Martin Wilck changed bug 1158817
What  | Removed | Added
CC    |         | nwr10cst-oslnx@yahoo.com
Flags |         | needinfo?(nwr10cst-oslnx@yahoo.com)

Comment # 10 on bug 1158817 from
@Neil, and everyone affected:

I am sorry that this change is causing you trouble. The change was made because
the kernel warns on every load of the bridge module otherwise. But of course a
loss of connectivity is worse than having to read a warning message.

I am discussing internally whether this change can be reverted. In the
meantime, 00-system.conf is just a configuration file, so applying the change
suggested in comment 2 is the preferred workaround for the time being.

Could you please review your firewall rules? It seems that your setup depends
on rules not applying to bridged packets. Are you using SuSEfirewall2 or
firewalld?

As for the sysctl settings in comment 4, I believe the sysctls are ignored
because they are applied at system boot time, before the br_netfilter module is
loaded. That's easily reproduced; unloading and reloading br_netfilter
restores the default setting (=1) even if these sysctls had been set to 0 in the
meantime.

A possible workaround is to make sure br_netfilter is loaded before running
sysctl, e.g. by adding it to /etc/modules-load.d, or to create an "install"
directive in /etc/modprobe.d:

> cat >/etc/modprobe.d/br_netfilter.conf <<EOF
> install br_netfilter /sbin/modprobe --ignore-install br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=0
> EOF
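
The following check is an added example, not part of the comment above or of any SUSE tooling. It flags the situation the comment describes: net.bridge.* values configured for boot-time sysctl while nothing ensures br_netfilter is loaded first. The function names are hypothetical, and it assumes only the /etc configuration directories are in use (not /usr/lib or /run).

```shell
#!/bin/sh
# Added example (not from the bug report). Only /etc is inspected; pass a root
# prefix to audit a constructed tree, or "" for the running system.

# Print the net.bridge.* keys set in sysctl configuration under ROOT/etc.
bridge_sysctl_keys() {
    root=$1
    for f in "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*\(net\.bridge\.[^=[:space:]]*\).*/\1/p' "$f"
    done | sort -u
}

# Succeed if a file in ROOT/etc/DIR has a line matching the extended regex RE.
conf_dir_matches() {
    for f in "$1"/etc/"$2"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "$3" "$f"; then return 0; fi
    done
    return 1
}

# Return 1 (and list the keys) when bridge sysctls are configured but neither
# workaround from the comment (modules-load.d entry, install directive) exists.
audit_bridge_sysctl() {
    root=$1
    keys=$(bridge_sysctl_keys "$root")
    if [ -z "$keys" ]; then
        echo "no net.bridge.* sysctl settings configured"
        return 0
    fi
    if conf_dir_matches "$root" modules-load.d '^[[:space:]]*br_netfilter[[:space:]]*$'; then
        echo "ok: br_netfilter is listed in modules-load.d"
        return 0
    fi
    if conf_dir_matches "$root" modprobe.d '^[[:space:]]*install[[:space:]]+br_netfilter[[:space:]]'; then
        echo "ok: modprobe.d has an install directive for br_netfilter"
        return 0
    fi
    echo "warning: set at boot while br_netfilter may not be loaded yet:"
    echo "$keys"
    return 1
}
```

Run `audit_bridge_sysctl ""` on a host to inspect its live /etc; a non-zero return means the configured values are likely to be reset to the module default when br_netfilter loads later.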

