Comment # 29 on bug 1158817 from
(In reply to Martin Wilck from comment #10)

Hi @Martin-

Thank you for the tip.  To add some more info/clarification, the sysctl
settings

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

worked on the system that I upgraded first (from 15.0 to 15.1) but when I
recently upgraded a second system it did not work as I believe, like you noted,
that they were being "applied" before the br_netfilter module was loaded. 
OTOH, if I comment out the line

softdep bridge post: br_netfilter

as in Comment 2, then /proc/sys/net/bridge/bridge-nf-call-ip(6)tables does not
even exist to set, and traffic goes through and bypasses the firewall as
desired.

As far as FirewallD, I spent a bit of time when switching from SuSEFirewall2 to
FirewallD because it seems that SuSEFirewall2 (automatically?) included the
equivalent of

firewall-cmd --permanent --direct --passthrough ipv6 -t filter -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -t filter -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

and FirewallD did not, at least that's what I recall from the
susefirewall2-to-firewalld script output and doing some troubleshooting.  I'm
also using wicked and not NetworkManager.  Nothing seemed to "automatically"
configure the bridge/firewall or add the virtual interfaces in such a way that
they can be easily manipulated in firewall-config.

In response to Comment 25, I agree that it's not desirable to accidentally
expose something outside of the firewall that you don't want.  In my case, I
want the traffic to be sent directly to the VM to be processed by the VM's
firewall and not the host's firewall (either by forwarding through the host
firewall or bypassing the host firewall).  I could also see where it might be
desirable to have some VMs on a host to be "outside" and some "inside,"
depending on what the VM is for.

If it's helpful, I've attached the output of "firewall-cmd --list-all-zones"
and "iptables-save" from a host running 15.1 with
suse-module-tools-15.1.13-lp151.1.1 and the forwarding rules above added to the
firewall.  Also, "virsh net-list" does not show any networks.  Otherwise it's
essentially a stock setup that's been set up using YaST and virt-manager.
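The comment above turns on three host states that are easy to confuse: br_netfilter not loaded (the /proc/sys/net/bridge/bridge-nf-call-* files do not exist, so a sysctl.d setting has nothing to apply to yet), br_netfilter loaded with bridge-nf-call-iptables=0 (bridged frames skip the host firewall), and br_netfilter loaded with the sysctl at 1 but a "--physdev-is-bridged -j ACCEPT" rule in the filter-table FORWARD chain (the host firewall sees the traffic and waves it through). The script below is an added example, not code from the bug report or from openSUSE, that reads those sysctl files, scans iptables-save / ip6tables-save output for the physdev ACCEPT rule, and reports which of the three paths bridged VM traffic is actually taking per address family. It assumes the rule created by the firewall-cmd --direct --passthrough commands shows up in iptables-save as "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT"; the iptables-save text embedded as sample input is constructed, not a capture from any host.

```python
#!/usr/bin/env python3
"""Audit how bridged (VM) traffic meets the host firewall.

Added example, not code from the bug report.  Distinguishes "br_netfilter not
loaded" (sysctl file absent) from "loaded but bridge-nf-call-*=0" from
"loaded, sysctl=1, but FORWARD accepts bridged frames via a physdev rule".
"""
import os
import re
import shutil
import subprocess

BRIDGE_SYSCTL_NAMES = ("bridge-nf-call-iptables", "bridge-nf-call-ip6tables")

# Which *-save tool to consult for each address family (assumed tool names).
SAVE_TOOLS = {"iptables": "iptables-save", "ip6tables": "ip6tables-save"}

# A filter-table FORWARD rule that accepts bridged traffic unconditionally,
# as the firewall-cmd --direct --passthrough commands in the comment create.
PHYSDEV_ACCEPT = re.compile(r"^-[AI]\s+FORWARD\s.*--physdev-is-bridged.*-j\s+ACCEPT\b")

# Constructed sample of iptables-save output (not a capture from any host).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j PREROUTING_direct
COMMIT
"""


def read_bridge_sysctls(proc_root="/"):
    """Return {name: int or None}.  None means the file is absent, i.e.
    br_netfilter is not loaded and no sysctl value can be in effect yet.
    proc_root lets the function be pointed at a fake tree for testing."""
    values = {}
    for name in BRIDGE_SYSCTL_NAMES:
        path = os.path.join(proc_root, "proc/sys/net/bridge", name)
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (FileNotFoundError, NotADirectoryError, ValueError):
            values[name] = None
    return values


def bridged_accept_rules(save_text):
    """Return the filter-table FORWARD rules that accept bridged frames.
    Rules in other tables (nat, mangle) are ignored: only filter decides."""
    in_filter = False
    hits = []
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            in_filter = (line == "*filter")
        elif in_filter and PHYSDEV_ACCEPT.match(line):
            hits.append(line)
    return hits


def classify(sysctls, accept_rules, family="iptables"):
    """Describe the effective path of bridged traffic for one family."""
    value = sysctls.get("bridge-nf-call-" + family)
    if value is None:
        return "bypass: br_netfilter not loaded, bridged traffic never enters the host firewall"
    if value == 0:
        return "bypass: bridge-nf-call-%s=0, bridged traffic skips the host firewall" % family
    if accept_rules:
        return "accept-bridged: host firewall sees bridged traffic but FORWARD accepts it via physdev rule"
    return "filtered: bridged traffic traverses the host FORWARD chain"


def audit_live():
    """Run the audit on the running system (iptables-save needs root)."""
    sysctls = read_bridge_sysctls("/")
    verdicts = {}
    for family, tool in SAVE_TOOLS.items():
        rules = []
        if shutil.which(tool):
            proc = subprocess.run([tool], capture_output=True, text=True)
            if proc.returncode == 0:
                rules = bridged_accept_rules(proc.stdout)
        verdicts[family] = classify(sysctls, rules, family)
    return verdicts


if __name__ == "__main__":
    for family, verdict in audit_live().items():
        print("%s: %s" % (family, verdict))
```

Run it as root after each boot (or after loading br_netfilter by hand) to see whether a sysctl.d value actually took effect; a "bypass: br_netfilter not loaded" verdict on a host whose sysctl.d sets the values to 0 is the ordering problem described above, while "accept-bridged" is the state the two firewall-cmd --direct rules produce.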

