[Bug 1158817] New: Update broke network on KVM virtual machines
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817

Bug ID: 1158817
Summary: Update broke network on KVM virtual machines
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: x86-64
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: nwr10cst-oslnx@yahoo.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Build Identifier:

I updated Leap 15.1 this morning, and rebooted. When starting KVM virtual machines, I had no network. This was working correctly yesterday.

It looks as if something is broken on the network bridge used to share the network with virtual machines.

I have since reverted suse-module-tools to the previous version (15.1.13-lp151.1.1) and rebooted. And now the virtual machines again have networking.

Reproducible: Always

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:
  CC:        (added) martin.wilck@suse.com
  Component: Basesystem -> KVM
  Assignee:  bnc-team-screening@forge.provo.novell.com -> kvm-bugs@suse.de

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
(In reply to Neil Rickert from comment #0)
> reverted suse-module-tools

From update information for bug 1142152 (SLE):

This update for suse-module-tools fixes the following issues:

- Add dependency of papr_scm on libnvdimm in the initrd image. (bsc#1142152, ltc#176292, FATE#327775).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

cc SLE maintainer
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c2

Giacomo Comes <comes@naic.edu> changed:
  CC: (added) comes@naic.edu

--- Comment #2 from Giacomo Comes <comes@naic.edu> ---
Same problem here. The issue is caused by the line

```
softdep bridge post: br_netfilter
```

in /etc/modprobe.d/00-system.conf, introduced in suse-module-tools-15.1.16. Commenting out that line makes the KVM network work again.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c3

--- Comment #3 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
Responding to comment #2: Thank you. Commenting out that line fixed the problem.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c4

Matthew Gibbs <mtgibbs@yahoo.com> changed:
  CC: (added) mtgibbs@yahoo.com

--- Comment #4 from Matthew Gibbs <mtgibbs@yahoo.com> ---
I had a similar issue, but in my case I had been using the lines

```
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
```

in sysctl.conf to have bridge traffic bypass firewalld. After updating last night, it appeared that the settings were being ignored when booting. If I called e.g.

```
echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables
```

then things started working again until another reboot.

I have suse-module-tools-15.1.18-lp151.2.4.1

Commenting out the cited line does fix the issue for me, too, and also eliminates the need for the above configuration.

It was quite a surprise to find things not working and not easy to track down the cause.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c5

David Kronlid <david@kronlid.net> changed:
  Priority: P5 - None -> P2 - High
  CC:       (added) david@kronlid.net
  Found By: --- -> Community User

--- Comment #5 from David Kronlid <david@kronlid.net> ---
I also had the same problem; all my VMs were unable to connect to the internet. It took me many hours to search for what was causing the problem.

Reverted back to suse-module-tools version 15.1.13-lp151.1.1 until this issue is fixed, and did zypper addlock.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c6

Richard Farthing <rf@keynet-technology.com> changed:
  CC: (added) rf@keynet-technology.com

--- Comment #6 from Richard Farthing <rf@keynet-technology.com> ---
*** Bug 1159215 has been marked as a duplicate of this bug. ***
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c7

Krasimir Ivanov <kiv@mail.orbitel.bg> changed:
  CC: (added) kiv@mail.orbitel.bg

--- Comment #7 from Krasimir Ivanov <kiv@mail.orbitel.bg> ---
(In reply to Giacomo Comes from comment #2)
> Same problem here. The issue is caused by the line softdep bridge post: br_netfilter in /etc/modprobe.d/00-system.conf introduced in suse-module-tools-15.1.16. Commenting out that line makes the KVM network work again.

Thank you very much for this hint! Commenting out this line helped me to get my virtual machines back online.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c8

--- Comment #8 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
*** Bug 1159694 has been marked as a duplicate of this bug. ***
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817

Manu Maier <mmanu84@outlook.de> changed:
  CC: (added) mmanu84@outlook.de
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817

Kasimir _ <kasimir_@outlook.de> changed:
  CC:    (added) kasimir_@outlook.de
  Flags: (added) needinfo?
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c9

Bruce Rogers <brogers@suse.com> changed:
  CC:       (added) brogers@suse.com
  Assignee: kvm-bugs@suse.de -> martin.wilck@suse.com

--- Comment #9 from Bruce Rogers <brogers@suse.com> ---
Assigning to Martin Wilck based on reports about suse-module-tools.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c10

Martin Wilck <martin.wilck@suse.com> changed:
  CC:    (added) nwr10cst-oslnx@yahoo.com
  Flags: (added) needinfo?(nwr10cst-oslnx@yahoo.com)

--- Comment #10 from Martin Wilck <martin.wilck@suse.com> ---
@Neil, and everyone affected: I am sorry that this change is causing you trouble. The change was made because the kernel warns on every load of the bridge module otherwise. But of course a loss of connectivity is worse than having to read a warning message. I am discussing internally whether this change can be reverted.

In the meantime, 00-system.conf is just a configuration file, so applying the change suggested in comment 2 is the preferred workaround for the time being.

Could you please review your firewall rules? It seems that your setup depends on rules not applying to bridged packets. Are you using SuSEfirewall2 or firewalld?

As for the sysctl settings in comment 4, I believe the sysctls are ignored because they are applied at system boot time, before the br_netfilter module is loaded. That's easily reproduced; unloading and reloading br_netfilter restores the default setting (=1) even if these sysctls had been set to 0 in the meantime.

A possible workaround is to make sure br_netfilter is loaded before running sysctl, e.g. by adding it to /etc/modules-load.d, or to create an "install" directive in /etc/modprobe.d:

```sh
cat >/etc/modprobe.d/br_netfilter.conf <<EOF
install br_netfilter /sbin/modprobe --ignore-install br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=0
EOF
```
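The ordering problem described in comment 10 (sysctl runs at boot before br_netfilter exists, and loading the module later resets the bridge-nf-call knobs to 1) is easy to misjudge on a host. The following Python script is an added example for auditing a host's state; it is not part of this bug thread or of suse-module-tools. It parses the modprobe.d syntax that matters here (comments, backslash continuations, `softdep` and `install` directives) and reports whether loading `bridge` will pull in `br_netfilter` (the comment 2 directive), whether an `install` override of the kind shown in comment 10 is present, and, from the bridge-nf-call-* files under /proc/sys/net/bridge, whether bridged traffic is currently being handed to netfilter. Run without arguments it reads the real /etc/modprobe.d and /proc; the functions also accept in-memory dictionaries so they can be exercised offline. It assumes modprobe reads *.conf files in sorted name order and does not model modprobe's precedence for duplicate softdep lines.

```python
"""Audit modprobe.d and /proc/sys/net/bridge for the br_netfilter softdep from comment 2.

Added example, not part of the bug thread or of suse-module-tools.
"""
from pathlib import Path


def logical_lines(text):
    """Yield modprobe.d logical lines: comments dropped, backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if line and not line.startswith("#"):
            yield line
    if pending.strip():
        yield pending.strip()


def parse_directive(line):
    """Split a logical line into (directive, module, rest-of-line), or None if too short."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def softdeps(rest):
    """Parse 'pre: a b post: c d' (the softdep argument syntax) into (pre, post) lists."""
    pre, post, current = [], [], None
    for tok in rest.split():
        if tok == "pre:":
            current = pre
        elif tok == "post:":
            current = post
        elif current is not None:
            current.append(tok)
    return pre, post


def analyse(confs):
    """confs: {filename: text}. What modprobe would do for 'bridge' and 'br_netfilter'.

    Assumption: files are read in sorted name order and every softdep line for a module
    contributes; modprobe's own precedence for duplicate lines is not modelled.
    """
    bridge_post, installs = set(), {}
    for name in sorted(confs):
        for line in logical_lines(confs[name]):
            parsed = parse_directive(line)
            if not parsed:
                continue
            directive, module, rest = parsed
            if directive == "softdep" and module == "bridge":
                bridge_post.update(softdeps(rest)[1])
            elif directive == "install":
                installs[module] = rest
    return {
        "bridge_post_deps": sorted(bridge_post),
        "br_netfilter_autoloaded": "br_netfilter" in bridge_post,
        "br_netfilter_install_override": installs.get("br_netfilter"),
    }


def bridge_nf_state(sysctls):
    """sysctls: {knob: value} from /proc/sys/net/bridge; empty when br_netfilter is not loaded.

    A knob other than "0" means bridged packets for that family are passed to netfilter.
    """
    filtering = [k for k, v in sysctls.items()
                 if k.startswith("bridge-nf-call-") and v.strip() != "0"]
    return {"br_netfilter_loaded": bool(sysctls),
            "filtering_bridged_traffic_via": sorted(filtering)}


def read_confs(directory="/etc/modprobe.d"):
    """Read the real modprobe.d; modprobe only honours files named *.conf."""
    d = Path(directory)
    return {p.name: p.read_text() for p in d.glob("*.conf")} if d.is_dir() else {}


def read_bridge_sysctls(proc_root="/proc"):
    """The directory only exists while br_netfilter is loaded (see comment 29)."""
    d = Path(proc_root) / "sys/net/bridge"
    return {p.name: p.read_text().strip() for p in d.iterdir()} if d.is_dir() else {}


if __name__ == "__main__":
    print(analyse(read_confs()))
    print(bridge_nf_state(read_bridge_sysctls()))
```

The `install` override from comment 10 shows up in `br_netfilter_install_override`; if `br_netfilter_autoloaded` is true and no override exists, a sysctl.conf setting alone will be lost whenever the bridge module is loaded after sysctl has run.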
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c11

Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:
  Flags: (removed) needinfo?(nwr10cst-oslnx@yahoo.com)

--- Comment #11 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
Responding to Martin at comment #10

I'm not quite sure what you are asking.

This is pretty much a standard Leap 15.1 install (a clean install, not an upgrade). So I am using "firewalld".

As for firewall rules -- I set the sshd port to be open (during install). At some time, I opened ports for nfs and rpcbind, because I am sharing a partition over NFS with the home network. I assume that installing KVM and having that set up a bridge might have changed firewall rules. I have not made any other changes.

I should add that I am using "wicked" to manage the network.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c12

Martin Wilck <martin.wilck@suse.com> changed:
  Flags: (added) needinfo?(nwr10cst-oslnx@yahoo.com)

--- Comment #12 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Neil Rickert from comment #11)
> I'm not quite sure what you are asking.

For a start, please provide output of "firewall-cmd --list-all-zones" and "iptables-save".
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817

Martin Wilck <martin.wilck@suse.com> changed:
  CC:    (added) jfehlig@suse.com
  Flags: (added) needinfo?(jfehlig@suse.com)
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c14

--- Comment #14 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Martin Wilck from comment #12)

... and Neil, please provide the network XML of the libvirt virtual networks which have ceased to work (virsh net-dumpxml $NETWORK).
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c15

--- Comment #15 from Martin Wilck <martin.wilck@suse.com> ---
FTR: the code discussed here was proposed in bug 937216.

Related: https://github.com/openSUSE/suse-module-tools/issues/11
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c16

Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:
  Flags: (removed) needinfo?(nwr10cst-oslnx@yahoo.com)

--- Comment #16 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
Created attachment 827530 --> http://bugzilla.opensuse.org/attachment.cgi?id=827530&action=edit
transcript of requested command output

The attached "screenlog.0" contains the commands (and output):

```
firewall-cmd --list-all-zones
iptables-save
virsh net-dumpxml default
```
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c18

--- Comment #18 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
Yes, "libvirtd" is running, and "virt-manager" is running.

As far as I know, I am not using NAT for virtual machines. Yes, my home router provides NAT for the home network. And the virtual machines are assigned NAT addresses directly by the home router. But I have not set up NAT for virtual machines. As far as I know, they are directly using the bridge.

I have not attempted that firewall change, pending any clarification related to NAT.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c19

--- Comment #19 from Giacomo Comes <comes@naic.edu> ---
(In reply to Martin Wilck from comment #12)
> (In reply to Neil Rickert from comment #11)
> > I'm not quite sure what you are asking.
>
> For a start, please provide output of "firewall-cmd --list-all-zones" and "iptables-save".

I don't think firewalld has anything to do with the problem here. If I add again in /etc/modprobe.d/00-system.conf:

```
softdep bridge post: br_netfilter
```

and I disable firewalld, the network in KVM still does not work. If the problem was due to a strange firewall rule, disabling firewalld should make the issue go away, isn't it?

Also I suspect that libvirt has nothing to do with the problem as well. The reason is that I start qemu-kvm manually (from a script actually) and libvirt is not used at all.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c22

--- Comment #22 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> But well, you say networking doesn't work, so maybe that's (part of) the reason.

Networking is fine, once I commented out that line as suggested in comment #2 (and then rebooted the host system).
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c26

--- Comment #26 from Giacomo Comes <comes@naic.edu> ---
(In reply to Martin Wilck from comment #21)
> (In reply to Giacomo Comes from comment #19)
> > I don't think firewalld has anything to do with the problem here. If I add again in /etc/modprobe.d/00-system.conf: softdep bridge post: br_netfilter and I disable firewalld, the network in KVM still does not work.
>
> What exactly have you done to disable firewalld? "systemctl stop firewalld"? What does "iptables-save" output after that?

I run "systemctl disable firewalld" and then reboot. The output of "iptables-save" is then empty.

> > If the problem was due to a strange firewall rule, disabling firewalld should make the issue go away, isn't it?
>
> Yes. But without any firewall rules, disabling br_netfilter wouldn't have any effect, either. The only purpose of br_netfilter is to call netfilter rules for bridged packets, and that would have no effect if there were no rules.

Apparently that's not the case. Without any firewall rules it makes a difference whether br_netfilter is enabled or not. At least for this bug.

> > Also I suspect that libvirt has nothing to do with the problem as well. The reason is that I start qemu-kvm manually (from a script actually) and libvirt is not used at all.
>
> But you're using a bridge, right?

Yes, I use a bridge.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c27

--- Comment #27 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> I don't believe that NAT would work without any masquerading rules. You say you don't use it, but it's configured. Try pinging 8.8.8.8.

```
% ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=12.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=12.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=12.5 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=12.5 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 12.250/12.526/12.819/0.230 ms
```

That ping was from within the virtual machine named "slack12" (and running Leap 15.2 Alpha).

> Would you do me the favor to try what I suggested in comment 17?

I can try that. But I'm not clear on what that entails. Do you want me to uncomment that line mentioned in comment 2; reboot; check that networking is now failing in virtual machines; then run the firewall command and see if that fixes it?
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c28

--- Comment #28 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
An addendum to my last comment about following the suggestion in comment 17.

What's "virbr0"? I don't recall that ever showing up.

And what does it mean to "load br_netfilter"? I don't know that I have ever done that, though it might have happened in the background due to some other command.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c29

--- Comment #29 from Matthew Gibbs <mtgibbs@yahoo.com> ---
(In reply to Martin Wilck from comment #10)

Hi @Martin,

Thank you for the tip. To add some more info/clarification, the sysctl settings

```
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
```

worked on the system that I upgraded first (from 15.0 to 15.1), but when I recently upgraded a second system it did not work, as I believe, like you noted, that they were being "applied" before the br_netfilter module was loaded.

OTOH, if I comment out the line

```
softdep bridge post: br_netfilter
```

as in comment 2, then /proc/sys/net/bridge/bridge-nf-call-ip(6)tables does not even exist to set, and traffic goes through and bypasses the firewall as desired.

As far as FirewallD, I spent a bit of time when switching from SuSEFirewall2 to FirewallD because it seems that SuSEFirewall2 (automatically?) included the equivalent of

```
firewall-cmd --permanent --direct --passthrough ipv6 -t filter -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -t filter -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
```

and FirewallD did not, at least that's what I recall from the susefirewall2-to-firewalld script output and doing some troubleshooting. I'm also using wicked and not NetworkManager. Nothing seemed to "automatically" configure the bridge/firewall or add the virtual interfaces in such a way that they can be easily manipulated in firewall-config.

In response to comment 25, I agree that it's not desirable to accidentally expose something outside of the firewall that you don't want. In my case, I want the traffic to be sent directly to the VM to be processed by the VM's firewall and not the host's firewall (either by forwarding through the host firewall or bypassing the host firewall). I could also see where it might be desirable to have some VMs on a host be "outside" and some "inside," depending on what the VM is for.

If it's helpful, I've attached the output of "firewall-cmd --list-all-zones" and "iptables-save" from a host running 15.1 with suse-module-tools-15.1.13-lp151.1.1 and the forwarding rules above added to the firewall. Also, "virsh net-list" does not show any networks. Otherwise it's essentially a stock setup that's been set up using YaST and virt-manager.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c30

--- Comment #30 from Matthew Gibbs <mtgibbs@yahoo.com> ---
Created attachment 827550 --> http://bugzilla.opensuse.org/attachment.cgi?id=827550&action=edit
output from iptables-save
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c31

--- Comment #31 from Matthew Gibbs <mtgibbs@yahoo.com> ---
Created attachment 827551 --> http://bugzilla.opensuse.org/attachment.cgi?id=827551&action=edit
output from firewall-cmd --list-all-zones
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c32

--- Comment #32 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Giacomo Comes from comment #26)
> > Yes. But without any firewall rules, disabling br_netfilter wouldn't have any effect, either. The only purpose of br_netfilter is to call netfilter rules for bridged packets, and that would have no effect if there were no rules.
>
> Apparently that's not the case. Without any firewall rules it makes a difference if br_netfilter is enabled or not. At least for this bug.

Jiri, does this make any sense to you? How could it come to pass?
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c33

--- Comment #33 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Neil Rickert from comment #28)
> What's "virbr0"? I don't recall that ever showing up.

This is the name of the bridge device that libvirt would typically create. It actually shows up in the network XML you attached in comment 16. If you don't see this device, I can only conclude that your "default" network from libvirt is stopped. How is networking for your VMs set up then? Do you use static bridges configured with YaST?

> And what does it mean to "load br_netfilter"?

br_netfilter is a kernel module, which you can load and unload using "modprobe" and "rmmod", respectively. The offending directive from comment 2 causes the br_netfilter module to be loaded whenever the "bridge" module is loaded. The effect of loading this module is that netfilter hooks (in other words: firewall rules) are applied for network packets passing bridges, which wouldn't happen otherwise.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c35

--- Comment #35 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> This is the name of the bridge device that libvirt would typically create. It actually shows up in the network XML you attached in comment 16.

Except that I am seeing "br0", but not "virbr0", in both that XML and in output of commands such as "ip a". I have the impression that "virbr0" would be there if I were using NAT.

So I think there is some miscommunication going on, with you making wrong assumptions about how things are set up here.

If I were to put "br0" in the firewall trusted zone, wouldn't that have the same effect as disabling the firewall here?
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c36

--- Comment #36 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Neil Rickert from comment #35)
> Except that I am seeing "br0", but not "virbr0", in both that XML and in output of commands such as "ip a".

Granted for "ip a", but please check your own attachment in comment 16 again. Unless I'm dreaming, it says "virbr0".
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c37

--- Comment #37 from Martin Wilck <martin.wilck@suse.com> ---
Given Michal's statement in comment 34, I'm going to revert this change for openSUSE. It will take some time until that update hits the distro. In the meantime, you can use the workaround from comment 2.

Wrt the general analysis and firewalld, I need to correct my own statements from comment 25. The instructions under 3.) there *don't solve the problem*. TL;DR: use comment 2.

br_netfilter changes the handling of *forwarded* packets only. Packets originating from or received by the host itself are *always* subject to firewall filtering, even if br_netfilter is not active. The same holds for the sysctl knobs mentioned in comment 4. Without br_netfilter, the traffic *between VMs* on that virtual network is unaffected by the firewall settings.

If br_netfilter is active, firewall rules are applied to forwarded packets. But these packets traverse only the FORWARD chain, and firewalld applies the zone-specific rules only to the INPUT chain. Only the zone's "target" is applied to both INPUT and FORWARD chains. This is the reason why libvirt sets up its zone as follows:

```
libvirt (active)
  target: ACCEPT
  services: dhcp dhcpv6 dns ssh tftp
  rich rules:
        rule priority="32767" reject   (*doesn't work on Leap 15.1, see below!!*)
```

If they used a "REJECT" target instead, all forwarded traffic would be rejected, and the exceptions defined further down wouldn't take effect (only for packets destined for the host). This explains why libvirt/firewalld integration requires firewalld >= 0.7.0: libvirt uses firewalld's "priority" attribute, which was added in 0.7.0, and makes sure that the "services" definition takes priority over the final "reject" rule.

On Leap, the only alternative to comment 2, or to disabling the firewall entirely, is adding the bridges to the "trusted" zone. But that allows everything, so disabling br_netfilter (comment 2) is actually more secure.
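To make the chain-traversal argument in comment 37 concrete, here is an added Python example (not from the bug thread, firewalld or libvirt) that parses iptables-save output and follows the FORWARD chain, including jumps into user-defined chains, for a new packet arriving on a bridge port. The embedded table is a constructed, simplified firewalld-style layout, not a real dump from any host in this thread; it is evaluated once as-is and once with the `--physdev-is-bridged -j ACCEPT` rule from comment 29 inserted at the top of FORWARD. Only the matches that matter for the question are modelled (`-i`, `-m conntrack --ctstate`, `-m physdev --physdev-is-bridged`); a rule using any other match is assumed not to match and is counted in the result so that assumption stays visible. Run as a script on a host it feeds the real `iptables-save` output through the same logic.

```python
"""Follow the FORWARD chain of an iptables-save dump for a packet entering via a bridge port.

Added example, not from the bug thread, firewalld or libvirt. Only the matches that matter
for comment 37 are modelled (-i, -m conntrack --ctstate, -m physdev --physdev-is-bridged);
a rule carrying any other match is ASSUMED not to match and is counted in the result.
"""
import shlex
from collections import namedtuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Packet = namedtuple("Packet", "in_iface bridged ctstate", defaults=(True, "NEW"))


def parse_rule(args):
    """Tokens after '-A' -> dict of modelled matches, the target, and an 'unknown' flag."""
    rule, i = {"chain": args[0], "target": "", "unknown": False}, 1
    while i < len(args):
        tok, arg = args[i], args[i + 1] if i + 1 < len(args) else ""
        if tok == "--physdev-is-bridged":           # flag without an argument
            rule["bridged"] = True
            i += 1
            continue
        if tok in ("-i", "--in-interface"):
            rule["in_iface"] = arg
        elif tok == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok not in ("-m", "--reject-with"):    # module name / reject type add no condition
            rule["unknown"] = True                  # -p, -o, -s, --dport, ...: not modelled
            i -= 1                                  # may be a bare flag: advance one token only
        i += 2
    return rule


def parse_save(text):
    """(policies, chains) for the filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):                   # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            rule = parse_rule(shlex.split(line)[1:])
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    return (not rule["unknown"]
            and rule.get("in_iface", pkt.in_iface) == pkt.in_iface
            and pkt.ctstate in rule.get("ctstate", {pkt.ctstate})
            and (pkt.bridged or not rule.get("bridged")))


def walk(chain, chains, pkt, trail, depth=0):
    """Verdict reached inside `chain`, or None when the packet falls off its end."""
    if depth > 16:
        raise RecursionError("chain loop")
    for n, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            trail.append((chain, n, target))
            return target
        if target == "RETURN":
            return None
        if target:                                   # anything else: a user-defined chain
            trail.append((chain, n, "-> " + target))
            verdict = walk(target, chains, pkt, trail, depth + 1)
            if verdict:
                return verdict
    return None


def forward_verdict(save_text, pkt):
    """Fate of a forwarded packet; the FORWARD policy applies when no rule decided."""
    policies, chains = parse_save(save_text)
    trail = []
    verdict = walk("FORWARD", chains, pkt, trail)
    unmodelled = sum(r["unknown"] for rules in chains.values() for r in rules)
    return {"verdict": verdict or policies.get("FORWARD", "ACCEPT"),
            "trail": trail, "rules_with_unmodelled_matches": unmodelled}


# Constructed sample, loosely modelled on a firewalld filter table (NOT a real dump): the zone's
# service rules live in INPUT, so a forwarded packet only meets the zone forward chains (which
# accept nothing for this traffic) and the final REJECT, as comment 37 describes.
FIREWALLD_DEFAULT = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i br0 -j FWDI_public
-A FORWARD_IN_ZONES -j FWDI_public
-A FWDI_public -p icmp -j ACCEPT
COMMIT
"""
# The same table with the physdev rule from comment 29 inserted at the top of FORWARD.
WITH_PHYSDEV_ACCEPT = FIREWALLD_DEFAULT.replace(
    "-A FORWARD -m conntrack",
    "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT\n-A FORWARD -m conntrack", 1)

if __name__ == "__main__":
    import subprocess, sys
    dump = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    print(forward_verdict(dump, Packet(in_iface=sys.argv[1] if len(sys.argv) > 1 else "br0")))
```

With the constructed table, a new bridged packet on br0 walks through the empty direct and zone chains and ends at the final REJECT in FORWARD, which is the symptom reported in this bug once br_netfilter is loaded; with the physdev rule in place it is accepted at the first rule, and a non-bridged packet is still rejected. The `trail` shows exactly which rules were consulted, so the script doubles as a quick explanation of "why did my forwarded packet die" on a real host.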
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c38

Neil Rickert <nwr10cst-oslnx@yahoo.com> changed:
  Flags: (removed) needinfo?(nwr10cst-oslnx@yahoo.com)

--- Comment #38 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> Granted for "ip a", but please check your own attachment in comment 16 again. Unless I'm dreaming, it says "virbr0".

Looking closely -- yes, it is there. It seems to be defining a NAT network with IP addresses of the form 192.168.122.xxx. I have never seen such an address on my network.

My virtual machines get addresses of the form 192.168.1.xxx, and those come from the home router. So I don't think I am actually using "virbr0". Wouldn't I need to start some kind of NAT service before that would be available?
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c39

--- Comment #39 from James Fehlig <jfehlig@suse.com> ---
(In reply to Neil Rickert from comment #38)
> Looking closely -- yes, it is there. It seems to be defining a NAT network with IP addresses of the form 192.168.122.xxx. I have never seen such an address on my network.

Likely because none of your VMs use that network.

> My virtual machines get addresses of the form 192.168.1.xxx, and those come from the home router. So I don't think I am actually using "virbr0".

If you are not using it, you should disable it. E.g. 'virsh net-destroy default && virsh net-autostart default --disable'.

> Wouldn't I need to start some kind of NAT service before that would be available?

libvirt starts an instance of dnsmasq to provide dhcp and such services for VMs using the virtual network.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817#c45

--- Comment #45 from Neil Rickert <nwr10cst-oslnx@yahoo.com> ---
> Has anyone seen this issue under Leap 15.0?

I have not tried running KVM on Leap 15.0 since moving to Leap 15.1. However, I guess I could try if you really want that tested. I'm not sure why this would matter now that we are past end-of-life for 15.0.
http://bugzilla.opensuse.org/show_bug.cgi?id=1158817

James Fehlig <jfehlig@suse.com> changed:
  Flags: (removed) needinfo?(jfehlig@suse.com)