[Bug 1159215] New: firewalld filters ports to LXC container on bridge despite being allowed
http://bugzilla.opensuse.org/show_bug.cgi?id=1159215

Bug ID: 1159215
Summary: firewalld filters ports to LXC container on bridge despite being allowed
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Containers
Assignee: containers-bugowner@suse.de
Reporter: rf@keynet-technology.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 826135
--> http://bugzilla.opensuse.org/attachment.cgi?id=826135&action=edit
Internal rules on br0, eth0

Environment: Server running 15.1 with a separate mail server running in an LXC container (on CentOS), interconnected via a bridge br0. The container gets its IP via DHCP. This config has been running 6+ months with no issues.

The container is still accessible via br0 (from other machines and the server itself) via http, but mail and some other protocols fail. Some auto update since 2019-12-05 (last reboot) causes firewalld on the server to reject connections on br0 to the container port 993, and ssh port 22, even though they are specifically enabled in the rules (attached).

Enabled firewall logging: 10.0.0.62 = machine on network, 10.0.0.110 = container running mail (vethQV8JUR), eth3 is the DMZ.

Mail client on private net tries to connect:

Dec 13 14:57:23 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vethQV8JUR MAC=00:16:3e:f3:83:5f:64:51:06:4f:b9:c9:08:00 SRC=10.0.0.62 DST=10.0.0.110 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=14030 DF PROTO=TCP SPT=64692 DPT=993 WINDOW=8192 RES=0x00 SYN URGP=0

Mail server in LXC attempts pickup from a remote server via br0:

Dec 13 17:08:55 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=vethQV8JUR PHYSOUT=eth3 MAC=00:14:7f:22:c4:ac:00:16:3e:f3:83:5f:08:00 SRC=10.0.0.110 DST=94.126.40.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36503 DF PROTO=TCP SPT=59680 DPT=143 WINDOW=29200 RES=0x00 SYN URGP=0

Tests:
- Stopping firewalld = all OK.
- Reversion from today's kernel update 4.12.14-lp151.28.36 to the former 4.12.14-lp151.28.32 doesn't fix it.

I'm probably missing something, but I also don't understand the garbled MAC addresses listed in the log. The LXC MAC is 00:16:3e:f3:83:5f.
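The MAC= field in those two log lines is not a garbled address: netfilter logs the raw 14-byte Ethernet header (destination MAC, then source MAC, then EtherType), and PHYSIN/PHYSOUT name the bridge ports the frame crossed, which is how bridged traffic shows up in firewalld's log. The Python below is an added example, not part of the bug report or of firewalld; it parses the two FINAL_REJECT lines quoted above (copied in as constructed sample input) and splits the MAC field into its three parts.

```python
import re
# Constructed sample input: the two FINAL_REJECT lines quoted in the bug report.
LOG_LINES = [
    "Dec 13 14:57:23 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vethQV8JUR "
    "MAC=00:16:3e:f3:83:5f:64:51:06:4f:b9:c9:08:00 SRC=10.0.0.62 DST=10.0.0.110 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=128 ID=14030 DF PROTO=TCP SPT=64692 DPT=993 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Dec 13 17:08:55 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=vethQV8JUR PHYSOUT=eth3 "
    "MAC=00:14:7f:22:c4:ac:00:16:3e:f3:83:5f:08:00 SRC=10.0.0.110 DST=94.126.40.131 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=36503 DF PROTO=TCP SPT=59680 DPT=143 WINDOW=29200 RES=0x00 SYN URGP=0",
]
LXC_MAC = "00:16:3e:f3:83:5f"  # container MAC given in the report
LINE_RE = re.compile(r"kernel: (?P<prefix>[^:]+): (?P<body>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")

def split_mac_field(mac_field):
    """netfilter logs MAC= as the raw 14-byte Ethernet header, not one address:
    destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes)."""
    o = mac_field.split(":")
    if len(o) != 14:
        raise ValueError("unexpected MAC field: %s" % mac_field)
    return {"dst_mac": ":".join(o[0:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": "0x" + "".join(o[12:14])}  # 0x0800 = IPv4

def parse_reject(line):
    """Parse one kernel LOG-target line into a dict; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    fields = dict(KV_RE.findall(body), prefix=m.group("prefix"))
    # Bare tokens such as DF and SYN have no '=': they are IP/TCP flags.
    fields["flags"] = [tok for tok in body.split() if "=" not in tok]
    # PHYSIN/PHYSOUT appear only for frames that crossed bridge ports, i.e.
    # bridged traffic that br_netfilter handed up to iptables/firewalld.
    fields["bridged"] = "PHYSIN" in fields or "PHYSOUT" in fields
    fields.update(split_mac_field(fields["MAC"]))
    return fields

def roles_for_mac(lines, mac):
    """(line index, 'src'|'dst') for every logged frame involving `mac`."""
    roles = []
    for i, f in enumerate(parse_reject(l) for l in lines):
        if f and f["dst_mac"] == mac:
            roles.append((i, "dst"))
        if f and f["src_mac"] == mac:
            roles.append((i, "src"))
    return roles

if __name__ == "__main__":
    print(roles_for_mac(LOG_LINES, LXC_MAC))
```

In the first line the container MAC is the destination and in the second it is the source, matching the two directions the report describes; the other six octets are the peer's MAC and 08:00 is the IPv4 EtherType.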
--- Comment #1 from Richard Farthing
http://bugzilla.opensuse.org/show_bug.cgi?id=1159215#c1

--- Comment #2 from David Kronlid
http://bugzilla.opensuse.org/show_bug.cgi?id=1159215#c2

--- Comment #3 from Richard Farthing
http://bugzilla.opensuse.org/show_bug.cgi?id=1159215#c3

--- Comment #4 from Richard Farthing
http://bugzilla.opensuse.org/show_bug.cgi?id=1159215#c4