Niccolò Belli
2023-Jul-12  00:18 UTC
Cannot access guest with bridged networking when using firewalld (nftables backend) on Debian 12 Bookworm
firewalld version 1.3.0-1
libvirt version 9.0.0-4
network-manager version 1.42.4-1
# firewall-cmd --get-active-zones
libvirt
   interfaces: br28
public
   interfaces: dac0 dac0.100 dac0.28 ftth
# firewall-cmd --list-all --zone=public
public (active)
   target: default
   icmp-block-inversion: no
   interfaces: dac0 dac0.100 dac0.28 ftth
   sources:
   services: dhcpv6-client ssh
   ports:
   protocols:
   forward: yes
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
dac0 is a Direct Attach cable with several vlans.
dac0.100 is the vlan where I create the pppoe connection from my FTTH provider.
ftth is the ppp name.
dac0.28 is the vlan for the public /28 IPv4 subnet.
br28 is the bridge where dac0.28 is attached.
# brctl show
bridge name	bridge id		STP enabled	interfaces
br28		8000.d2605c025b1d	no		dac0.28
							vnet1
# firewall-cmd --list-all --zone=libvirt
libvirt (active)
   target: ACCEPT
   icmp-block-inversion: no
   interfaces: br28
   sources:
   services: dhcp dhcpv6 dns ssh tftp
   ports:
   protocols: icmp ipv6-icmp
   forward: no
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
	rule priority="32767" reject
# nft list tables
table inet firewalld
table ip mangle
# nft list table ip mangle
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		oifname "ftth" tcp flags syn / syn,rst tcp option maxseg size 1400-65495 counter packets 0 bytes 0 tcp option maxseg size set rt mtu
	}
}
The previous rule is created by NetworkManager to clamp-mss-to-pmtu for 
the ftth pppoe.
This is how I create the bridge and the dac0.28 vlan with 
NetworkManager:
# nmcli con add ifname br28 type bridge con-name br28 ipv4.method manual ipv4.addresses MY_IP/28 connection.zone libvirt
# nmcli connection add type vlan con-name dac0.28 ifname dac0.28 vlan.parent dac0 vlan.id 28 ipv4.method disabled ipv6.method disabled master br28 slave-type bridge
I also have isc-dhcp-server, wide-dhcpv6-client and radvd running.
# nmcli con
NAME      UUID                                  TYPE      DEVICE
ftth      f370639c-2712-49c2-9749-e39f17102346  pppoe     ftth
br28      e4d2aad3-ef2d-4ac0-bda5-58471f21655c  bridge    br28
lo        f0327b03-bbc3-4078-8bd1-5225df0ce153  loopback  lo
vnet1     25ae75cd-1606-4fd7-8213-09f4ef1280c4  tun       vnet1
dac0      040e747e-fd7e-41e9-b6a6-ccec9e73c022  ethernet  dac0
dac0.100  147c1632-2c60-42f3-a97a-a6733ef69f4c  vlan      dac0.100
dac0.28   cefb4bf3-dda9-465a-95d0-512ac1294a5b  vlan      dac0.28
enp1s0    81a44a95-efdc-47e2-9c12-76a0a140ca5a  ethernet  --
The above are all dark green except lo and vnet1, which are light 
green (externally managed), and enp1s0, which is white (disconnected).
The br_netfilter module is not loaded and thus 
net.bridge.bridge-nf-call-ip6tables, net.bridge.bridge-nf-call-iptables, 
net.bridge.bridge-nf-call-arptables are not even exposed to 
/proc/sys/net/bridge.
I don't have any nwfilter enabled yet, I'd like to get the basics 
working first.
The guest gets an IP (both v4 and v6) and can reach the internet. 
Unfortunately the guest cannot be reached from the outside:
$ ping GUEST_IP
PING GUEST_IP (GUEST_IP) 56(84) bytes of data.
From FTTH_IP icmp_seq=1 Packet filtered
$ ssh GUEST_IP
ssh: connect to host GUEST_IP port 22: No route to host
Routed networking works fine, but libvirt is in charge of creating 
everything in that case (creating the bridge, assigning the 
libvirt-routed zone, enabling the libvirt-routed policies, etc.), while 
bridged networking must be configured manually (at least on non-RedHat 
distros).
What's wrong? It looks suspiciously similar to 
https://bbs.archlinux.org/viewtopic.php?id=274670
Thanks,
Niccolo' Belli
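Added example, not from the thread: a small Python parser for the `firewall-cmd --list-all` output quoted above. It maps each interface to its zone and reports whether host-routed traffic between two interfaces stays inside one zone (where that zone's `forward` flag applies) or crosses zones (where firewalld policies apply instead; this is general firewalld 1.x behaviour, not a diagnosis of this report). The sample input is abridged from the two zone dumps in the post.

```python
import re

# Constructed sample: the two zone dumps from the post, some empty fields omitted.
SAMPLE = """\
public (active)
   target: default
   interfaces: dac0 dac0.100 dac0.28 ftth
   sources:
   services: dhcpv6-client ssh
   forward: yes
   rich rules:
libvirt (active)
   target: ACCEPT
   interfaces: br28
   services: dhcp dhcpv6 dns ssh tftp
   protocols: icmp ipv6-icmp
   forward: no
   rich rules:
\trule priority="32767" reject
"""

ZONE_HDR = re.compile(r"^(\S+)(?: \((\w+)\))?$")  # e.g. 'public (active)'

def parse_list_all(text):
    """Return {zone: {field: [tokens], 'active': bool, 'rich rules': [...]}}."""
    zones, cur, key = {}, None, None
    for line in text.splitlines():
        m = ZONE_HDR.match(line)
        if m:  # an unindented line starts a new zone block
            cur = zones[m.group(1)] = {"active": m.group(2) == "active",
                                       "rich rules": []}
            key = None
        elif line.startswith("\t") and key == "rich rules":
            cur["rich rules"].append(line.strip())  # tab-indented rule lines
        elif line.strip():
            key, _, val = line.strip().partition(":")
            if key != "rich rules":
                cur[key] = val.split()  # an empty field becomes []
    return zones

def interface_zones(zones):
    """Map every interface to the zone it is bound to."""
    return {ifc: z for z, d in zones.items() for ifc in d.get("interfaces", [])}

def forwarding_scope(zones, ingress, egress):
    """Intra-zone forwarding is governed by the zone's 'forward' flag;
    traffic crossing zones is governed by firewalld policies instead."""
    z = interface_zones(zones)
    if z[ingress] == z[egress]:
        return "intra-zone:%s forward=%s" % (z[ingress], zones[z[ingress]]["forward"][0])
    return "inter-zone:%s->%s" % (z[ingress], z[egress])
```

Run it against the real output of `firewall-cmd --list-all --zone=<zone>` for each active zone to see which interface pairs are intra-zone and which are inter-zone.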