Laine Stump
2015-Mar-17 14:57 UTC
Re: [libvirt-users] still possible to use traditional bridge network setup ?
On 03/16/2015 01:07 PM, Lentes, Bernd wrote:> Bernd wrote: > >> Laine wrote: >> >>> -----Original Message----- >>> From: sendmail [mailto:justsendmailnothingelse@gmail.com] On >> Behalf Of >>> Laine Stump >>> Sent: Monday, March 16, 2015 4:12 PM >>> To: libvirt-users@redhat.com >>> Cc: Lentes, Bernd >>> Subject: Re: [libvirt-users] still possible to use traditional bridge >>> network setup ? >>> >>> On 03/16/2015 10:08 AM, Lentes, Bernd wrote: >>>> Hi, >>>> >>>> i'm currently installing a SLES 12 64bit system. >>>> libvirt-client-1.2.5- >>> 13.3.x86_64 and libvirt-daemon-1.2.5-13.3.x86_64. >>>> Formerly I created my vm's (KVM) using a traditional bridge in my >>>> host >>> systems, mostly SLES 11 SP3. >>>> But with SLES 12 I don't succeed. I can use the macvtap device in >>>> the >>> host, but I like to be able to communicate between host and guest. >>>> Is the traditional bridge setup not any longer available ? >>> Nothing has been removed in libvirt. Traditional bridges work just fine. >>> What failure did you see? >> Hi Laine, >> >> thank you for your answer. Well, it simply does not work: >> >> this is my setup: >> >> pc63422:/etc/sysconfig/network # cat ifcfg-br0 BOOTPROTO='dhcp4' >> TYPE='Bridge' >> BRIDGE='yes' >> DEVICE='br0' >> BRIDGE_FORWARDDELAY='0' >> BRIDGE_PORTS='eth0' >> BRIDGE_STP='off' >> BROADCAST='' >> DHCLIENT_SET_DEFAULT_ROUTE='yes' >> ETHTOOL_OPTIONS='' >> IPADDR='' >> MTU='' >> NAME='' >> NETMASK='' >> NETWORK='' >> REMOTE_IPADDR='' >> STARTMODE='auto' >> USERCONTROL='no >> >> pc63422:/etc/sysconfig/network # cat ifcfg-eth0 # BOOTPROTO='dhcp' >> BROADCAST='' >> ETHTOOL_OPTIONS='' >> IPADDR='' >> MTU='' >> NAME='' >> NETMASK='' >> NETWORK='' >> REMOTE_IPADDR='' >> STARTMODE='auto' >> DHCLIENT_SET_DEFAULT_ROUTE='yes' >> PREFIXLEN='' >> BOOTPROTO='static' >> USERCONTROL='no' >> BRIDGE='br0' >> >> >> guest.xml: >> ... >> <interface type='bridge'> >> <mac address='52:54:00:37:92:b1'/> >> <source bridge='br0'/> >> <model type='rtl8139'/> >> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' >> function='0x0'/> >> </interface> >> ... >> >> pc63422:/etc/sysconfig/network # ip addr >> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state >> UNKNOWN group default >> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 >> inet 127.0.0.1/8 scope host lo >> valid_lft forever preferred_lft forever >> inet6 ::1/128 scope host >> valid_lft forever preferred_lft forever >> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc >> pfifo_fast master br0 state UP group default qlen 1000 >> link/ether 78:24:af:9c:bd:a6 brd ff:ff:ff:ff:ff:ff >> inet6 fe80::7a24:afff:fe9c:bda6/64 scope link >> valid_lft forever preferred_lft forever >> 27: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc >> noqueue state UP group default >> link/ether 78:24:af:9c:bd:a6 brd ff:ff:ff:ff:ff:ff >> inet 10.35.34.115/24 brd 10.35.34.255 scope global br0 >> valid_lft forever preferred_lft forever >> inet6 fe80::7a24:afff:fe9c:bda6/64 scope link >> valid_lft forever preferred_lft forever >> 28: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc >> pfifo_fast master br0 state UNKNOWN group default qlen 500 >> link/ether fe:54:00:37:92:b1 brd ff:ff:ff:ff:ff:ff >> inet6 fe80::fc54:ff:fe37:92b1/64 scope link >> valid_lft forever preferred_lft forever >> >> >> Attached is what I choose during creation of the vm. It's german, >> network source means something like "name of the shared device". >> >> I attached the host to a network hub to be able to sniff all packets. But I >> don't see any packet from the guest. E.g. I choosed "dhclient" after >> booting a knoppix cd in the guest, but no packet from the guest. Also >> using a windows 7 installation cd - no packet from the guest. But I see >> packets from the host. > Hi, > > using the above mentioned setup, i booted the guest using a knoppix cd. Inside the guest I configured the ip address statically. I can ping from host to guest and vice versa, but nothing else. Of course the host is able to connect everything, but the guest just reaches the host.I assume your dhcp server is on a different machine (since your host is also using dhcp on that interface), so if communication between the guest and the outside didn't work later, it's not going to work for dhcp either. The most common two causes of this symptom in a bridged setup are: 1) there are iptables rules in place (on the host) that prevent the traffic crossing the bridge, and the bridge module tunable net.bridge.bridge-nf-call-iptables is set to 1 (on the host). You can determine this by running: sysctl net.bridge.bridge-nf-call-iptables If it's set to 1, set it to 0 with: sysctl -w net.bridge.bridge-nf-call-iptables=0 (Note that as of kernel 3.17 filtering of packets on the bridge isn't on by default any more, and a new module called br_netfilter must be loaded for it to take place. So if your kernel is 3.17 or newer, this probably *isn't* your problem) 2) the switch connecting your host to the network only allows a single (or particular) mac address on the port used to connect the host. If this is the problem, then you'll need to talk to your network administrator.
Lentes, Bernd
2015-Mar-19 16:12 UTC
Re: [libvirt-users] still possible to use traditional bridge network setup ?
Laine wrote:> -----Original Message----- > From: sendmail [mailto:justsendmailnothingelse@gmail.com] On Behalf > Of Laine Stump > Sent: Tuesday, March 17, 2015 3:57 PM > To: libvirt-users@redhat.com > Cc: Lentes, Bernd > Subject: Re: [libvirt-users] still possible to use traditional bridge network > setup ? > > On 03/16/2015 01:07 PM, Lentes, Bernd wrote: > > Bernd wrote: > > > >> Laine wrote: > >> > >>> -----Original Message----- > >>> From: sendmail [mailto:justsendmailnothingelse@gmail.com] On > >> Behalf Of > >>> Laine Stump > >>> Sent: Monday, March 16, 2015 4:12 PM > >>> To: libvirt-users@redhat.com > >>> Cc: Lentes, Bernd > >>> Subject: Re: [libvirt-users] still possible to use traditional > >>> bridge network setup ? > >>> > >>> On 03/16/2015 10:08 AM, Lentes, Bernd wrote: > >>>> Hi, > >>>> > >>>> i'm currently installing a SLES 12 64bit system. > >>>> libvirt-client-1.2.5- > >>> 13.3.x86_64 and libvirt-daemon-1.2.5-13.3.x86_64. > >>>> Formerly I created my vm's (KVM) using a traditional bridge in my > >>>> host > >>> systems, mostly SLES 11 SP3. > >>>> But with SLES 12 I don't succeed. I can use the macvtap device in > >>>> the > >>> host, but I like to be able to communicate between host and guest. > >>>> Is the traditional bridge setup not any longer available ? > >>> Nothing has been removed in libvirt. Traditional bridges work just > fine. > >>> What failure did you see? > >> Hi Laine, > >> > >> thank you for your answer. Well, it simply does not work: > >> > >> this is my setup: > >> > >> pc63422:/etc/sysconfig/network # cat ifcfg-br0 BOOTPROTO='dhcp4' > >> TYPE='Bridge' > >> BRIDGE='yes' > >> DEVICE='br0' > >> BRIDGE_FORWARDDELAY='0' > >> BRIDGE_PORTS='eth0' > >> BRIDGE_STP='off' > >> BROADCAST='' > >> DHCLIENT_SET_DEFAULT_ROUTE='yes' > >> ETHTOOL_OPTIONS='' > >> IPADDR='' > >> MTU='' > >> NAME='' > >> NETMASK='' > >> NETWORK='' > >> REMOTE_IPADDR='' > >> STARTMODE='auto' > >> USERCONTROL='no > >> > >> pc63422:/etc/sysconfig/network # cat ifcfg-eth0 # > BOOTPROTO='dhcp' > >> BROADCAST='' > >> ETHTOOL_OPTIONS='' > >> IPADDR='' > >> MTU='' > >> NAME='' > >> NETMASK='' > >> NETWORK='' > >> REMOTE_IPADDR='' > >> STARTMODE='auto' > >> DHCLIENT_SET_DEFAULT_ROUTE='yes' > >> PREFIXLEN='' > >> BOOTPROTO='static' > >> USERCONTROL='no' > >> BRIDGE='br0' > >> > >> > >> guest.xml: > >> ... > >> <interface type='bridge'> > >> <mac address='52:54:00:37:92:b1'/> > >> <source bridge='br0'/> > >> <model type='rtl8139'/> > >> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' > >> function='0x0'/> > >> </interface> > >> ... > >> > >> pc63422:/etc/sysconfig/network # ip addr > >> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state > UNKNOWN > >> group default > >> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > >> inet 127.0.0.1/8 scope host lo > >> valid_lft forever preferred_lft forever > >> inet6 ::1/128 scope host > >> valid_lft forever preferred_lft forever > >> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > pfifo_fast > >> master br0 state UP group default qlen 1000 > >> link/ether 78:24:af:9c:bd:a6 brd ff:ff:ff:ff:ff:ff > >> inet6 fe80::7a24:afff:fe9c:bda6/64 scope link > >> valid_lft forever preferred_lft forever > >> 27: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > noqueue > >> state UP group default > >> link/ether 78:24:af:9c:bd:a6 brd ff:ff:ff:ff:ff:ff > >> inet 10.35.34.115/24 brd 10.35.34.255 scope global br0 > >> valid_lft forever preferred_lft forever > >> inet6 fe80::7a24:afff:fe9c:bda6/64 scope link > >> valid_lft forever preferred_lft forever > >> 28: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc > >> pfifo_fast master br0 state UNKNOWN group default qlen 500 > >> link/ether fe:54:00:37:92:b1 brd ff:ff:ff:ff:ff:ff > >> inet6 fe80::fc54:ff:fe37:92b1/64 scope link > >> valid_lft forever preferred_lft forever > >> > >> > >> Attached is what I choose during creation of the vm. It's german, > >> network source means something like "name of the shared device". > >> > >> I attached the host to a network hub to be able to sniff all packets. > >> But I don't see any packet from the guest. E.g. I choosed "dhclient" > >> after booting a knoppix cd in the guest, but no packet from the > >> guest. Also using a windows 7 installation cd - no packet from the > >> guest. But I see packets from the host. > > Hi, > > > > using the above mentioned setup, i booted the guest using a knoppix > cd. Inside the guest I configured the ip address statically. I can ping from > host to guest and vice versa, but nothing else. Of course the host is able > to connect everything, but the guest just reaches the host. > > I assume your dhcp server is on a different machine (since your host is > also using dhcp on that interface), so if communication between the > guest and the outside didn't work later, it's not going to work for dhcp > either. The most common two causes of this symptom in a bridged setup > are: > > 1) there are iptables rules in place (on the host) that prevent the traffic > crossing the bridge, and the bridge module tunable net.bridge.bridge-nf- > call-iptables is set to 1 (on the host). You can determine this by running: > > sysctl net.bridge.bridge-nf-call-iptables > > If it's set to 1, set it to 0 with: > > sysctl -w net.bridge.bridge-nf-call-iptables=0 > > (Note that as of kernel 3.17 filtering of packets on the bridge isn't on by > default any more, and a new module called br_netfilter must be loaded > for it to take place. So if your kernel is 3.17 or newer, this probably > *isn't* your problem) > > 2) the switch connecting your host to the network only allows a single (or > particular) mac address on the port used to connect the host. If this is the > problem, then you'll need to talk to your network administrator.Hi Laine, the reason was the firewall. Thanks for your tip ! Bernd Helmholtz Zentrum München Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH) Ingolstädter Landstr. 1 85764 Neuherberg www.helmholtz-muenchen.de Aufsichtsratsvorsitzende: MinDir´in Bärbel Brumme-Bothe Geschäftsführer: Prof. Dr. Günther Wess, Dr. Nikolaus Blum, Dr. Alfons Enhsen Registergericht: Amtsgericht München HRB 6466 USt-IdNr: DE 129521671
Lentes, Bernd
2015-Mar-20 17:35 UTC
Re: [libvirt-users] still possible to use traditional bridge network setup ?
Bernd wrote:> -----Original Message----- > From: libvirt-users-bounces@redhat.com [mailto:libvirt-users- > bounces@redhat.com] On Behalf Of Lentes, Bernd > Sent: Thursday, March 19, 2015 5:12 PM > To: libvirt-users@redhat.com > Subject: Re: [libvirt-users] still possible to use traditional bridge network > setup ? > > Laine wrote: > >...> > Hi Laine, > > the reason was the firewall. Thanks for your tip ! > >Hi, now the more precise explaination: I booted the host with a normal eth0 and nothing else. Firewall rules were evaluated. I created and configured the bridge. After that "systemctl restart network". Everything worked as expected. I configured the vm to use the bridge and started it. The vm has an eth, but no ip, no route, no ns. " sysctl net.bridge.bridge-nf-call-iptables" brought a 1. I didn't change it. Then I restartet the firewall ! After that I have a new rule (and network is running): " Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 34148 4651K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING" man iptables-extensions says: " physdev: This module matches on the bridge port input and output devices enslaved to a bridge device. This module is a part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above version 2.5.44." and further more: " --physdev-is-bridged: Matches if the packet is being bridged and therefore is not being routed. This is only useful in the FORWARD and POSTROUTING chains." When I booted the host for the 1st time, the bridge didn't exist, so no firewall rule for the bridge. After creating the bridge and restarting the firewall, it recognizes the bridge and creates dynamically this rule. I didn't change " net.bridge.bridge-nf-call-iptables". Still 1. Bernd Helmholtz Zentrum München Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH) Ingolstädter Landstr. 1 85764 Neuherberg www.helmholtz-muenchen.de Aufsichtsratsvorsitzende: MinDir´in Bärbel Brumme-Bothe Geschäftsführer: Prof. Dr. Günther Wess, Dr. Nikolaus Blum, Dr. Alfons Enhsen Registergericht: Amtsgericht München HRB 6466 USt-IdNr: DE 129521671
Possibly Parallel Threads
- Re: still possible to use traditional bridge network setup ?
- Re: still possible to use traditional bridge network setup ?
- Re: still possible to use traditional bridge network setup ?
- still possible to use traditional bridge network setup ?
- Accepting RELATED, ESTABLISHED (TCP) connections into VM using Network Filters