Linux bridge not forward
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
# ebtables -t filter -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
# ebtables -t nat -L
Bridge table: nat
Bridge chain: PREROUTING, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
As an additional observation: if I start docker, which will create the docker0 bridge and a bunch of rules in iptables, and add my veth0 interface to the docker0 bridge, then everything works fine. I have no clue why the docker0 bridge works fine but mine does not.
Any idea?
Chain INPUT (policy ACCEPT 5 packets, 1432 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 424 packets, 28043 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 424 packets, 28043 bytes)
pkts bytes target prot opt in out source destination
3 252 MASQUERADE all -- any !docker0 192.168.64.0/24 anywhere
0 0 MASQUERADE all -- any !br-68c3e5c395af 192.168.70.0/24 anywhere
0 0 MASQUERADE all -- any !br0 192.168.8.0/24 anywhere
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
0 0 RETURN all -- br-68c3e5c395af any anywhere anywhere
0 0 RETURN all -- br0 any anywhere anywhere
# iptables -t filter -v -L
Chain INPUT (policy ACCEPT 1152 packets, 459K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 4 packets, 336 bytes)
pkts bytes target prot opt in out source destination
80 6664 DOCKER-USER all -- any any anywhere anywhere
80 6664 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
13 1092 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
9 756 DOCKER all -- any docker0 anywhere anywhere
13 1092 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
0 0 ACCEPT all -- any br-68c3e5c395af anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any br-68c3e5c395af anywhere anywhere
0 0 ACCEPT all -- br-68c3e5c395af !br-68c3e5c395af anywhere anywhere
0 0 ACCEPT all -- br-68c3e5c395af br-68c3e5c395af anywhere anywhere
0 0 ACCEPT all -- any br0 anywhere anywhere
0 0 DOCKER all -- any br0 anywhere anywhere
0 0 ACCEPT all -- br0 !br0 anywhere anywhere
0 0 ACCEPT all -- br0 br0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 1230 packets, 160K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- br0 !br0 anywhere anywhere
13 1092 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-68c3e5c395af !br-68c3e5c395af anywhere anywhere
80 6664 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any br0 anywhere anywhere
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any br-68c3e5c395af anywhere anywhere
13 1092 RETURN all -- any any anywhere anywhere
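The listing taken after docker was started explains why traffic on br0 passes once docker is running: docker loads br_netfilter (net.bridge.bridge-nf-call-iptables = 1), so every frame bridged between two ports of br0 is evaluated by the iptables FORWARD chain, whose policy docker sets to DROP; the frame survives only because docker also installed an explicit ACCEPT for out=br0. The Python below is an added example, not code from the post: it parses `iptables -t filter -v -L` output and walks the FORWARD chain (jumps, RETURNs and the chain policy) for a packet seen as in=br0/out=br0. The sample table is the FORWARD-related part of the listing above with the listing's `--` opt column restored; DOCKER-USER is referenced but not in the paste and is treated as an empty chain; the packet addresses and the `without_interface` contrast (the same table with every rule naming br0 removed, i.e. a bridge docker knows nothing about) are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: FORWARD-related chains from the `iptables -t filter -v -L` listing in the
# post above (opt column "--" restored). INPUT/OUTPUT are omitted; they play no part here.
FILTER_LISTING = """\
Chain FORWARD (policy DROP 4 packets, 336 bytes)
 pkts bytes target     prot opt in     out     source      destination
   80  6664 DOCKER-USER  all  --  any    any     anywhere    anywhere
   80  6664 DOCKER-ISOLATION-STAGE-1  all  --  any  any  anywhere  anywhere
   13  1092 ACCEPT     all  --  any    docker0  anywhere   anywhere  ctstate RELATED,ESTABLISHED
    9   756 DOCKER     all  --  any    docker0  anywhere   anywhere
   13  1092 ACCEPT     all  --  docker0 !docker0  anywhere  anywhere
    0     0 ACCEPT     all  --  docker0 docker0   anywhere  anywhere
    0     0 ACCEPT     all  --  any  br-68c3e5c395af  anywhere  anywhere  ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any  br-68c3e5c395af  anywhere  anywhere
    0     0 ACCEPT     all  --  br-68c3e5c395af !br-68c3e5c395af  anywhere  anywhere
    0     0 ACCEPT     all  --  br-68c3e5c395af br-68c3e5c395af   anywhere  anywhere
    0     0 ACCEPT     all  --  any    br0     anywhere    anywhere
    0     0 DOCKER     all  --  any    br0     anywhere    anywhere
    0     0 ACCEPT     all  --  br0   !br0     anywhere    anywhere
    0     0 ACCEPT     all  --  br0    br0     anywhere    anywhere
Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source      destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br0   !br0  anywhere  anywhere
   13  1092 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-68c3e5c395af !br-68c3e5c395af  anywhere  anywhere
   80  6664 RETURN     all  --  any    any     anywhere    anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 DROP       all  --  any    br0     anywhere    anywhere
    0     0 DROP       all  --  any    docker0  anywhere   anywhere
    0     0 DROP       all  --  any    br-68c3e5c395af  anywhere  anywhere
   13  1092 RETURN     all  --  any    any     anywhere    anywhere
"""

@dataclass
class Rule:
    pkts: int; target: str; proto: str; in_if: str; out_if: str; src: str; dst: str; extras: List[str]

@dataclass
class Chain:
    name: str
    policy: Optional[str]                 # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Packet:                             # constructed addresses; the sample has no src/dst matches
    in_if: str; out_if: str; proto: str = "icmp"; src: str = "192.168.8.2"; dst: str = "192.168.8.1"; ctstate: str = "NEW"

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def _count(tok: str) -> int:              # iptables prints 459K, 1.2M etc. for large counters
    mult = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}
    return int(float(tok[:-1]) * mult[tok[-1]]) if tok[-1] in mult else int(tok)

def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        tok = line.split()
        if current is None or not tok or tok[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [match extensions]
        current.rules.append(Rule(_count(tok[0]), tok[2], tok[3], tok[5], tok[6], tok[7], tok[8], tok[9:]))
    return chains

def _iface_ok(spec: str, actual: str) -> bool:   # "any", "br0" or negated "!br0"
    return True if spec == "any" else (spec.lstrip("!") == actual) != spec.startswith("!")

def _addr_ok(spec: str, actual: str) -> bool:    # "anywhere", "192.168.8.0/24" or "!127.0.0.0/8"
    if spec == "anywhere":
        return True
    inside = ipaddress.ip_address(actual) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", pkt.proto) or not _iface_ok(rule.in_if, pkt.in_if) \
            or not _iface_ok(rule.out_if, pkt.out_if) or not _addr_ok(rule.src, pkt.src) \
            or not _addr_ok(rule.dst, pkt.dst):
        return False
    for i, word in enumerate(rule.extras):   # only ctstate is modelled; other extensions assumed to match
        if word == "ctstate" and pkt.ctstate not in rule.extras[i + 1].split(","):
            return False
    return True

def walk(chains: Dict[str, Chain], name: str, pkt: Packet, trail: List[str]) -> str:
    chain = chains.get(name)
    if chain is None:                     # referenced but not pasted (DOCKER-USER): assumed empty
        trail.append(f"{name}: not in listing, assumed empty -> RETURN")
        return "RETURN"
    for idx, rule in enumerate(chain.rules, 1):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            trail.append(f"{name} rule {idx}: {rule.target}")
            return rule.target
        if rule.target == "RETURN":
            trail.append(f"{name} rule {idx}: RETURN")
            break
        trail.append(f"{name} rule {idx}: jump {rule.target}")
        verdict = walk(chains, rule.target, pkt, trail)
        if verdict != "RETURN":
            return verdict
    if chain.policy is None:              # user chain exhausted: back to the caller
        return "RETURN"
    trail.append(f"{name}: policy {chain.policy}")
    return chain.policy

def forward_verdict(listing: str, pkt: Packet):
    trail: List[str] = []
    return walk(parse_listing(listing), "FORWARD", pkt, trail), trail

def without_interface(listing: str, iface: str) -> str:
    """Constructed contrast: the same table with every rule that names `iface` removed."""
    return "\n".join(l for l in listing.splitlines() if not re.search(rf"\b{re.escape(iface)}\b", l))

if __name__ == "__main__":
    for label, table in (("with br0 rules", FILTER_LISTING), ("without br0 rules", without_interface(FILTER_LISTING, "br0"))):
        verdict, trail = forward_verdict(table, Packet("br0", "br0"))
        print(f"{label}: {verdict}\n  " + "\n  ".join(trail))
```

With the rules docker installed, the bridged packet is accepted by FORWARD rule 11 (`ACCEPT all -- any br0`); with those rules removed, nothing matches and the DROP policy swallows it, which is the counter you see growing in `Chain FORWARD (policy DROP 4 packets, 336 bytes)`. The same walk can be run against any pasted listing, which is the quickest way to tell whether a "bridge not forwarding" symptom is really iptables deciding for the bridge.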
Linux bridge for virtual machines not forwarding IP packets (but is forwarding ARP)
The problem is that Linux isn’t forwarding any IP traffic out the physical interface. It’s forwarding ARP traffic both ways since ARP resolution works, but no IP traffic gets sent out of enp6s0f0.
- adding enp6s0f1 to the bridge, giving enp7s0f0 to the VM, and using a cable to link enp7s0f0 to enp6s0f1
- same result (ARP traffic forwarded, IP traffic not)
- no change
- no change
- no change (this was actually the initial setup and I dropped this quad-port card in to see if was the onboard NIC causing a problem)
- I could see the echo-request come in and I could see it on br0 but it was not forwarded to the VM port (either the vnet port or enp6s0f1 )
- no change
○ → ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp6s0f0: mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 00:10:18:85:1c:c0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::210:18ff:fe85:1cc0/64 scope link
       valid_lft forever preferred_lft forever
3: enp6s0f1: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:10:18:85:1c:c2 brd ff:ff:ff:ff:ff:ff
4: enp7s0f0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:10:18:85:1c:c4 brd ff:ff:ff:ff:ff:ff
5: enp7s0f1: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:10:18:85:1c:c6 brd ff:ff:ff:ff:ff:ff
6: enp9s0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b4:2e:99:a6:22:f9 brd ff:ff:ff:ff:ff:ff
7: wlp8s0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 08:71:90:4e:e9:77 brd ff:ff:ff:ff:ff:ff
8: br-183e1a17d7f6: mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ba:03:e1:9d brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-183e1a17d7f6
       valid_lft forever preferred_lft forever
9: docker0: mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:02:61:00:66 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
10: br0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:10:18:85:1c:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.205/24 brd 192.168.1.255 scope global dynamic noprefixroute br0
       valid_lft 9730sec preferred_lft 7930sec
    inet6 fe80::210:18ff:fe85:1cc0/64 scope link
       valid_lft forever preferred_lft forever
11: vnet0: mtu 1500 qdisc fq_codel master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:be:eb:3e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:febe:eb3e/64 scope link
       valid_lft forever preferred_lft forever

○ → brctl showstp br0
br0
 bridge id              8000.001018851cc0
 designated root        1000.44e4d9d88a00
 root port                 1                    path cost                  4
 max age                  19.99                 bridge max age            19.99
 hello time                1.99                 bridge hello time          1.99
 forward delay            14.99                 bridge forward delay      14.99
 ageing time             299.99
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                  25.78
 flags

enp6s0f0 (1)
 port id                8001                    state                forwarding
 designated root        1000.44e4d9d88a00       path cost                  4
 designated bridge      1000.44e4d9d88a00       message age timer         19.21
 designated port        800d                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

vnet0 (2)
 port id                8002                    state                forwarding
 designated root        1000.44e4d9d88a00       path cost                100
 designated bridge      8000.001018851cc0       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           4                    hold timer                 0.22
 flags

○ → bridge -d link show
2: enp6s0f0: mtu 1500 master br0 state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off enp6s0f0
8: br-183e1a17d7f6: mtu 1500 master br-183e1a17d7f6 br-183e1a17d7f6
9: docker0: mtu 1500 master docker0 docker0
10: br0: mtu 1500 master br0 br0
11: vnet0: mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off vnet0

○ → sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 1
○ → sysctl net.ipv4.conf.br0.forwarding
net.ipv4.conf.br0.forwarding = 1
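The port attributes and sysctls above are the two things to read together when a bridge passes ARP but not IP. Both br0 ports are in STP state forwarding with learning and flood on and isolated off, so nothing at the port level distinguishes ARP from IP; the difference is introduced by br_netfilter, which hands bridged IPv4 frames to the iptables FORWARD chain when net.bridge.bridge-nf-call-iptables = 1 but never hands ARP frames to iptables (ARP is only ever passed to arptables, and only when bridge-nf-call-arptables = 1). The Python below is an added example, not code from the post: it parses `bridge -d link show` and `sysctl` output into a per-port checklist. The sample input is the post's own output; a knob the post did not print (such as bridge-nf-call-arptables) is treated as 0, which is an assumption, and the `BAD_PORT` entry is a constructed contrast to show what the checklist reports when a port is not ready.

```python
import re
from typing import Dict, List

# Sample input: the `bridge -d link show` output from the post above.
BRIDGE_LINK_SHOW = """\
2: enp6s0f0: mtu 1500 master br0 state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off enp6s0f0
8: br-183e1a17d7f6: mtu 1500 master br-183e1a17d7f6 br-183e1a17d7f6
9: docker0: mtu 1500 master docker0 docker0
10: br0: mtu 1500 master br0 br0
11: vnet0: mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off vnet0
"""

# Sample input: the sysctl lines from the post above.
SYSCTL_OUTPUT = """\
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.conf.br0.forwarding = 1
"""

# Constructed contrast (not from the post): a port STP has not yet moved to forwarding,
# which is also marked isolated.
BAD_PORT = """\
12: vnet1: mtu 1500 master br0 state listening priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on isolated on
"""

def parse_bridge_links(text: str) -> Dict[str, dict]:
    """Return {port: {master, state, flags}} for every entry enslaved to a bridge."""
    entries: List[str] = []
    for line in text.splitlines():
        if re.match(r"^\d+: ", line):
            entries.append(line)
        elif entries and line.strip():          # indented continuation line of the same entry
            entries[-1] += " " + line.strip()
    ports: Dict[str, dict] = {}
    for entry in entries:
        m = re.match(r"^\d+: (\S+): .*?master (\S+)(.*)$", entry)
        if not m:
            continue
        name, master, rest = m.groups()
        if master == name:                       # the bridge device itself, not a port
            continue
        state = re.search(r"\bstate (\w+)", rest)
        ports[name] = {
            "master": master,
            "state": state.group(1) if state else "unknown",
            "flags": {k: v == "on" for k, v in re.findall(r"\b(\w+) (on|off)\b", rest)},
        }
    return ports

def parse_sysctls(text: str) -> Dict[str, object]:
    out: Dict[str, object] = {}
    for line in text.splitlines():
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            out[key] = int(val) if val.isdigit() else val
    return out

def bridged_frame_path(ethertype: str, sysctls: Dict[str, object]):
    """Which netfilter table br_netfilter hands a bridged frame to, or None.
    ARP frames can only ever reach arptables; a knob missing from the input counts as 0."""
    table = {"ipv4": "iptables", "ipv6": "ip6tables", "arp": "arptables"}[ethertype]
    return table if sysctls.get(f"net.bridge.bridge-nf-call-{table}", 0) == 1 else None

def checklist(ports: Dict[str, dict], sysctls: Dict[str, object], bridge: str = "br0") -> List[str]:
    findings: List[str] = []
    for name, p in sorted(ports.items()):
        if p["master"] != bridge:
            continue
        if p["state"] != "forwarding":
            findings.append(f"{name}: STP state is {p['state']}, frames are not forwarded")
        if p["flags"].get("isolated"):
            findings.append(f"{name}: isolated on, cannot exchange frames with other isolated ports")
        if not p["flags"].get("learning", True):
            findings.append(f"{name}: learning off, every destination is handled as unknown")
        if not p["flags"].get("flood", True):
            findings.append(f"{name}: flood off, frames to unlearned destinations are dropped")
    for ethertype in ("ipv4", "arp"):
        table = bridged_frame_path(ethertype, sysctls)
        if table:
            findings.append(f"{ethertype} frames bridged on {bridge} are also run through the {table} FORWARD chain")
    return findings

if __name__ == "__main__":
    for line in checklist(parse_bridge_links(BRIDGE_LINK_SHOW), parse_sysctls(SYSCTL_OUTPUT)):
        print(line)
```

For the post's own output the checklist reports a single item, that bridged IPv4 on br0 is run through the iptables FORWARD chain, which is exactly the asymmetry observed (ARP forwarded, IP not) and points at that chain rather than at the bridge.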
Linux bridging not forwarding packets
I am trying to set up a Linux bridge with 2 ethernet interfaces and cannot get it to work correctly. I am using Gentoo Linux and thought it would be quite easy but I end up having trouble getting packets go through the bridge. All of that is virtualized under Hyper-V is that matters for anything (but I doubt it). Here goes my configuration.
 ------              ------------------          --------        -----------
| NUX3 |------------|eth1   BRIDGE   eth0|------| ROUTER |------/ INTERNET /
 ------              ------------------          --------        -----------
192.168.1.195/24     192.168.1.197/24 (br0)      192.168.1.101/24
00:15:5d:00:01:12    00:15:5d:00:01:08 (eth0)    00:15:5d:00:01:03
                     00:15:5d:00:01:13 (eth1)

bridge_br0=( "eth0 eth1" )
config_eth0=( "null" )
config_eth1=( "null" )
config_br0=( "192.168.1.197 netmask 255.255.255.0 brd 192.168.1.255" )
routes_br0=( "default via 192.168.1.101" )

bridge name     bridge id               STP enabled     interfaces
br0             8000.00155d000108       no              eth0
                                                        eth1

eth0 (1)
 state forwarding
eth1 (2)
 state forwarding

net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0

br0   UP BROADCAST RUNNING MULTICAST
      inet addr:192.168.1.197  Bcast:192.168.1.255  Mask:255.255.255.0
eth0  UP BROADCAST RUNNING PROMISC MULTICAST
eth1  UP BROADCAST RUNNING PROMISC MULTICAST

port no mac addr                is local?       ageing timer
  1     00:15:5d:00:01:03       no                 1.51
  1     00:15:5d:00:01:08       yes                0.00
  2     00:15:5d:00:01:12       no                36.22
  2     00:15:5d:00:01:13       yes                0.00
BRIDGE can ping the ROUTER but not NUX3, and NUX3 cannot ping either BRIDGE or ROUTER. All seems good to me but I am obviously missing something. I’d be really glad if someone can point me to it! Thanks.
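The `brctl showmacs` table in this post already tells you what the Linux bridge will do with each frame: the ROUTER's MAC has been learned on port 1 (eth0) and NUX3's on port 2 (eth1), and the two `yes` rows are the bridge's own addresses (the bridge id 8000.00155d000108 shows br0 took eth0's MAC). The Python below is an added example, not code from the post: it parses that table and replays the learning-bridge decision (learn source on the ingress port, deliver locally, forward to the learned port, or flood unknown and broadcast destinations) for each of the flows the post says fail. The port numbering and host MACs come from the post; the fresh MACs used to exercise learning and the flood case are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the `brctl showmacs br0` table from the post above.
SHOWMACS = """\
port no mac addr                is local?       ageing timer
  1     00:15:5d:00:01:03       no                 1.51
  1     00:15:5d:00:01:08       yes                0.00
  2     00:15:5d:00:01:12       no                36.22
  2     00:15:5d:00:01:13       yes                0.00
"""
PORTS = {1: "eth0", 2: "eth1"}                     # brctl port numbers -> names (from `brctl show`)
HOSTS = {"ROUTER": "00:15:5d:00:01:03", "NUX3": "00:15:5d:00:01:12",
         "BRIDGE": "00:15:5d:00:01:08"}            # br0's own MAC is eth0's, per the bridge id

@dataclass
class FdbEntry:
    port: int
    mac: str
    local: bool      # "yes" rows are the bridge's own interface MACs
    age: float       # seconds since last seen on that port

def parse_showmacs(text: str) -> List[FdbEntry]:
    entries = []
    for line in text.splitlines()[1:]:             # skip the header row
        m = re.match(r"\s*(\d+)\s+([0-9a-f:]{17})\s+(yes|no)\s+([\d.]+)", line, re.I)
        if m:
            entries.append(FdbEntry(int(m[1]), m[2].lower(), m[3].lower() == "yes", float(m[4])))
    return entries

class LearningBridge:
    """Replays the forwarding decision of a transparent learning bridge from its FDB."""
    def __init__(self, entries: List[FdbEntry], ports: Dict[int, str], name: str = "br0", ageing: float = 300.0):
        self.fdb = {e.mac: e for e in entries}
        self.ports, self.name, self.ageing = ports, name, ageing

    def decide(self, ingress: Optional[int], src: str, dst: str):
        """ingress=None means the frame was originated by the bridge's own stack."""
        src, dst = src.lower(), dst.lower()
        others = [self.ports[p] for p in sorted(self.ports) if p != ingress]
        if ingress is not None:
            known = self.fdb.get(src)
            if known is None or not known.local:   # learn, refresh, or move the source MAC
                self.fdb[src] = FdbEntry(ingress, src, False, 0.0)
        if int(dst[:2], 16) & 1:                   # broadcast / multicast: every other port
            return ("flood", others)
        entry = self.fdb.get(dst)
        if entry is None or entry.age >= self.ageing:
            return ("flood", others)               # unknown unicast
        if entry.local:
            return ("local", self.name)            # up to the bridge's own IP stack
        if entry.port == ingress:
            return ("drop", "destination already lives on the ingress port")
        return ("forward", self.ports[entry.port])

def replay(bridge: LearningBridge):
    """The flows from the post, as (description, decision) pairs."""
    flows = [("NUX3 -> ROUTER via eth1", 2, HOSTS["NUX3"], HOSTS["ROUTER"]),
             ("ROUTER -> NUX3 via eth0", 1, HOSTS["ROUTER"], HOSTS["NUX3"]),
             ("BRIDGE -> NUX3 (local origin)", None, HOSTS["BRIDGE"], HOSTS["NUX3"]),
             ("NUX3 -> BRIDGE via eth1", 2, HOSTS["NUX3"], HOSTS["BRIDGE"]),
             ("NUX3 ARP request (broadcast)", 2, HOSTS["NUX3"], "ff:ff:ff:ff:ff:ff")]
    return [(label, bridge.decide(ingress, s, d)) for label, ingress, s, d in flows]

if __name__ == "__main__":
    for label, decision in replay(LearningBridge(parse_showmacs(SHOWMACS), PORTS)):
        print(f"{label:32s} -> {decision}")
```

Every flow resolves to the expected port, so the FDB rules out the bridge's own forwarding logic and the STP state; what the table cannot show is whether frames actually reach eth0/eth1 on the wire. One platform detail worth checking in this setup: a Hyper-V virtual switch drops frames whose source MAC differs from the vNIC's own unless "MAC address spoofing" is enabled on that adapter, and a bridging VM emits exactly such frames (NUX3's MAC out of eth0, the ROUTER's MAC out of eth1).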