On Thu, Sep 17, 2020 at 01:20:04PM -0000, Gal Anonim wrote:
> The br0_p01_i interface is only for host <-> bridge communication. VMs have their own ports on the bridge, so any network traffic to/from any VM should never go through the br0_p01_i interface - at least that is what I am expecting. At this moment the target for the zone where the br0_p01_i interface is, is REJECT. And everything appears to be working...
> The second part of the project is podman, and br_netfilter is loaded. Podman needs br_netfilter for intra-container communication via host-mapped ip/port (I really need that functionality) - I haven't found a workaround to be able to unload the br_netfilter module. This part also appears to be working...
Then the bridged packets are likely subject to firewalld's filtering. There is also an associated sysctl. 1 means send to netfilter. 0 means do not send to netfilter. This sysctl is only available if br_netfilter is loaded.

# sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
> What is the relation between firewalld and br_netfilter? Can firewalld do anything about/with br_netfilter?
br_netfilter will send _bridged_ packets to netfilter. If it's enabled, then firewalld will see _bridged_ packets in addition to _routed_ packets.
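A small check script, added here as an example and not part of the thread or of firewalld, that reports whether bridged packets on a host will be handed to netfilter (and therefore seen by firewalld) by reading the bridge-nf-call-* knobs the reply refers to. It assumes the knobs live under /proc/sys/net/bridge, which only exists while br_netfilter is loaded; the directory override and the sample directory are for offline demonstration only.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the net.bridge.bridge-nf-call-*
# sysctls and say which bridged traffic will reach netfilter/firewalld.
# Assumption: knobs are files under $BRIDGE_SYSCTL_DIR (default /proc/sys/net/bridge).

BRIDGE_SYSCTL_DIR="${BRIDGE_SYSCTL_DIR:-/proc/sys/net/bridge}"

# br_nf_loaded DIR: succeeds when the sysctl directory exists, i.e. br_netfilter
# is loaded (the knobs do not exist at all otherwise).
br_nf_loaded() {
    [ -d "$1" ]
}

# br_nf_call DIR HOOK: prints "1" or "0" for one hook (iptables, ip6tables,
# arptables), or "absent" when the knob file is missing.
br_nf_call() {
    f="$1/bridge-nf-call-$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo absent
    fi
}

# br_nf_summary DIR: one line per hook, "<hook> <state>", where state is
# filtered (1: bridged packets go through netfilter, so firewalld sees them),
# bridged-only (0: bridged packets bypass netfilter) or absent.
br_nf_summary() {
    for hook in iptables ip6tables arptables; do
        case "$(br_nf_call "$1" "$hook")" in
            1) state=filtered ;;
            0) state=bridged-only ;;
            *) state=absent ;;
        esac
        echo "$hook $state"
    done
}

# make_sample_dir: constructed sample directory mirroring the sysctl output
# quoted in the reply (all three knobs = 1). Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    for hook in iptables ip6tables arptables; do
        echo 1 > "$d/bridge-nf-call-$hook"
    done
    echo "$d"
}

# Live report for the host this runs on.
main() {
    if br_nf_loaded "$BRIDGE_SYSCTL_DIR"; then
        echo "br_netfilter is loaded; bridged packets reach netfilter as follows:"
        br_nf_summary "$BRIDGE_SYSCTL_DIR"
    else
        echo "br_netfilter is not loaded; bridged packets bypass netfilter and firewalld"
    fi
}

main
```

Run it as root on the host carrying the bridge; a line such as `iptables filtered` means the firewalld rules (and the zone's REJECT target) apply to traffic between bridge ports, not only to routed traffic, which is the situation the reply describes.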