On Thu, Sep 17, 2020 at 01:20:04PM -0000, Gal Anonim wrote:
> The br0_p01_i interface is only for host <-> bridge
> communication.
> VMs have their own ports on the bridge, so any network traffic
> to/from any VM should never go through the br0_p01_i interface - at least
> that is what I am expecting. At this moment the target for the zone
> where the br0_p01_i interface is, is REJECT. And everything appears to be
> working...
> The second part of the project is podman, and br_netfilter is loaded.
> Podman needs br_netfilter for intra-container communication via host
> mapped ip/port (I really need that functionality) - I haven't found a
> workaround to be able to unload the br_netfilter module. This part
> also appears to be working...
Then the bridged packets are likely subject to firewalld's filtering.
There is also an associated sysctl. 1 means send to netfilter. 0 means
do not send to netfilter. This sysctl is only available if br_netfilter
is loaded.
# sysctl -a |grep bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
> What is the relation between firewalld and br_netfilter? Can firewalld
> do anything about/with br_netfilter?
br_netfilter will send _bridged_ packets to netfilter. If it's enabled,
then firewalld will see _bridged_ packets in addition to _routed_
packets.
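The check described above, written out as an added example (not code from the original thread or from the firewalld project): it reports whether br_netfilter is loaded, reads the three bridge-nf-call sysctls straight from /proc/sys (the files only exist while the module is loaded), and says for each whether firewalld will see bridged packets in addition to routed ones. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original message: inspect br_netfilter state
# and the net.bridge.bridge-nf-call-* sysctls that decide whether bridged
# frames are handed to netfilter (and therefore to firewalld's rules).

# Classify a sysctl value. "absent" means the /proc/sys file does not exist,
# which happens when br_netfilter is not loaded: bridged frames then never
# reach netfilter, so only routed packets are filtered.
describe_bridge_nf() {
    case "$1" in
        1)      echo "bridged+routed" ;;
        0)      echo "routed-only" ;;
        absent) echo "routed-only (br_netfilter not loaded)" ;;
        *)      echo "unknown"; return 1 ;;
    esac
}

# Read the live value for one family (iptables, ip6tables or arptables).
# Uses /proc/sys directly so it works without the sysctl binary and needs
# no privileges; prints "absent" when the key does not exist.
read_bridge_nf() {
    fam="${1:-iptables}"
    f="/proc/sys/net/bridge/bridge-nf-call-$fam"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# True when the br_netfilter module is currently loaded.
br_netfilter_loaded() {
    [ -d /sys/module/br_netfilter ] ||
        grep -q '^br_netfilter ' /proc/modules 2>/dev/null
}

# Print a one-line report per family. Return 0 if any family is set to 1,
# i.e. if firewalld is currently filtering bridged traffic.
report_bridge_nf() {
    any_bridged=1
    for fam in iptables ip6tables arptables; do
        v=$(read_bridge_nf "$fam")
        printf '%-40s = %-6s -> %s\n' "net.bridge.bridge-nf-call-$fam" \
            "$v" "$(describe_bridge_nf "$v")"
        [ "$v" = 1 ] && any_bridged=0
    done
    return $any_bridged
}

# Turn the hook off for one family without unloading the module. Needs root.
# Caveat from the thread above: with iptables set to 0, container traffic
# that relies on br_netfilter (podman's host-mapped ip/port between
# containers) will stop being NATed, so do not run this blindly on that host.
disable_bridge_nf() {
    fam="${1:-iptables}"
    sysctl -w "net.bridge.bridge-nf-call-$fam=0"
}

if br_netfilter_loaded; then
    echo "br_netfilter: loaded"
else
    echo "br_netfilter: not loaded"
fi
if report_bridge_nf; then
    echo "firewalld rules apply to bridged frames as well as routed packets"
else
    echo "firewalld rules apply to routed packets only"
fi
```

Run it as an ordinary user on the bridge host; the report needs no privileges. Only disable_bridge_nf writes anything, and the value it sets does not survive a reboot or a module reload unless you also persist it by whatever sysctl mechanism your distribution uses.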