I have a public IP block 51.x.x.16/28 that I'm trying to use with libvirt/QEMU VMs. Inside the VM (IP 51.x.x.18) I'm trying to create an outbound TCP connection (HTTP).
Using tcpdump on the host I can see that the SYN and SYN-ACK are sent and received. However, inside the VM the SYN-ACK is never received (no trace in tcpdump, and the connect hangs).
I have connectivity from the VM to the bridge (brtest) and to the host interface (eno1). From the host I can also connect to the VM. What can be causing this? I've attached the bridge configuration, tcpdump output, iptables rules (created by libvirt) and ifconfig output below.
brtest.xml
<network>
  <name>test</name>
  <bridge name="brtest"/>
  <forward mode="route" dev="eno1"/>
  <ip address="51.x.x.30" netmask="255.255.255.240">
    <dhcp>
      <host mac="02:xx:xx:xx:xx:49" ip="51.x.x.18"/>
    </dhcp>
  </ip>
</network>
tcpdump -n -i eno1
02:07:11.125655 IP 51.x.x.18.51236 > 76.x.x.173.80: Flags [S], seq 2472740296, win 64240, options [mss 1460,sackOK,TS val 3379788359 ecr 0,nop,wscale 7], length 0
02:07:11.135352 IP 76.x.x.173.80 > 51.x.x.18.51236: Flags [S.], seq 1083725147, ack 2472740297, win 65160, options [mss 1460,sackOK,TS val 2243378625 ecr 3379788359,nop,wscale 7], length 0
iptables -n -v -L
Chain INPUT (policy ACCEPT 401 packets, 43908 bytes)
pkts bytes target prot opt in out source destination
516 53705 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
31 1876 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
31 1876 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
31 1876 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 453 packets, 193K bytes)
pkts bytes target prot opt in out source destination
546 209K LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eno1 brtest 0.0.0.0/0 51.x.x.16/28
0 0 REJECT all -- * brtest 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
31 1876 ACCEPT all -- brtest eno1 51.x.x.16/28 0.0.0.0/0
0 0 REJECT all -- brtest * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- brtest brtest 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
11 781 ACCEPT udp -- brtest * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- brtest * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 1585 ACCEPT udp -- brtest * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- brtest * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * brtest 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * brtest 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
4 1312 ACCEPT udp -- * brtest 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * brtest 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
ifconfig
brtest: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 51.x.x.30 netmask 255.255.255.240 broadcast 51.x.x.31
ether 52:xx:xx:xx:xx:fe txqueuelen 1000 (Ethernet)
RX packets 134 bytes 10118 (10.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 49 bytes 8781 (8.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 146.x.x.42 netmask 255.255.255.0 broadcast 146.x.x.255
inet6 fe80::xxxx:xxxx:xxxx:xxxx prefixlen 64 scopeid 0x20<link>
inet6 2001:xxxx:xxx:xxxx:: prefixlen 57 scopeid 0x0<global>
ether d0:xx:xx:xx:xx:14 txqueuelen 1000 (Ethernet)
RX packets 11073 bytes 1099048 (1.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5843 bytes 923130 (923.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethe57ac9e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::249a:c8ff:fe26:f4c1 prefixlen 64 scopeid 0x20<link>
ether 26:xx:xx:xx:xx:c1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15 bytes 1226 (1.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:xx:xx:xx:xx:d2 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::xxxx:xx:xxxx:xxxx prefixlen 64 scopeid 0x20<link>
ether fe:xx:xx:xx:xx:49 txqueuelen 1000 (Ethernet)
RX packets 138 bytes 12591 (12.5 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 472 bytes 31107 (31.1 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
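The most telling evidence in the question is the counter asymmetry in the iptables listing: LIBVIRT_FWO's brtest→eno1 ACCEPT has forwarded 31 packets, while LIBVIRT_FWI's eno1→brtest ACCEPT (and the FORWARD chain's DROP policy) show 0, so the SYN-ACK seen on eno1 never reaches the FORWARD hook at all. The script below is an added example, not part of the original post: it parses `iptables -n -v -L` output and flags interface pairs where traffic was forwarded one way but nothing ever came back through FORWARD, which separates a filtering problem from a drop that happens earlier (routing, rp_filter, ip_forward). The sample input is a constructed excerpt with the same chains and counters as the post.

```python
import re
from collections import defaultdict

# Constructed sample: the LIBVIRT_FWI / LIBVIRT_FWO chains from the question, same counters.
SAMPLE = """\
Chain LIBVIRT_FWI (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- eno1 brtest 0.0.0.0/0 51.x.x.16/28
    0     0 REJECT all -- * brtest 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
 pkts bytes target prot opt in out source destination
   31  1876 ACCEPT all -- brtest eno1 51.x.x.16/28 0.0.0.0/0
    0     0 REJECT all -- brtest * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

# pkts bytes target prot opt in out source destination (bytes may be "209K", so \S+)
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_rules(text):
    """Return one dict per rule line: chain, pkts, target, in, out, src, dst."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m and chain:
            pkts, _, target, _, _, iface_in, iface_out, src, dst = m.groups()
            rules.append({"chain": chain, "pkts": int(pkts), "target": target,
                          "in": iface_in, "out": iface_out, "src": src, "dst": dst})
    return rules

def accepted_by_direction(rules):
    """Sum ACCEPT packet counters per (in, out) interface pair across all chains."""
    totals = defaultdict(int)
    for r in rules:
        if r["target"] == "ACCEPT":
            totals[(r["in"], r["out"])] += r["pkts"]
    return dict(totals)

def find_asymmetric_pairs(rules):
    """(a, b) pairs where a->b was forwarded but no b->a packet was ever accepted:
    the return half of the flow never traversed FORWARD, so look before the filter."""
    totals = accepted_by_direction(rules)
    return sorted((a, b) for (a, b), n in totals.items()
                  if n > 0 and "*" not in (a, b) and totals.get((b, a), 0) == 0)

if __name__ == "__main__":
    for a, b in find_asymmetric_pairs(parse_rules(SAMPLE)):
        print(f"{a}->{b} forwarded, but no {b}->{a} packets ever reached FORWARD")
```

Feed it the full live listing (`iptables -n -v -L | python3 this_script.py`-style reading of stdin is a one-line change) after reproducing the connection attempt, so the counters reflect that flow alone.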