[clug] [CLUG] KVM Bridge networking - Update 1

George at Clug Clug at goproject.info
Sat Apr 11 02:07:19 UTC 2020


Hi,

In my quest for isolated bridges for a KVM host, I have had some success, but only by disabling IPv6 on the bridge itself (thanks Bob for the suggestion of disabling IPv6).

If you understand this stuff better than I do, please point out any stupid errors I may have made (this has been a four-day intensive research journey for me).

I would prefer not to have had to disable IPv6 on the bridge, but until I learn how to stop "systemd-networkd" from undoing my efforts to disable autoconfiguration on the bridge, it will have to do as a solution.

First I found this statement, which, if true, explains why I was not able to get rid of the IPv6 addresses even after disabling IPv6 autoconfiguration.

"The problem with Ubuntu 18 and ipv6 is that systemd-networkd controls kernel parameters, so though one might disable ipv6 with sysctl, networkd will be more than happy switching them on for you, if the configuration does not state otherwise."

The web page below provided some helpful suggestions
https://hsmr.cc/Freifunk/GatewayKonfiguration

/etc/sysctl.conf
    Uncomment
        net.ipv4.ip_forward=1
        net.ipv6.conf.all.forwarding=1
        net.ipv4.conf.default.rp_filter=1
        net.ipv4.conf.all.rp_filter=1 
    Append
        # Disable IPv6 autoconf
        net.ipv6.conf.all.autoconf = 0
        net.ipv6.conf.default.autoconf = 0
        net.ipv6.conf.eth0.autoconf = 0

        net.ipv6.conf.all.accept_ra = 0
        net.ipv6.conf.default.accept_ra = 0
        net.ipv6.conf.eth0.accept_ra = 0

        # Do not process bridged traffic with iptables. With these at 0, host
        # iptables/ip6tables/arptables rules no longer see frames forwarded
        # between ports of the same bridge, so the host firewall cannot filter
        # guest-to-guest traffic; the keys exist only once br_netfilter is loaded.
        net.bridge.bridge-nf-call-arptables = 0
        net.bridge.bridge-nf-call-ip6tables = 0
        net.bridge.bridge-nf-call-iptables = 0


I tried this approach, but it did not work for me, presumably because of the "systemd-networkd controls kernel parameters" issue.

Not knowing how to stop systemd-networkd from overriding these settings, or how to get systemd-networkd to do what I wanted, I kept researching. Although it goes further than I wanted to, disabling IPv6 on the bridge does appear to achieve what I wanted.

https://superuser.com/questions/575684/how-to-disable-ipv6-on-a-specific-interface-in-linux/575701
You can disable it from /etc/sysctl.conf with this line:
net.ipv6.conf.eth0.disable_ipv6 = 1
Take a look at /proc/sys/net/ipv6/conf/eth0. There are many options you can set in that directory, like leaving IPv6 enabled but disabling autoconf etc.

Disabling IPv6 on the specific bridges that should not have IPv6 addresses seems to have worked: IPv6 traffic is forwarded from the physical network via the NIC to the VMs connected to the bridge (tested using ping6), while I cannot ping between bridges (which is what I want).


Below are some other links I reviewed.
==========================================

bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.

https://ycnrg.org/vga-passthrough-with-ovmf-vfio/

https://hsmr.cc/Freifunk/GatewayKonfiguration

https://freifunk-herford.github.io/ffhf-salt/file_roots/gateway/network/index.html

=================================================================
https://superuser.com/questions/33196/how-to-disable-autoconfiguration-on-ipv6-in-linux
============================================================================
# apt install dnsutils net-tools bridge-utils -y

# sysctl -w net.ipv6.conf.br1.disable_ipv6=1

# nano /etc/sysctl.conf
    Uncomment
        net.ipv4.ip_forward=1
        net.ipv6.conf.all.forwarding=1
        net.ipv4.conf.default.rp_filter=1
        net.ipv4.conf.all.rp_filter=1 
    Append
        # Disable IPv6 autoconf
        net.ipv6.conf.all.autoconf = 0
        net.ipv6.conf.default.autoconf = 0
        net.ipv6.conf.eth0.autoconf = 0

        net.ipv6.conf.all.accept_ra = 0
        net.ipv6.conf.default.accept_ra = 0
        net.ipv6.conf.eth0.accept_ra = 0

        # Do not process bridged traffic with iptables. With these at 0, host
        # iptables/ip6tables/arptables rules no longer see frames forwarded
        # between ports of the same bridge, so the host firewall cannot filter
        # guest-to-guest traffic; the keys exist only once br_netfilter is loaded.
        net.bridge.bridge-nf-call-arptables = 0
        net.bridge.bridge-nf-call-ip6tables = 0
        net.bridge.bridge-nf-call-iptables = 0

       #Disable IPv6 for bridge
       net.ipv6.conf.br1.disable_ipv6=1

# ls /proc/sys/net/ipv6/conf/
# ls /proc/sys/net/ipv6/conf/br1/
# ls /proc/sys/net/ipv6/conf/br1/autoconf 
# cat  /proc/sys/net/ipv6/conf/br1/autoconf 
# cat  /proc/sys/net/ipv6/conf/br1/accept_ra
# cat  /proc/sys/net/ipv6/conf/br1/disable_ipv6 
# cat  /proc/sys/net/ipv6/conf/br1/use_tempaddr 
# cat  /proc/sys/net/ipv6/conf/br1/use_oif_addrs_only 
# cat  /proc/sys/net/ipv6/conf/br1/forwarding 



================================================================
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#
# Layout: ens3 carries the host's static IPv4 address; ens9 has no address of
# its own and is the only port of bridge br1, to which the KVM guests attach.
# br1 uses method "manual", i.e. ifupdown assigns it no address of its own;
# IPv6 on br1 is disabled separately via sysctl (net.ipv6.conf.br1.disable_ipv6=1).
# NOTE(review): if this host is in fact managed by systemd-networkd/netplan
# rather than ifupdown, this file may not be read at all — confirm which
# service owns ens9 and br1 before relying on the settings below.

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

#VERBOSE="yes"

#DEBUG="yes"

# SYSLOG="yes"

# The primary network interface
auto ens3
#allow-hotplug ens3
iface ens3 inet static
	address 10.0.0.122/24
	gateway 10.0.0.254
	# dns-* options are implemented by the resolvconf package, if installed
	dns-nameservers 10.0.0.254
	dns-search goproject.info

# Bridge port only: no address is configured on ens9 itself.
iface ens9 inet manual

# Commented-out earlier brctl-based variant (not active).
#auto br1
#iface br1 inet manual
#    bridge_ports ens9
#    up /usr/sbin/brctl setageing br1 0
#    up /usr/sbin/brctl stp br1 off
#
#iface ens9 inet6 manual
#    bridge_ports ens9
#    up /usr/sbin/brctl setageing br1 0
#    up /usr/sbin/brctl stp br1 off

# Guest bridge br1. bridge_stp off / bridge_fd 0 / bridge_waitport 0 skip the
# spanning-tree forwarding delay and the wait for ports on bring-up
# (see bridge-utils-interfaces(5)).
# NOTE(review): "autoconf" and "accept_ra" are documented in interfaces(5) as
# inet6-family options; under "inet manual" they are presumably ignored —
# confirm, and rely on the per-interface sysctl if they must take effect.
auto br1
iface br1 inet manual
    bridge_ports ens9
    autoconf 0
    accept_ra 0
    bridge_stp off
    bridge_fd 0
    bridge_waitport 0
 
# NOTE(review): interfaces(5) lists accept_ra/autoconf for the inet6 "static"
# and "auto" methods, not for "manual"; they may be silently ignored here,
# which would be consistent with the sysctl-based approach being needed.
# The bridge_* options are repeated from the inet stanza above.
iface br1 inet6 manual
    bridge_ports ens9
    autoconf 0
    accept_ra 0
    bridge_stp off
    bridge_waitport 0
    bridge_fd 0



