I have a relatively simple setup: KVM guests under libvirt on Ubuntu 22.04 (all packages updated today). I want a bridged network so that I can reach the guests from other machines on the LAN. But no traffic gets through to or from the guest.
My bridge configuration:
$ sudo brctl show
bridge name bridge id STP enabled interfaces
vmbr0 8000.8690c059a7cf yes eno1
vnet5
$ sudo nmcli conn show --active
NAME UUID TYPE DEVICE
VO Bridge Connection 71a4f8dd-4b89-4052-be12-21559df85d7b bridge vmbr0
vnet5 1efe8a7d-6883-42da-acec-0a6e1c03317b tun vnet5
VO-bridge0 8ca30e55-c339-4a43-b0cc-6627fc045a20 ethernet eno1
(Every time the KVM guest is started the network interface number goes up by one, so the above started at vnet0 and after five restarts is now at vnet5.)
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether e8:40:f2:ac:ff:31 brd ff:ff:ff:ff:ff:ff
altname enp0s25
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 86:90:c0:59:a7:cf brd ff:ff:ff:ff:ff:ff
9: vnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:40:f2:ac:ff:31 brd ff:ff:ff:ff:ff:ff
libvirt network configuration:
$ virsh net-dumpxml vo-br0
<network connections='1'>
<name>vo-br0</name>
<uuid>0db0d301-3e92-4e10-a70a-5f3f583234af</uuid>
<forward mode='bridge'/>
<bridge name='vmbr0'/>
</network>
$ virsh net-list --all
Name State Autostart Persistent
-------------------------------------------
vo-br0 active yes yes
KVM guest network configuration:
<interface type='network'>
<mac address='e8:40:f2:ac:ff:31'/>
<source network='vo-br0'/>
<model type='rtl8139'/>
<link state='up'/>
<address type='pci' domain='0x0000' bus='0x10' slot='0x01' function='0x0'/>
</interface>
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether e8:40:f2:ac:ff:31 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.101.6/24 brd 192.168.101.255 scope global noprefixroute ens1
valid_lft forever preferred_lft forever
But I can't even ping the host on the bridge:
$ ping 192.168.101.11
PING 192.168.101.11 (192.168.101.11) 56(84) bytes of data.
From 192.168.101.6 icmp_seq=1 Destination Host Unreachable
From 192.168.101.6 icmp_seq=2 Destination Host Unreachable
From 192.168.101.6 icmp_seq=3 Destination Host Unreachable
^C
Host to guest:
$ ping 192.168.101.6
PING 192.168.101.6 (192.168.101.6) 56(84) bytes of data.
^C
--- 192.168.101.6 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5114ms
Here is a traffic dump taken on the host, on the bridge's guest-side port:
$ sudo tcpdump -i 3
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vnet5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:17:53.452257 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
10:17:54.331497 STP 802.1d, Config, Flags [none], bridge-id 8000.86:90:c0:59:a7:cf.8002, length 35
10:17:54.476238 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
10:17:55.500338 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
10:17:56.333940 STP 802.1d, Config, Flags [none], bridge-id 8000.86:90:c0:59:a7:cf.8002, length 35
10:17:56.524239 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
10:17:57.548256 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
10:17:58.335624 STP 802.1d, Config, Flags [none], bridge-id 8000.86:90:c0:59:a7:cf.8002, length 35
10:17:58.573947 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
As can be seen, the ARP requests reach the host, but the host does not know the guest's MAC address. At least that is how it looks to me.
There are no iptables rules defined that could block this:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The network interfaces are up:
$ sudo tcpdump -D
1.eno1 [Up, Running, Connected]
2.vmbr0 [Up, Running, Connected]
3.vnet5 [Up, Running, Connected]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.lo [Up, Running, Loopback]
6.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
9.dbus-system (D-Bus system bus) [none]
10.dbus-session (D-Bus session bus) [none]
I'm stumped. I previously installed docker on this host, but I have disabled it. I also have some OpenVPN connections, but they are not active. Both the docker and the OpenVPN networks work fine, but KVM does not.
I can't find anything that might be causing this. Searching the web turned up nothing. Does anyone know what I should do to fix this?
Edit: routes:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 425 0 0 vmbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eno1
192.168.88.0 0.0.0.0 255.255.255.0 U 425 0 0 vmbr0
192.168.101.0 0.0.0.0 255.255.255.0 U 425 0 0 vmbr0
Additional update:
@stack3r suggested that the device eno1 should carry the gateway (and IP address) rather than the vmbr0 bridge. I changed that as a test, but the result was similar.
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 100 0 0 eno1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 vmbr0
192.168.101.0 0.0.0.0 255.255.255.0 U 100 0 0 eno1
$ sudo nmcli conn show --active
[sudo] password for roland:
NAME UUID TYPE DEVICE
VO eth bridge 25248883-172d-47af-9d3c-0000e2f0d9af ethernet eno1
vnet0 c9f2a3c4-ea03-4b8d-9dac-781b0d14ef00 tun vnet0
VO Bridge Connection 71a4f8dd-4b89-4052-be12-21559df85d7b bridge vmbr0
$ ping 192.168.101.6
PING 192.168.101.6 (192.168.101.6) 56(84) bytes of data.
From 192.168.101.11 icmp_seq=1 Destination Host Unreachable
From 192.168.101.11 icmp_seq=2 Destination Host Unreachable
From 192.168.101.11 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.101.6 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5125ms
$ sudo tcpdump -D
1.eno1 [Up, Running, Connected]
2.vmbr0 [Up, Running, Connected]
3.vnet0 [Up, Running, Connected]
4.any (Pseudo-device that captures on all interfaces) [Up, Running]
5.lo [Up, Running, Loopback]
6.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
9.dbus-system (D-Bus system bus) [none]
10.dbus-session (D-Bus session bus) [none]
$ sudo tcpdump -i 2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:43:20.901703 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:21.925619 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:22.949575 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:23.973649 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:24.997518 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:26.021477 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:27.045600 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:28.069454 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:29.093423 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:30.117488 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
^C
$ sudo tcpdump -i 3
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:43:52.340139 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:40:f2:ac:ff:31.8001, length 35
19:43:52.644833 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:53.668768 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:54.356125 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:40:f2:ac:ff:31.8001, length 35
19:43:54.692879 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:55.716722 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:56.340150 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:40:f2:ac:ff:31.8001, length 35
19:43:56.740703 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:57.764782 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:58.356147 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:40:f2:ac:ff:31.8001, length 35
19:43:58.788654 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:43:59.812633 ARP, Request who-has 192.168.101.1 tell 192.168.101.6, length 28
19:44:00.340132 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:40:f2:ac:ff:31.8001, length 35
^C
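The question's output contains everything needed to run a mechanical check of the two things a practitioner looks at first on a Linux bridge that forwards broadcasts but nothing else: whether a guest MAC collides with a MAC the host already owns (the bridge treats the MACs of its own ports as local addresses and delivers frames for them to the host stack rather than forwarding them to the tap), and whether STP still holds the freshly attached vnet port in listening/learning state (with STP on, as `brctl show` reports here, a new port waits 2 x forward_delay before it forwards). The script below is an added example, not part of the question or answer. It parses the question's own `ip link` output and guest `<interface>` XML, plus a constructed `bridge link show` snapshot (format assumed from iproute2) in which the tap port is still learning. On the page's data it flags that the guest MAC e8:40:f2:ac:ff:31 is identical to the MAC of the host's eno1; the page does not say whether that was the actual cause, and the answer's fix (recreating the bridge port and deleting and re-adding the guest NIC) does not report the MAC before and after.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs. IP_LINK and DOMAIN_XML are copied from the
# question's own output; BRIDGE_LINK is a made-up `bridge link show` snapshot
# (iproute2 format, assumed) showing the tap port still in STP "learning".
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP mode DEFAULT group default qlen 1000
    link/ether e8:40:f2:ac:ff:31 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 86:90:c0:59:a7:cf brd ff:ff:ff:ff:ff:ff
9: vnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:40:f2:ac:ff:31 brd ff:ff:ff:ff:ff:ff
"""

DOMAIN_XML = """\
<domain type='kvm'>
  <devices>
    <interface type='network'>
      <mac address='e8:40:f2:ac:ff:31'/>
      <source network='vo-br0'/>
      <model type='rtl8139'/>
    </interface>
  </devices>
</domain>
"""

BRIDGE_LINK = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 4
9: vnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state learning priority 32 cost 100
"""

LINK_RE = re.compile(r'^\d+: ([^:@]+)(?:@\S+)?: <[^>]*>(.*)$')
ETHER_RE = re.compile(r'^\s*link/ether ([0-9a-f:]{17})', re.I)
PORT_RE = re.compile(r'^\d+: ([^:@]+)(?:@\S+)?:.*\bmaster (\S+) state (\S+)')


def parse_ip_link(text):
    """Map interface name -> {'mac', 'master'} from `ip link` output."""
    links, cur = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            cur = m.group(1)
            master = re.search(r'\bmaster (\S+)', m.group(2))
            links[cur] = {'mac': None, 'master': master.group(1) if master else None}
            continue
        m = ETHER_RE.match(line)
        if m and cur:
            links[cur]['mac'] = m.group(1).lower()
    return links


def guest_macs(domain_xml):
    """Every <mac address=.../> declared in a libvirt domain definition."""
    return [e.get('address').lower() for e in ET.fromstring(domain_xml).iter('mac')]


def parse_bridge_link(text):
    """Map port name -> {'bridge', 'state'} from `bridge link show` output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] = {'bridge': m.group(2), 'state': m.group(3)}
    return ports


def audit_bridge(bridge, links, ports, vm_macs):
    """Return (code, subject, detail) findings for the named bridge."""
    findings = []
    # A guest MAC equal to any host interface MAC (uplink, the bridge itself,
    # or a tap) is a local address to the bridge: frames addressed to it go up
    # the host stack and are never forwarded out to the guest's tap port.
    for mac in vm_macs:
        for name, info in links.items():
            if info['mac'] == mac:
                findings.append(('mac-collision', mac, name))
    for name, p in ports.items():
        if p['bridge'] != bridge:
            continue
        # With STP on, a port forwards only after listening and learning.
        if p['state'] != 'forwarding':
            findings.append(('stp-not-forwarding', name, p['state']))
        # Cross-check: `ip link` must also show the port enslaved to the bridge.
        if links.get(name, {}).get('master') != bridge:
            findings.append(('not-enslaved', name, bridge))
    return findings


if __name__ == '__main__':
    report = audit_bridge('vmbr0', parse_ip_link(IP_LINK),
                          parse_bridge_link(BRIDGE_LINK), guest_macs(DOMAIN_XML))
    for code, subject, detail in report:
        print(f'{code}: {subject} ({detail})')
```

On a live host the same functions can be fed the real output of `ip link`, `virsh dumpxml <domain>` and `bridge link show`; a `mac-collision` finding is resolved by giving the guest a MAC the host does not own (libvirt's own 52:54:00 range), and an `stp-not-forwarding` finding either clears itself after the forward delay or is avoided by disabling STP on a single-uplink bridge.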
Answer 1
I got it working. I went over my steps again, deleted the Ethernet interface and removed it from the bridge. Then I used nm-connection-editor to add a new Ethernet port (for eno1) to the bridge.
I assigned an IP address to the bridge. I also deleted and re-added the NIC configuration in the KVM guest.
After rebooting the machine, the bridge came up and the guest had network connectivity.
$ sudo tcpdump -D
1.eno1 [Up, Running, Connected]
2.vmbr0 [Up, Running, Connected]
3.vnet0 [Up, Running, Connected]
4.tun0 [Up, Running, Connected]
5.tun1 [Up, Running, Connected]
6.any (Pseudo-device that captures on all interfaces) [Up, Running]
7.lo [Up, Running, Loopback]
8.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
9.nflog (Linux netfilter log (NFLOG) interface) [none]
10.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
11.dbus-system (D-Bus system bus) [none]
12.dbus-session (D-Bus session bus) [none]
tun0 and tun1 did not exist before.
Something seems to have gone wrong the first time I added the bridge and the interface. After recreating them, it works as advertised.
$ ping 192.168.101.6
PING 192.168.101.6 (192.168.101.6) 56(84) bytes of data.
64 bytes from 192.168.101.6: icmp_seq=1 ttl=64 time=0.318 ms
64 bytes from 192.168.101.6: icmp_seq=2 ttl=64 time=0.215 ms
^C
--- 192.168.101.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1020ms
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 425 0 0 vmbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eno1
192.168.101.0 0.0.0.0 255.255.255.0 U 425 0 0 vmbr0