How to set up a bridged network connection on Fedora 30 for use with libvirt KVM

To use KVM VMs on Fedora 30 I need to set up a bridged connection. So I managed to write a simple script, but I seem to be running into some problems. If I'm not mistaken, when I add the bridge slave connection, the properties I entered for the bridge connection are not passed on to the ethernet connection? Could you give me some hints about what is wrong in this script file? Here is my ./bridge.sh script:

#!/bin/sh

# Author: Dzintars Klavins
# This script will set up a bridge connection to enable KVM networking
# Before running, delete all devices and connections
# nmcli connection delete <connection-name>
# nmcli device delete <device-name>
# Don't forget to make this file executable

export NETWORK_ETHERNET_DEVICE="eno1"
export NETWORK_ETHERNET_CONNECTION="eno1"
export NETWORK_BRIDGE_CONNECTION="br1"
export NETWORK_GW_ADDRESS="192.168.1.1"
export NETWORK_IP_ADDRESS="192.168.1.2"
export NETWORK_DNS_ADDRESSES="8.8.8.8,8.8.4.4"

# General cleanup

# Pattern matching a NetworkManager connection UUID
UUID_RE="[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}"

# Delete all existing connections (every UUID listed by `nmcli c`)
for i in `nmcli c | grep -o -- "$UUID_RE"` ; do
    nmcli connection delete uuid $i
done

# Delete all devices (optional/not sure)
# Note: `nmcli d` lists device names, not UUIDs, so this loop matches nothing;
# software devices are removed by name with `nmcli device delete <device-name>`
for i in `nmcli d | grep -o -- "$UUID_RE"` ; do
    nmcli device delete $i
done

# Create new bridge connection
nmcli connection add type bridge autoconnect yes con-name ${NETWORK_BRIDGE_CONNECTION} ifname ${NETWORK_BRIDGE_CONNECTION}
# Modify bridge connection properties (the address must be set before switching the method to manual)
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.addresses ${NETWORK_IP_ADDRESS}/24
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.method manual
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.gateway ${NETWORK_GW_ADDRESS}
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.dns ${NETWORK_DNS_ADDRESSES}
# Bring bridged connection up
nmcli connection up ${NETWORK_BRIDGE_CONNECTION}
# Add slave for bridged connection (the ethernet port is enslaved to the bridge; the IP configuration stays on the bridge)
nmcli connection add type bridge-slave autoconnect yes con-name ${NETWORK_ETHERNET_CONNECTION} ifname ${NETWORK_ETHERNET_DEVICE} master ${NETWORK_BRIDGE_CONNECTION}
# Bring up slave connection
nmcli connection down ${NETWORK_ETHERNET_CONNECTION}; nmcli connection up ${NETWORK_ETHERNET_CONNECTION}

ping -c 3 google.com
# ... no ping :( :( :(

It works, but I cannot ping google. I see that 2 devices were created:

$ nmcli device
DEVICE      TYPE      STATE        CONNECTION 
br1         bridge    connected    br1        
eno1        ethernet  connected    eno1       
wlp6s0u1    wifi      unavailable  --         
lo          loopback  unmanaged    --         
virbr0-nic  tun       unmanaged    --   

and 2 connections:

$ nmcli connection
NAME  UUID                                  TYPE      DEVICE 
br1   7ed7ca67-8a92-4ba4-a526-092efbf6c4ea  bridge    br1    
eno1  00b1f26a-c83e-46eb-a432-aa749f798d08  ethernet  eno1

Output of ip addr:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br1 state UP group default qlen 1000
    link/ether 30:85:a9:96:49:ef brd ff:ff:ff:ff:ff:ff
8: wlp6s0u1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 7e:fd:21:9f:4f:03 brd ff:ff:ff:ff:ff:ff
50: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 52:54:00:b6:5f:4f brd ff:ff:ff:ff:ff:ff
73: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 30:85:a9:96:49:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute br1
       valid_lft forever preferred_lft forever
    inet6 fe80::b71a:aa17:83b:f53/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Answer 1

I assume the ping from the kvm guest does not go through the bridge, but ping on the host works fine.

I ran into the same problem when setting up a bridge for kvm. I listed the iptables rules and noticed that the firewall setup (Fedora 30/31) was missing the final ACCEPT in the forward chain for the default zone of the bridge interface. The final ACCEPT is present in the FWDI_libvirt and FWDO_libvirt tables.

So either change the default zone of the bridge interface to libvirt and enable the services in libvirt, or append forward rules for the default zone. Assuming the bridge interface br0 or br1 is in the default zone "public", do the following (change public to whatever zone is needed):

# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FWDI_public -j ACCEPT
# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FWDO_public -j ACCEPT
# firewall-cmd --reload

These direct iptables rules are added to /etc/firewalld/direct.xml.

Another way is to forward all incoming and outgoing packets of br0 or br1:

# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FORWARD -o br0 -j ACCEPT
# firewall-cmd --reload

Hope this helps.
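The answer above diagnoses a missing terminal ACCEPT in the bridge's FWDI_/FWDO_ zone chains. The check below is an added example, not code from the question or the answer: it parses `iptables -S` output (a constructed sample modelled on firewalld's chain layout, with br1 in zone public and the libvirt zone present), finds the zone chain each direction of the bridge is dispatched to, and reports whether that chain ends in an unconditional ACCEPT. The function names, the sample rules and the `-g` dispatch form are assumptions.

```bash
#!/bin/bash
# Added check: does firewalld's forward chain end in ACCEPT for a bridge interface?

# Constructed sample modelled on firewalld's chain layout; not captured from a real host.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD_IN_ZONES -i virbr0 -g FWDI_libvirt
-A FORWARD_IN_ZONES -i br1 -g FWDI_public
-A FORWARD_OUT_ZONES -o virbr0 -g FWDO_libvirt
-A FORWARD_OUT_ZONES -o br1 -g FWDO_public
-A FWDI_libvirt -j FWDI_libvirt_allow
-A FWDI_libvirt -j ACCEPT
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_libvirt -j ACCEPT
-A FWDO_public -j FWDO_public_allow'

# zone_chain RULES IFACE DIR: print the FWDI_/FWDO_ chain IFACE is dispatched to;
# DIR is i (FORWARD_IN_ZONES) or o (FORWARD_OUT_ZONES). Empty output = no dispatch rule.
zone_chain() {
  printf '%s\n' "$1" | awk -v ifc="$2" -v d="$3" '
    $1 == "-A" && $2 ~ /^FORWARD_(IN|OUT)_ZONES$/ && $3 == ("-" d) && $4 == ifc { print $6; exit }'
}

# chain_accepts_all RULES CHAIN: succeed only if CHAIN has an unconditional
# "-A CHAIN -j ACCEPT" rule (NF == 4 rules out rules with match options such as -p icmp)
chain_accepts_all() {
  printf '%s\n' "$1" | awk -v ch="$2" '
    $1 == "-A" && $2 == ch && NF == 4 && $3 == "-j" && $4 == "ACCEPT" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_bridge_forwarding RULES IFACE: report both directions; succeed only if both ACCEPT
check_bridge_forwarding() {
  local rules="$1" ifc="$2" status=0 dir chain
  for dir in i o; do
    chain=$(zone_chain "$rules" "$ifc" "$dir")
    if [ -z "$chain" ]; then
      echo "$ifc: not dispatched to any zone chain for -$dir"; status=1
    elif chain_accepts_all "$rules" "$chain"; then
      echo "$ifc: $chain ends in ACCEPT"
    else
      echo "$ifc: $chain has no final ACCEPT, forwarded traffic is rejected"; status=1
    fi
  done
  return $status
}

for ifc in virbr0 br1; do check_bridge_forwarding "$SAMPLE_RULES" "$ifc" || :; done
```

On a live host, replace SAMPLE_RULES with the output of `iptables -S` run as root; a bridge reported without a final ACCEPT is the case the answer's firewall-cmd passthrough rules fix.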