To use KVM VMs on Fedora 30 I need to set up a bridged connection. So I managed to write a simple script, but I seem to be running into some problems. If I am not mistaken, when I add the bridge slave connection, the properties I entered for the bridge connection are not passed on to the Ethernet connection? Could you give me some hints about what is wrong in this script file? Here is my ./bridge.sh script:
```sh
#!/bin/sh
# Author: Dzintars Klavins
# This script will set up a bridge connection to enable KVM networking
# Before running, delete all devices and connections
#   nmcli connection delete <connection-name>
#   nmcli device delete <device-name>
# Don't forget to make this file executable
export NETWORK_ETHERNET_DEVICE="eno1"
export NETWORK_ETHERNET_CONNECTION="eno1"
export NETWORK_BRIDGE_CONNECTION="br1"
export NETWORK_GW_ADDRESS="192.168.1.1"
export NETWORK_IP_ADDRESS="192.168.1.2"
export NETWORK_DNS_ADDRESES="8.8.8.8,8.8.4.4"
# General cleanup
# Delete all existing connections (match every UUID in the `nmcli c` listing)
for i in `nmcli c | \
grep -o -- "[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}"` ; \
do nmcli connection delete uuid $i ; \
done
# Delete all devices (optional/not sure)
# Note: `nmcli d` prints no UUIDs, so this loop matches nothing and is effectively a no-op
for i in `nmcli d | \
grep -o -- "[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}"` ; \
do nmcli device delete uuid $i ; \
done
# Create new bridge connection
nmcli connection add type bridge autoconnect yes con-name ${NETWORK_BRIDGE_CONNECTION} ifname ${NETWORK_BRIDGE_CONNECTION}
# Modify bridge connection properties
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.address ${NETWORK_IP_ADDRESS}/24
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.method manual
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.gateway ${NETWORK_GW_ADDRESS}
nmcli connection modify ${NETWORK_BRIDGE_CONNECTION} ipv4.dns ${NETWORK_DNS_ADDRESES}
# Bring bridged connection up
nmcli connection up ${NETWORK_BRIDGE_CONNECTION}
# Add slave for bridged connection
nmcli connection add type bridge-slave autoconnect yes con-name ${NETWORK_ETHERNET_CONNECTION} ifname ${NETWORK_ETHERNET_DEVICE} master ${NETWORK_BRIDGE_CONNECTION}
# Bring up slave connection
nmcli connection down ${NETWORK_ETHERNET_CONNECTION}; nmcli connection up ${NETWORK_ETHERNET_CONNECTION}
ping google.com
# ... no ping :( :( :(
```
It works, but I cannot ping google. I see that 2 devices were created:
```
$ nmcli device
DEVICE      TYPE      STATE        CONNECTION
br1         bridge    connected    br1
eno1        ethernet  connected    eno1
wlp6s0u1    wifi      unavailable  --
lo          loopback  unmanaged    --
virbr0-nic  tun       unmanaged    --
```
and 2 connections:
```
$ nmcli connection
NAME  UUID                                  TYPE      DEVICE
br1   7ed7ca67-8a92-4ba4-a526-092efbf6c4ea  bridge    br1
eno1  00b1f26a-c83e-46eb-a432-aa749f798d08  ethernet  eno1
```
Output of `ip addr`:
```
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br1 state UP group default qlen 1000
    link/ether 30:85:a9:96:49:ef brd ff:ff:ff:ff:ff:ff
8: wlp6s0u1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 7e:fd:21:9f:4f:03 brd ff:ff:ff:ff:ff:ff
50: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 52:54:00:b6:5f:4f brd ff:ff:ff:ff:ff:ff
73: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 30:85:a9:96:49:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute br1
       valid_lft forever preferred_lft forever
    inet6 fe80::b71a:aa17:83b:f53/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
Answer 1

I assume that your pings from the KVM guest do not get through the bridge, while pinging from the host works fine.

I ran into the same problem when setting up a bridge for KVM. I listed the iptables rules and noticed that the firewall setup (Fedora 30/31) is missing the final ACCEPT in the forward chains of the default zone of the bridge interface. The final ACCEPT is present in the FWDI_libvirt and FWDO_libvirt tables.

So either change the default zone of the bridge interface to libvirt and enable the services in libvirt, or append forward rules for the default zone. Assuming the bridge interface br0 or br1 is in the default zone "public", do the following (change public to whatever zone is needed):
```
# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FWDI_public -j ACCEPT
# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FWDO_public -j ACCEPT
# firewall-cmd --reload
```
These direct iptables rules get added to /etc/firewalld/direct.xml.

Another approach is to forward all incoming and outgoing packets of br0 or br1:
```
# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FORWARD -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --add-passthrough ipv4 -A FORWARD -o br0 -j ACCEPT
# firewall-cmd --reload
```
Hope this helps.
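As an added example (not code from the question or the answer), the POSIX sh checker below verifies, from captured command output, the two conditions this thread turns on: that eno1 is an UP slave of br1 with the IPv4 address on br1 rather than on eno1 (the bridge script above), and that the firewalld zone's FWDI_/FWDO_ chains or an explicit FORWARD rule accept the bridge's traffic (the answer above). The function names `bridge_sanity` and `forward_accepted`, the `--live` flag and the sample inputs are my own assumptions.

```sh
#!/bin/sh
# Added example: offline checks for a NetworkManager bridge plus firewalld forward rules.

# bridge_sanity DUMP BRIDGE SLAVE: DUMP is the text of "ip addr". Succeeds only if
# SLAVE is an UP slave of BRIDGE, BRIDGE is UP, and the IPv4 address sits on BRIDGE
# (an address left on the slave NIC is the classic misconfiguration).
bridge_sanity() {
    dump=$1 bridge=$2 slave=$3
    printf '%s\n' "$dump" | grep -E "^[0-9]+: $slave:.* master $bridge .*state UP" >/dev/null || {
        echo "FAIL: $slave is not an UP slave of $bridge"; return 1; }
    printf '%s\n' "$dump" | grep -E "^[0-9]+: $bridge:.*state UP" >/dev/null || {
        echo "FAIL: $bridge is not UP"; return 1; }
    # track which interface each "inet" line belongs to
    printf '%s\n' "$dump" | awk -v b="$bridge" -v s="$slave" '
        /^[0-9]+: / { cur = $2; sub(":", "", cur) }
        /^ *inet / && cur == b { seen_b = 1 }
        /^ *inet / && cur == s { seen_s = 1 }
        END { exit !(seen_b && !seen_s) }' || {
        echo "FAIL: IPv4 address is not on $bridge (or is still on $slave)"; return 1; }
    return 0
}

# forward_accepted RULES ZONE BRIDGE: RULES is the text of "iptables -S". Succeeds if
# forwarded traffic is accepted in both directions, either by an unconditional ACCEPT
# at the end of the zone's FWDI_/FWDO_ chains or by a direct FORWARD rule for BRIDGE.
forward_accepted() {
    rules=$1 zone=$2 bridge=$3
    in_ok=0 out_ok=0
    printf '%s\n' "$rules" | grep -E "^-A (FWDI_$zone|FORWARD -i $bridge) -j ACCEPT$" >/dev/null && in_ok=1
    printf '%s\n' "$rules" | grep -E "^-A (FWDO_$zone|FORWARD -o $bridge) -j ACCEPT$" >/dev/null && out_ok=1
    [ $in_ok -eq 1 ] && [ $out_ok -eq 1 ] && return 0
    echo "FAIL: no final forward ACCEPT for zone $zone / $bridge (in=$in_ok out=$out_ok)"
    return 1
}

# Run against the live host (needs root for iptables -S): ./check.sh --live
if [ "${1:-}" = "--live" ] && command -v ip >/dev/null && command -v firewall-cmd >/dev/null; then
    zone=$(firewall-cmd --get-zone-of-interface br1)
    bridge_sanity "$(ip addr)" br1 eno1 && forward_accepted "$(iptables -S)" "$zone" br1 \
        && echo "OK: br1/eno1 bridge and forward rules look correct"
fi
```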