https://wiki.openvz.org/api.php?action=feedcontributions&feedformat=atom&user=Strites 2026-06-10T04:39:43Z User contributions MediaWiki 1.31.1 https://wiki.openvz.org/index.php?title=Bridge_doesn%27t_forward_packets&diff=6729 2008-11-25T07:51:02Z

<p>Strites: /* Resolution */</p> <hr /> <div>Sometimes a bridge can mysteriously drop packets and not forward them.<br /> e.g. eyck user experienced a problem when some of the broadcasts were not<br /> delivered to container via the bridge.<br /> <br /> Original report and the thread: [http://forum.openvz.org/index.php?t=tree&amp;th=4052&amp; forum thread]<br /> <br /> == Simplest configuration ==<br /> <br /> Container #101 with veth interface (veth101.0) connected to eth0 physical interface via bridge.<br /> <br /> == Problem statement ==<br /> <br /> We faced a situation when some of the broadcast packets were not delivered to<br /> the container. Actually it could happen with any packets, not with the<br /> broadcasts only. But broadcasts are simpler and obviously should have been<br /> delivered to all the networking interfaces with no doubt.<br /> <br /> Using tcpdump we see that BOOTP/DHCP request is visible on br0 interface in<br /> the host system ([[CT0]]):<br /> 15:21:52.258220 00:1b:d5:2c:bf:38 &gt; ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 350: 0.0.0.0.68 &gt; 255.255.255.255.67:<br /> BOOTP/DHCP, Request from 00:1b:d5:2c:bf:38, length 308<br /> 15:21:52.287269 00:08:02:ac:36:20 &gt; ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.17.8.254.67 &gt; 255.255.255.255.68:<br /> BOOTP/DHCP, Reply, length 300<br /> <br /> However, eth0 inside the container received only 2nd packet with a BOOTP/DHCP reply and doesn't see the 1st one with the request itself:<br /> 15:21:52.291145 00:08:02:ac:36:20 &gt; ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 172.17.8.254.67 &gt; 255.255.255.255.68:<br /> BOOTP/DHCP, Reply, length 300<br /> <br /> == Resolution ==<br /> <br /> It is not obvious at all, but bridges (though they have their own ebtables filters) do also call iptables FORWARD chain when forwarding packets between interfaces.<br /> Thus your FORWARD iptables rules should allow all the packets which are supposed to go through.<br /> <br /> in our case eyck had a default DROP policy on FORWARD and had to add:<br /> iptables -A FORWARD -d 255.255.255.255 -j ACCEPT<br /> to fix the issue.<br /> <br /> == Another Problem Case ==<br /> I had setup a bridge andgot the same problem, but iptables was setup well. In my case the problem was lying in /proc/sys/net/bridge/<br /> <br /> everything inside had value &quot;1&quot;, changed them to &quot;0&quot; and problem was solved.<br /> <br /> == Credits ==<br /> Many credits to Dariush Pietrzak, who patiently helped to debug this.<br /> <br /> [[Category:Troubleshooting]]<br /> [[Category:Networking]]</div>

Strites