Failed to update device "eth0": security.ipv6_filtering requires br_netfilter be loaded: open /proc/sys/net/bridge/bridge-nf-call-ip6tables: no such file or directory

Hi,
I have created a second bridge interface which is lxdbr2 and a profile with name “test”.

test@host:~$ lxc profile show test
config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    network: lxdbr2
    security.ipv4_filtering: "true"
    security.mac_filtering: "true"
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: test
used_by:
- /1.0/instances/debian
- /1.0/instances/alpine

When I want to set the profile property, I get the following error.

test@host:~$ lxc profile device set test eth0 security.ipv6_filtering=true
Error: The following instances failed to update (profile change still saved):
 - Project: default, Instance: debian: Failed to update device "eth0": security.ipv6_filtering requires br_netfilter be loaded: open /proc/sys/net/bridge/bridge-nf-call-ip6tables: no such file or directory

Instead of that error, I get the following as well.

test@host:~$ lxc launch images:alpine/edge/cloud alpine -p test
Creating alpine
Starting alpine
Error: Failed preparing container for start: Failed to start device "eth0": security.ipv6_filtering requires br_netfilter be loaded: open /proc/sys/net/bridge/bridge-nf-call-ip6tables: no such file or directory
Try `lxc info --show-log local:alpine` for more info

It seems to me like a little bug. Can someone assist me?
Thanks.

The error message is telling you that br_netfilter kernel module needs to be loaded.

We don’t load it automatically as it will cause all your bridged traffic to go through netfilter firewall, which may cause intra-bridge traffic to get blocked (based on your current ruleset).

I’ve set category to LXD and tags to networking as they were not correctly set.

@tomp feels like the error wrapping is making things needlessly hard to read here. Just stating that br_netfilter is required would probably look better.

Yeah, and saying that it's a kernel module too would improve clarity for those that don’t know br_netfilter is a kernel module.

Thanks for the clarification.
Regards.

I missed the message, sorry. modprobe br_netfilter is the answer. :slight_smile:

Improved the error message clarity here:

Wonderful, thanks @tomp
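
A host-side preflight for the situation in this thread, as an added example that is not part of the original posts or LXD's own code: it reads the same `/proc/sys/net/bridge/bridge-nf-call-ip6tables` file named in the error and lists which `bridge-nf-call-*` hooks will send intra-bridge traffic through the firewall once `br_netfilter` is loaded. The `PROC_ROOT` override and the function names are hypothetical, and treating a hook value other than 1 as "not ready" is this example's assumption.

```shell
#!/bin/sh
# Added example, not LXD code. Reports whether the host is ready for
# security.ipv6_filtering and which bridged traffic netfilter will see.
# The optional first argument (a /proc replacement) is a hypothetical
# hook so the functions can be run against a constructed directory tree.

# Prints "missing" (br_netfilter not loaded), "disabled" (loaded, but the
# ip6tables hook is switched off) or "ready". Returns 0 only for "ready".
ipv6_filtering_status() {
    f="${1:-/proc}/sys/net/bridge/bridge-nf-call-ip6tables"
    if [ ! -r "$f" ]; then
        echo missing; return 1
    fi
    if [ "$(cat "$f")" != "1" ]; then
        echo disabled; return 1
    fi
    echo ready
}

# Lists the bridge-nf-call-* hooks set to 1, i.e. the rulesets that
# intra-bridge traffic has to pass once the module is loaded.
active_bridge_hooks() {
    dir="${1:-/proc}/sys/net/bridge"
    hooks=""
    for hook in iptables ip6tables arptables; do
        if [ "$(cat "$dir/bridge-nf-call-$hook" 2>/dev/null)" = "1" ]; then
            hooks="$hooks $hook"
        fi
    done
    echo "${hooks# }"
}

root="${PROC_ROOT:-/proc}"
status=$(ipv6_filtering_status "$root") || true
echo "security.ipv6_filtering prerequisite: $status"
case "$status" in
    missing)  echo "load the module: modprobe br_netfilter" ;;
    disabled) echo "enable: sysctl net.bridge.bridge-nf-call-ip6tables=1" ;;
    ready)    echo "bridged traffic is filtered by: $(active_bridge_hooks "$root")" ;;
esac
```

`modprobe` does not persist across reboots; on systemd hosts a file under `/etc/modules-load.d/` containing the line `br_netfilter` loads the module at boot.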