Bridge/docker/kvm/iptables - Where is the problem

lindesbs · 14 July 2025 05:14

Hi.

I am running a stable Manjaro with NetworkManager, ufw, iptables.
Regardless of whether I use systemd-networkd or NetworkManager, have the bridge created automatically or manually, I have no network within my container.

Neither in docker nor kvm. I have checked several times, the bridge modules are loaded.


$ lsmod |grep bridge                                                                                                              
bridge                450560  0
stp                    12288  1 bridge
llc                    16384  2 bridge,stp

$ brctl show                                                                                                                                                                                                       
bridge name	bridge id		STP enabled	interfaces
br-3a08cde39a36		8000.c688f720df55	no		
docker0		8000.a68f346efa88	no		
virbr0		8000.5254008f0979	yes

2: enp34s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether ba:61:e3:70:ed:06 brd ff:ff:ff:ff:ff:ff permaddr 00:d8:61:36:98:70
    altname enx00d861369870
    inet 192.168.99.204/24 brd 192.168.99.255 scope global dynamic noprefixroute enp34s0
       valid_lft 2278sec preferred_lft 2278sec
    inet6 fe80::7ecd:81a:e638:75c3/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: br-3a08cde39a36: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether c6:88:f7:20:df:55 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-3a08cde39a36
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether a6:8f:34:6e:fa:88 brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.1/16 brd 172.21.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:8f:09:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr0
       valid_lft forever preferred_lft forever

I walk through same topics here, never get a chance to ping from the container to the outer world.

Any additional hints?

xabbu · 14 July 2025 06:09

let’s start with an easy one, why do you believe you need a bridge?

What is the bridge supposed to be doing in your setup?

linux-aarhus · 14 July 2025 06:18

Bridges named virbrX is created by ~~vmware~~ qemu.

vmware creates vmnet interfaces.

Your br-3a08cde39a36 is probably the initial bridge created by docker and the dockerX is a bridge for a single container network.

If your container cannot connect outside the container the bridge has no route defined - or the route is not configured correct - as it may need multiple hops to reach the outside world.

lindesbs · 14 July 2025 06:22

I need access to the internet from my docker and my KVM machine

xabbu · 14 July 2025 06:45

Libvirt also uses in the default Qemu configuration virbr0 as a bridge name.

if you need just that, you don’t need to create your own bridge.

Docker will just work, if not you changed the defaults. However depending on your iptables setup, it might get in the way. For tests disable all your own rules and firewall setups.

You should use libvirt for kvm. For networking use the NAT-Setup. Make sure the subnet is not used anywhere else. libvirt will create own iptables rules for it. But you should make sure you enabled net.ipv4.ip_forward

linux-aarhus · 14 July 2025 06:57

You are right - my mistake - vmware creates vmnet interfaces