Comment 3 for bug 931806

nutznboltz (nutznboltz-deactivatedaccount) wrote :

I made a copy of linux-lts-backport-natty: 2.6.38-13.56~lucid1 into
https://launchpad.net/~nutznboltz/+archive/lp-931806-testing
and installed that on a KVM server.

By default now:

net.bridge.bridge-nf-call-iptables = 1

VM guest is firewalled off, can only reach the VM host.

If I run:

$ sudo sysctl -w net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-iptables = 0

Then the VM guest can access the network.

This is the same behavior I see on Ubuntu 12.04 (developer branch).

I don't remember seeing this on a 2.6.38 backport to Lucid before.

During 12.04 testing I had to add this:

case node[:lsb][:codename]
when 'precise'
  # Ubuntu 12.04 iptables FORWARD section will control the bridge (bridging) by default.
  # Without the following adjustment VM guests' network will not be reachable
  # beyond the VM host when the FORWARD policy is set to DROP or REJECT.

  # Adjust firewall immediately
  execute "/sbin/sysctl -w 'net.bridge.bridge-nf-call-iptables=0'" do
    only_if { File.exist?('/proc/sys/net/bridge') }
  end

  # Also at boot time (append only once; sysctl accepts both "key=value" and
  # "key = value", so the guard matches either spelling, not just the one echoed here)
  execute "echo 'net.bridge.bridge-nf-call-iptables=0' >> /etc/sysctl.conf" do
    only_if do
      File.exist?('/proc/sys/net/bridge') &&
        File.readlines('/etc/sysctl.conf').grep(/^\s*net\.bridge\.bridge-nf-call-iptables\s*=\s*0\s*$/).empty?
    end
  end
end
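The recipe above appends to /etc/sysctl.conf guarded by a grep, which only recognises one spelling of the assignment. As an added example (not the commenter's recipe; the function names are hypothetical), a small idempotent helper that reads the effective value of a sysctl key the way sysctl does (last assignment wins, either spelling, comments ignored) and rewrites the key in place instead of appending. Keep in mind that with this key at 0 the host's FORWARD chain no longer filters bridged guest traffic, so that filtering has to live elsewhere.

```ruby
# Added example: idempotent sysctl.conf editing for the bridge-nf key.
# Hypothetical helpers, not part of the recipe in the comment above.
# sysctl accepts "key=value" and "key = value"; the last assignment
# wins, and lines starting with '#' or ';' are comments.

KEY = 'net.bridge.bridge-nf-call-iptables'

# Return the effective value of +key+ in sysctl.conf-style +text+, or nil.
def sysctl_value(text, key)
  value = nil
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    k, v = line.split('=', 2)
    next unless k && v && k.strip == key
    value = v.strip
  end
  value
end

# Return +text+ with +key+ set to +value+: rewrite every live assignment
# of the key in place, or append one if none exists. Applying it twice
# yields the same text, so a recipe can run it on every converge.
def set_sysctl(text, key, value)
  text += "\n" unless text.empty? || text.end_with?("\n")
  found = false
  lines = text.each_line.map do |line|
    stripped = line.strip
    k, _ = stripped.split('=', 2)
    if k && k.strip == key && !stripped.start_with?('#', ';')
      found = true
      "#{key} = #{value}\n"
    else
      line
    end
  end
  lines << "#{key} = #{value}\n" unless found
  lines.join
end

# Constructed sample: the key spelled the way `sysctl -w` prints it,
# which a grep for the literal "key=0" form would not match.
SAMPLE = "# /etc/sysctl.conf\nnet.ipv4.ip_forward = 1\n" \
         "net.bridge.bridge-nf-call-iptables = 1\n"

if __FILE__ == $0
  puts sysctl_value(SAMPLE, KEY)   # => 1
  puts set_sysctl(SAMPLE, KEY, 0)
end
```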