Background:
Am troubleshooting LXC networking, curiously
- Although I have 2 containers running and configured to use the same br device, only one is actually (mostly) functioning. The other starts up without noticeable errors, but with no network connection (am guessing at the moment it's likely some kind of container ID collision).
- I also have a KVM VM configured to use the same br device, it has full networking functionality with the one working LXC container and the Host.
- Of the two VMs with functional networking (1 LXC container and the KVM VM), both Guests can ping and connect to the Host, but the Host can only connect to the KVM VM. The LXC container does not respond to pings or to telnet to active services, so although the SUSE FW is not running in the container, something seems to be blocking in that direction.
After some investigation, my current candidate for the source of problems is active bridge-nf.
I’ve been piecing together info about bridge-nf. If anyone else has had to configure/re-configure it, I’d appreciate any pointers.
Specifically,
I think bridge-nf is a family of transparent bridge scripts that configure kernel functionality, but am uncertain of exactly the relationship and perhaps the flow of how this functionality works. I <think> it acts as a kind of pre-filter which <optionally> interacts with iptables. I see that something else called “ebtables” is often used in conjunction with bridge-nf, I’m <guessing> to enable similar functionality as iptables <with> bridge-nf instead of behind it, which is where regular iptables would be.
There is a common recommendation that disables bridge-nf generally, but I’m still evaluating its impact (and will try it with my next reboot):
cd /proc/sys/net/bridge
for f in bridge-nf-*; do echo 0 > "$f"; done
Although I’ve read several sources about bridge-nf, I consider the following my main “best” sources… and yes, one is an openSUSE forum post:
https://forums.opensuse.org/english/get-technical-help-here/network-internet/471897-how-12-1-bridged-firewall-part1-rest-follows.html
https://docs.fedoraproject.org/en-US/Fedora/13/html/Virtualization_Guide/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
So, for starters…
If my guesses above are incorrect, I would welcome being set straight.
Also, would appreciate anything anyone can provide in the way of comment, recommendation, clarification, etc.
TIA,
TSU
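Added example (not part of TSU's post, and not an openSUSE or LXC script): a small POSIX sh helper that reports the state of the bridge-nf sysctls, says whether any of them currently hands bridged frames to the host's iptables/ip6tables/arptables rules, and flips them as the one-liner above does. The functions take the sysctl directory as a parameter, and the script builds a constructed stand-in for /proc/sys/net/bridge so it can be run as a normal user on any machine; the file names (bridge-nf-call-iptables, bridge-nf-call-ip6tables, bridge-nf-call-arptables, bridge-nf-filter-vlan-tagged) are the real kernel knob names, the directory contents are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Inspect and adjust the bridge-nf
# knobs. Every function takes the sysctl directory as $1 so the code can be
# exercised against a constructed copy of /proc/sys/net/bridge without root.

# Print one line per bridge-nf knob: name, value, and what the value means.
bridge_nf_report() {
    dir=${1:-/proc/sys/net/bridge}
    [ -d "$dir" ] || { echo "$dir not present (bridge netfilter not loaded?)"; return 1; }
    for f in "$dir"/bridge-nf-*; do
        [ -f "$f" ] || continue
        v=$(cat "$f")
        case $v in
            0) state="bridged frames bypass this hook" ;;
            1) state="bridged frames are passed to this hook" ;;
            *) state="unexpected value" ;;
        esac
        printf '%s=%s  (%s)\n' "$(basename "$f")" "$v" "$state"
    done
}

# Return 0 if any bridge-nf-call-* knob is 1, i.e. host iptables/ip6tables/
# arptables rules (FORWARD chain included) see traffic that merely crosses the
# bridge between guests or between a guest and the host; return 1 otherwise.
bridge_nf_active() {
    dir=${1:-/proc/sys/net/bridge}
    for f in "$dir"/bridge-nf-call-*; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = "1" ] && return 0
    done
    return 1
}

# Set every bridge-nf-call-* knob to $2 (0 disables, 1 enables). On the real
# /proc/sys/net/bridge this needs root; the value is not persistent across reboot.
bridge_nf_set_all() {
    dir=${1:-/proc/sys/net/bridge}
    val=$2
    for f in "$dir"/bridge-nf-call-*; do
        [ -f "$f" ] || continue
        echo "$val" > "$f"
    done
}

# Constructed stand-in for /proc/sys/net/bridge: the kernel's default of 1
# for the three call-* knobs, and 0 for the vlan-tagged filter knob.
make_fake_bridge_dir() {
    fd=$(mktemp -d)
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        echo 1 > "$fd/$k"
    done
    echo 0 > "$fd/bridge-nf-filter-vlan-tagged"
    echo "$fd"
}

# Demo on the constructed directory (swap in the real path on a host to inspect it).
demo_dir=$(make_fake_bridge_dir)
echo "--- before ---"
bridge_nf_report "$demo_dir"
if bridge_nf_active "$demo_dir"; then
    echo "bridge-nf is active: host netfilter rules can drop bridged guest traffic"
fi
bridge_nf_set_all "$demo_dir" 0
echo "--- after disabling ---"
bridge_nf_report "$demo_dir"
rm -rf "$demo_dir"
```

Run the report against the real directory (`bridge_nf_report /proc/sys/net/bridge`) before changing anything: if it shows bridge-nf-call-iptables=1, then the host's iptables rules are being applied to bridged frames, which is one mechanism by which a host firewall can silently drop traffic to a guest even though the guest itself runs no firewall. Setting the knobs to 0 removes that layer, so after doing so any isolation between guests on the same bridge has to come from ebtables or from the guests themselves; to make the change survive a reboot, the same knobs are set through sysctl as net.bridge.bridge-nf-call-iptables = 0 (and the ip6tables/arptables equivalents) rather than by echoing into /proc at each boot.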