Disable netfilter on bridge

1 year ago · 704b2de78d
2 changed files with 16 additions and 1 deletions
--- a/roles/libvirthost/files/etc/udev/rules.d/99-bridge.rules
+++ b/roles/libvirthost/files/etc/udev/rules.d/99-bridge.rules
@ -0,0 +1 @@
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=net/bridge
--- a/roles/libvirthost/tasks/main.yml
+++ b/roles/libvirthost/tasks/main.yml
@ -30,6 +30,7 @@
    - etc/network/interfaces.d/
    - etc/systemd/system/
    - etc/libvirt/hooks/
+    - etc/udev/rules.d/
    - usr/local/bin/

 - name: hugepages config
@ -47,7 +48,7 @@
    append: yes
  become: yes

- name: kernel param tuning
+- name: hugepages kernel params
  sysctl:
    state: present
    name: "{{ item.name }}"
@ -61,6 +62,19 @@
    - { name: 'vm.stat_interval', value: '120' }
    - { name: 'kernel.watchdog', value: '0' }

+- name: bridge networking kernel params
+  sysctl:
+    state: present
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_file: /etc/sysctl.d/bridge.conf
+    reload: yes
+  become: yes
+  with_items:
+    - { name: 'net.bridge.bridge-nf-call-arptables', value: '0' }
+    - { name: 'net.bridge.bridge-nf-call-ip6tables', value: '0' }
+    - { name: 'net.bridge.bridge-nf-call-iptables', value: '0' }
+
 - name: enable tuning service
  systemd:
    name: kvm-tuning
				`@ -0,0 +1 @@`
				`ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=net/bridge`