Bug 1457120

Summary: 'br_netfilter' should be loaded instead of 'bridge'
Product: Red Hat Enterprise Linux 7
Reporter: Jan Synacek <jsynacek>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: low
Priority: medium
Version: 7.4
CC: atragler, egarver, rkhan, sukulkar, todoleza
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-09-08 18:49:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1472751

Description Jan Synacek 2017-05-31 07:42:41 UTC
Description of problem:
On a default RHEL-7.3+ installation when firewalld is started, the 'bridge' module is loaded, which results in the following warning in the logs:

May 31 09:32:42 rhel7-virt kernel: bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.

The 'br_netfilter' module should be loaded instead.


Version-Release number of selected component (if applicable):
firewalld-0.4.3.2-8.el7.noarch


Steps to Reproduce:
1. systemctl disable firewalld
2. reboot
3. systemctl start firewalld
4. See logs.


Actual results:
Warning in the logs.


Expected results:
No warning in the logs.

Comment 2 Eric Garver 2017-09-08 18:49:38 UTC
Loading br_netfilter doesn't make a difference. You'll still get the info log.

[root@dev-rhel7 ~]# modprobe -r br_netfilter bridge
[root@dev-rhel7 ~]# modprobe br_netfilter
[80359.967678] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[80359.969947] Bridge firewalling registered

This is coming from the kernel bridge module and is a harmless info log. I don't think there is anything to fix here. If you think otherwise then you can reopen against kernel/bridge.