fix: enables bridge-nf-call-iptables by default

[sam-berning]

Issue #, if available: #538

Description of changes:

Enables net.bridge.bridge-nf-call-iptables by default in sysctl. This will send packets in a bridge network to iptables for processing.

This will also fix the warning on finch info:

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Testing done:

1. finch info
2. Inspected /etc/sysctl.d/99-lima.conf to ensure all of the expected fields are there
3. Reproduced Finch does not apply iptables rules to containers running in a bridge network #538 against my local Finch, and it succeeded.

To discuss: is it worth creating a new sysctl config file instead of appending to /etc/sysctl.d/99-lima.conf?

• I've reviewed the guidance in CONTRIBUTING.md

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[pendo324]

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

[weikequ]

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Any reason why it's disabled by default? There's no issues on lima nor is there any references to this in the codebase except for a k8s example that is almost the same as what we've written here. Good job on figuring this out!

[sam-berning]

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Yeah, I think that's a good call. Will open a PR to Lima too

[pendo324]

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Yeah, I think that's a good call. Will open a PR to Lima too

This is probably where I'd put it in Lima
https://github.com/lima-vm/lima/blob/master/pkg/cidata/cidata.TEMPLATE.d/boot/00-modprobe.sh

[sam-berning]

Any reason why it's disabled by default? There's no issues on lima nor is there any references to this

According to this page: it's disabled in Fedora by default because it can cause traffic to virtual machines to be blocked if the host's iptables rules do not account for the guest. It also notes that it's enabled in the Linux kernel settings by default, and only some distributions have it disabled -- I think this is likely why Lima doesn't have any logic to enable it.

[pendo324]

Looks good, I do wonder if this type of thing should be added directly to Lima though. We don't really need a detection that br_netfilter is loaded (with modprobe), but Lima would.

Yeah, I think that's a good call. Will open a PR to Lima too

You might want to ask on an issue or on Slack why its not in the list already though. It seems like a weird thing to not include, unless they left it out on purpose.

[sam-berning]

@mharwani I realized that though the br_netfilter kernel module enables these configs by default, it's probably safer long term to explicitly configure them vs. relying on the defaults, so I added /etc/sysctl.d/99-finch.conf. I think it probably won't matter but this approach is ever so slightly safer

[monirul]

LGTM.