Why Linux bridge doesn't work

I've solved this.

It turns out to be iptables that drops packets on the bridge. Packets travel through the FORWARD chain of the filter table without matching any of its rules, so the default policy DROP applies.

To test if it is caused by iptables, we can try

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

then see if the bridge works.


This was exactly my issue when troubleshooting a manually created bridge for use with lxd. I added the following rules to /etc/iptables/rules.v4:

-A FORWARD -o br0 -m comment --comment "allow packets to pass from lxd lan bridge" -j ACCEPT
-A FORWARD -i br0 -m comment --comment "allow input packets to pass to lxd lan bridge" -j ACCEPT
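The diagnosis in the answer and the fix in the comment above can be checked mechanically. The script below is an added example, not code from either poster: it reads an `iptables-save` dump (a constructed sample is embedded, not taken from a real host) and the `bridge-nf-call-iptables` sysctl named in the answer, reports whether bridged frames are reaching a FORWARD chain that drops them, and prints a narrower rule than the comment's pair. The bridge name `br0` is taken from the comment; the sysctl path exists only while the `br_netfilter` module is loaded, so the script treats a missing file as "netfilter is not consulted".

```shell
#!/bin/sh
# Added diagnostic: is iptables dropping frames that cross a Linux bridge?
# Works on an `iptables-save` dump so it can be run offline; on a live host
# pass the real dump to the functions instead of SAMPLE_DUMP.

# Constructed sample dump (not from a real host): FORWARD defaults to DROP
# and the only rule covers routed eth0->eth1 traffic, nothing for br0.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# forward_policy DUMP -> default policy of the filter table's FORWARD chain
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# bridge_rule_count DUMP IFACE -> number of FORWARD rules that name IFACE as
# input or output interface (the kind of rule the comment above adds)
bridge_rule_count() {
    printf '%s\n' "$1" | grep -cE -- "^-A FORWARD .*-(i|o) $2( |$)" || true
}

# nf_call_iptables [FILE] -> 0 or 1 from the bridge-nf sysctl, or "absent"
# when the file is missing (the knob exists only while br_netfilter is loaded)
nf_call_iptables() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# verdict NF_VALUE POLICY RULE_COUNT -> one-line diagnosis
verdict() {
    case "$1" in
        0|absent) echo "netfilter not consulted for bridged frames; look elsewhere" ;;
        *)
            if [ "$2" = DROP ] && [ "$3" -eq 0 ]; then
                echo "FORWARD policy DROP and no rule for the bridge: iptables drops bridged frames"
            else
                echo "bridged frames reach FORWARD and have matching rules; check them with iptables -L FORWARD -v"
            fi ;;
    esac
}

# intra_bridge_rule IFACE -> rule that accepts frames bridged between ports
# of IFACE only. Matching -i and -o on the same bridge does not, unlike a
# bare -i IFACE or -o IFACE, also open routed traffic between the bridge and
# other interfaces.
intra_bridge_rule() {
    echo "-A FORWARD -i $1 -o $1 -m comment --comment \"bridged traffic within $1\" -j ACCEPT"
}

# Stand-alone run: diagnose the constructed sample against the live sysctl.
main() {
    nf=$(nf_call_iptables)
    pol=$(forward_policy "$SAMPLE_DUMP")
    n=$(bridge_rule_count "$SAMPLE_DUMP" br0)
    echo "bridge-nf-call-iptables=$nf FORWARD policy=$pol rules for br0=$n"
    verdict "$nf" "$pol" "$n"
    echo "suggested rule: $(intra_bridge_rule br0)"
}
main
```

On a live host, `forward_policy "$(iptables-save)"` and `bridge_rule_count "$(iptables-save)" br0` give the real values; setting the sysctl to 0 as in the answer is a test, while the rule printed by `intra_bridge_rule` is a fix that keeps the FORWARD policy DROP for everything else.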