[Hardy] overzealous masquerading affects vm to vm traffic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | High | Unassigned |
Hardy | Fix Released | High | Unassigned |
Bug Description
The default masquerade rule appears to be:
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
but this causes all internally routed guest to guest traffic to be masqueraded too (breaking such things as redhat cluster dlm connections in my case).
replacing the rule with the following seems to be a good solution:
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE
[Impact]
Causes inappropriate masquerading of internally routed traffic, which makes it difficult to test virtual clusters (among other things)
[How Addressed in Development]
This patch is a cherrypick from upstream's git tree. This fix is already in the version carried in Jaunty today.
[Patch]
Attached is a minimal patch fixing the issue, taken from git upstream.
[Reproduction]
Set up two kvm machines. Ping the first from the second, and run tcpdump on the second; in the tcpdump output, you *should* see that the pings come from the ip address of the first kvm machine, but instead (with the bug) you'll see they come from the ip address associated with virbr0, the bridge device on the host.
[Regression Potential]
It is hard to imagine a situation where it would be desirable that all traffic from other machines on the internal bridged network appear to come from the single ip address of the host. That said, users with a pre-existing network of guests may have developed workarounds on the guests to compensate for the bug, in which case applying this fix may require them to reconfigure their guests to remove those workarounds.
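To make the difference between the two POSTROUTING rules concrete, here is an added example (not part of the bug report or of libvirt) that models how netfilter evaluates the source/destination match for each rule and what source address the receiving side then observes, as in the tcpdump check described under [Reproduction]. The bridge address 192.168.122.1, the external address 203.0.113.7 and the guest addresses are constructed sample values; the routing decision (guest subnet via virbr0, everything else via the external interface) is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing for the example (assumptions, not from the page).
GUEST_NET = ipaddress.ip_network("192.168.122.0/24")   # libvirt default network
VIRBR0_ADDR = ipaddress.ip_address("192.168.122.1")     # host address on virbr0
EXTERNAL_ADDR = ipaddress.ip_address("203.0.113.7")     # host address on its uplink


@dataclass(frozen=True)
class NatRule:
    """A POSTROUTING MASQUERADE rule with an optional (possibly negated) -d match."""
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src not in self.src:
            return False
        if self.dst is None:          # no -d match: any destination hits the rule
            return True
        in_dst = dst in self.dst
        return (not in_dst) if self.dst_negated else in_dst


# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
OLD_RULE = NatRule(src=GUEST_NET)
# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE
NEW_RULE = NatRule(src=GUEST_NET, dst=GUEST_NET, dst_negated=True)


def egress_address(dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """MASQUERADE rewrites the source to the address of the outgoing interface.
    Simplified routing: guest subnet goes out virbr0, everything else out the uplink."""
    return VIRBR0_ADDR if dst in GUEST_NET else EXTERNAL_ADDR


def observed_source(rule: NatRule, src: str, dst: str) -> str:
    """Source address the destination sees after POSTROUTING under the given rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return str(egress_address(d)) if rule.matches(s, d) else str(s)


def main() -> None:
    flows = [
        ("192.168.122.10", "192.168.122.11"),  # guest -> guest (the bug case)
        ("192.168.122.10", "198.51.100.20"),   # guest -> outside world
    ]
    for name, rule in (("old rule", OLD_RULE), ("fixed rule", NEW_RULE)):
        for src, dst in flows:
            print(f"{name:10} {src} -> {dst}: seen as {observed_source(rule, src, dst)}")


if __name__ == "__main__":
    main()
```

With the old rule the second guest sees pings arriving from 192.168.122.1 (the virbr0 address), which is exactly what a cluster node would reject; with the fixed rule it sees the first guest's own address, while traffic leaving the host is still masqueraded in both cases.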
Related branches
Changed in libvirt:
importance: Undecided → High
status: Confirmed → Triaged
importance: Undecided → High
status: New → Triaged
description: updated
tags: added: verification-donee removed: verification-needed
tags: added: verification-done removed: verification-donee
This is already fixed in upstream (in the manner the reporter suggests); see commit d175caad25a4e80800d5e7e7d8c9d920a88b78e1 from git://git.et.redhat.com/libvirt.git, attached.
I've applied that patch to libvirt0 0.4.0-2ubuntu8. It applies cleanly except for a reject on the changelog, and it does fix the problem.
(I ran across this trying to set up a virtual gfs2 cluster for testing; it failed because cluster nodes rejected traffic that (due to the unnecessary masquerading) appeared to come from the host instead of the other (guest) cluster nodes.)