[libvirt] [PATCH v3 0/4] don't masquerade local broadcast/multicast packets

Laszlo Ersek lersek at redhat.com
Tue Sep 24 00:03:21 UTC 2013


Masquerading local broadcast breaks DHCP replies for some clients.
There has been a report about broken local multicast too.
(See references in the patches.)

Regarding multicast, right now the series disables masquerading for the
most restrictive local multicast range only.

v2->v3 changes:
- Rename iptables(Add|Remove)ForwardDontMasquerade to
  iptables(Add|Remove)DontMasquerade [Laine].
- Pass (address, prefix) pairs as both source and destination parameters
  to these functions.
- Introduce virPfxSocketAddr structure for simpler handling of said
  (address, prefix) pairs.
- Also prevent masquerading of directed broadcast [Laine].
- Start to get serious about pointers-to-const.

Testing:
- "make check" and "make syntax-check" pass,
- thanks to the great docs on libvirt.org (compiling & deployment) I
  even managed to test this on my RHEL-6 laptop, with repeated net-start
  / net-destroy commands.

  Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
      pkts      bytes target     prot opt in     out     source               destination
         0        0 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
         0        0 RETURN     all  --  *      *       192.168.122.0/24     192.168.122.255
         0        0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
         0        0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
         0        0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
         0        0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
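
The following is an added example, not part of this series or of libvirt: a small Python model of the nat POSTROUTING chain printed above, so the effect of the three RETURN rules can be checked without root or a bridge. It assumes the subnet 192.168.122.0/24 from the listing, derives the directed broadcast address from the (address, prefix) pair the same way virSocketAddrBroadcastByPrefix() is assumed to, and walks the rules in order with first-match semantics. It also covers the multicast caveat in the cover letter: only 224.0.0.0/24 is short-circuited, so other multicast groups are still masqueraded.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the nat POSTROUTING chain from the cover letter.
# Not libvirt code; it reproduces the rule ordering so that the outcome for
# a local broadcast or multicast packet can be evaluated offline.

LOCAL_MULTICAST = ipaddress.ip_network("224.0.0.0/24")   # the only range the series exempts
LIMITED_BROADCAST = "255.255.255.255"


@dataclass
class Rule:
    target: str                   # "RETURN" or "MASQUERADE"
    proto: str                    # "all", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negated: bool = False     # models the "!192.168.122.0/24" destination


def directed_broadcast(subnet: str) -> str:
    """Directed broadcast address of an (address, prefix) pair, e.g.
    192.168.122.0/24 -> 192.168.122.255 (assumed to match
    virSocketAddrBroadcastByPrefix())."""
    return str(ipaddress.ip_network(subnet).broadcast_address)


def build_postrouting(subnet: str, with_dont_masquerade: bool) -> list:
    """Return the chain as libvirt would program it, with or without the
    RETURN rules this series inserts ahead of MASQUERADE."""
    net = ipaddress.ip_network(subnet)
    rules = []
    if with_dont_masquerade:
        for dst in (LOCAL_MULTICAST,
                    ipaddress.ip_network(directed_broadcast(subnet)),
                    ipaddress.ip_network(LIMITED_BROADCAST)):
            rules.append(Rule("RETURN", "all", net, dst))
    # Pre-existing rules: local subnet -> anything outside the subnet.
    for proto in ("tcp", "udp", "all"):
        rules.append(Rule("MASQUERADE", proto, net, net, dst_negated=True))
    return rules


def evaluate(rules: list, src: str, dst: str, proto: str) -> str:
    """Walk the chain in order; the first matching rule decides.
    Falling off the end hits the chain policy (ACCEPT, packet unmodified)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("all", proto):
            continue
        if s not in r.src:
            continue
        dst_match = d in r.dst
        if r.dst_negated:
            dst_match = not dst_match
        if dst_match:
            return r.target
    return "ACCEPT"


def is_masqueraded(subnet: str, src: str, dst: str, proto: str = "udp",
                   with_dont_masquerade: bool = True) -> bool:
    """True if the packet's source address would be rewritten by MASQUERADE."""
    chain = build_postrouting(subnet, with_dont_masquerade)
    return evaluate(chain, src, dst, proto) == "MASQUERADE"


if __name__ == "__main__":
    # Constructed sample packets: a guest at 192.168.122.10 emitting a DHCP
    # broadcast reply, a link-local multicast, a non-local multicast and
    # ordinary outbound traffic.
    samples = [("255.255.255.255", "udp"), ("224.0.0.251", "udp"),
               ("239.1.1.1", "udp"), ("8.8.8.8", "tcp")]
    for dst, proto in samples:
        before = is_masqueraded("192.168.122.0/24", "192.168.122.10", dst, proto, False)
        after = is_masqueraded("192.168.122.0/24", "192.168.122.10", dst, proto, True)
        print(f"{dst:16} {proto:4} masqueraded before={before!s:5} after={after!s:5}")
```

Running the script shows the limited broadcast and 224.0.0.0/24 cases flipping from masqueraded to untouched once the RETURN rules are present, while 239.1.1.1 and ordinary unicast are still masqueraded, which is the "most restrictive local multicast range only" limitation the cover letter mentions.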

Laszlo Ersek (4):
  iptablesFormatNetwork(): constify target of "netaddr" parameter
  util/viriptables: add/remove rules that short-circuit masquerading
  virSocketAddrBroadcastByPrefix(): constify target of "addr" parameter
  bridge driver: don't masquerade local subnet broadcast/multicast
    packets

 src/util/viriptables.h            |  11 +++
 src/util/virsocketaddr.h          |   8 +-
 src/network/bridge_driver_linux.c | 151 +++++++++++++++++++++++++++++++++++++-
 src/util/viriptables.c            |  84 ++++++++++++++++++++-
 src/util/virsocketaddr.c          |   8 +-
 src/libvirt_private.syms          |   2 +
 6 files changed, 251 insertions(+), 13 deletions(-)

-- 
1.8.3.1
