[libvirt] [PATCH v4 0/2] don't masquerade local broadcast/multicast packets

Laszlo Ersek lersek at redhat.com
Wed Sep 25 10:45:24 UTC 2013


v2->v4 changes (v3 went in a different direction):
- Rename iptables(Add|Remove)ForwardDontMasquerade to
         iptables(Add|Remove)DontMasquerade [Laine].

Masquerading local broadcast breaks DHCP replies for some clients.
There has been a report about broken local multicast too.
(See references in the patches.)

Testing: 

  Chain POSTROUTING (policy ACCEPT 2 packets, 134 bytes)
      pkts      bytes target     prot opt in     out     source               destination         
         0        0 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
         0        0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
         0        0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535 
         0        0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535 
         0        0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    

+ make check, make syntax-check, virsh net-start / net-destroy.

Laszlo Ersek (2):
  util/viriptables: add/remove rules that short-circuit masquerading
  bridge driver: don't masquerade local subnet broadcast/multicast
    packets

 src/util/viriptables.h            |  8 ++++
 src/network/bridge_driver_linux.c | 70 +++++++++++++++++++++++++++++--
 src/util/viriptables.c            | 88 +++++++++++++++++++++++++++++++++++++++
 src/libvirt_private.syms          |  2 +
 4 files changed, 164 insertions(+), 4 deletions(-)

-- 
1.8.3.1
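As an added example (not part of this series or of libvirt's own code), a small Python check that parses the `iptables -t nat -L POSTROUTING -v -n` listing from the testing section above and simulates first-match evaluation of the chain, confirming that limited-broadcast (255.255.255.255) and link-local multicast (224.0.0.0/24) traffic from the NAT subnet hits a RETURN before any MASQUERADE rule. The guest and destination addresses it probes with are constructed; the chain text is the one shown in the cover letter.

```python
import ipaddress

# Sample input: the nat POSTROUTING chain from the testing output in the
# cover letter above (iptables -t nat -L POSTROUTING -v -n).
SAMPLE_CHAIN = """\
Chain POSTROUTING (policy ACCEPT 2 packets, 134 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
       0        0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
       0        0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
       0        0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
       0        0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
"""

def parse_chain(text):
    """Parse `iptables -L -v -n` output into rule dicts, skipping header lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: pkts bytes target prot opt in out source destination [extra]
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue
        rules.append({"target": parts[2], "prot": parts[3],
                      "src": parts[7], "dst": parts[8]})
    return rules

def _addr_matches(spec, addr):
    """Match an address against a source/destination spec; a leading "!" negates."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def first_target(rules, src, dst, proto="udp"):
    """Simulate first-match evaluation; RETURN and MASQUERADE both end the walk."""
    for rule in rules:
        if rule["prot"] not in ("all", proto):
            continue
        if _addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst):
            return rule["target"]
    return "ACCEPT"  # fell through to the chain policy

def masquerades(rules, src, dst, proto="udp"):
    """True if a src->dst packet would be source-NATed by this chain."""
    return first_target(rules, src, dst, proto) == "MASQUERADE"

if __name__ == "__main__":
    guest = "192.168.122.10"  # constructed guest address on the NAT subnet
    for dst in ("255.255.255.255", "224.0.0.1", "203.0.113.5"):
        print(dst, "->", first_target(parse_chain(SAMPLE_CHAIN), guest, dst))
```

Reordering the list so the MASQUERADE rules come first makes the broadcast probe return MASQUERADE again, which is the DHCP-breaking behaviour the series removes.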