[libvirt] UDP broadcasts vs. nat Masquerading issue

Nikolai Zhubr n-a-zhubr at yandex.ru
Wed Jul 3 18:07:10 UTC 2019


Hi all,

I'm observing an issue where, as soon as libvirt starts, UDP broadcasts 
flowing through the physical network (and intended for other services, 
unrelated to any virtualization) get broken. Specifically, Windows 
neighbourhood browsing through Samba's nmbd starts suffering badly 
(Samba is running on this same box).

At the moment I'm running a quite outdated version 1.2.9 of libvirt, but 
because, other than this issue, it does its job pretty well, I'd first 
consider some patching/backporting rather than totally replacing it with 
a new one. Anyway, I first need to better understand what is going on 
and what is wrong with it.
This could also be somewhat related to
https://www.redhat.com/archives/libvir-list/2013-September/msg01311.html
but I suppose it is not exactly that thing, and besides, my version does 
already include a fix for the broadcasts issue mentioned in msg01311.

I've already figured out that the source of the trouble is related to 
these rules that get added:

-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o virbr2_nic -j MASQUERADE
-A POSTROUTING -o vnet0 -j MASQUERADE

Here, virbr2_nic and vnet0 are used by libvirt for arranging NAT-mode 
network configurations for VMs, unrelated to normal network stuff, so it 
looks ok. However, br0 (with enp0s25 in it) is the main interface of this 
host with the primary IP address. And enp0s25 is the physical NIC of this 
host, and it is used for all sorts of regular (unrelated to 
virtualization) communications as well. Also, br0 is used for attaching 
some bridge-mode (as opposed to NAT-mode) VMs managed by libvirt, but 
bridge mode is not supposed to employ address translation anyway.

So, clearly, libvirt somehow chooses to set up masquerading for 
literally all existing network interfaces here (except lo), but I can't 
see a reason for the first two rules in the list above. Furthermore, 
they corrupt UDP broadcasts coming from outside and reaching this host 
(through enp0s25/br0) such that the source address gets replaced by this 
host's primary address (as per masquerading). I've verified this by 
arranging a hand-crafted UDP listener and printing the respective source 
addresses as seen by normal userspace. Obviously the Samba server cannot 
work correctly under such conditions.

Now I've discovered that I can "eliminate" the problem by, e.g.:

1. Removing "-A POSTROUTING -o br0 -j MASQUERADE" (manual brute force)
2. Inserting "-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.255/32 -j ACCEPT"

(Of course correcting rules by hand is not a solution, just a test)

So the question is, how should the correct rules ideally look? And is 
this issue known/fixed in the most current libvirt?


Thank you,

Regards,
Nikolai
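The kind of check described above, written out as an added example that is not part of the post and not libvirt code: it reads `iptables -t nat -S POSTROUTING` style rules (the sample is the four rules quoted in the message), flags MASQUERADE rules that have no `-s` scope or that hang off a non-libvirt interface, and prints a source-scoped replacement. The interface-name prefixes and the NAT subnet 192.168.122.0/24 are assumptions for illustration.

```python
# Assumption: libvirt-created interfaces carry these name prefixes.
LIBVIRT_IFACE_PREFIXES = ("virbr", "vnet")

# Constructed sample: the four rules quoted in the post, as printed by
# `iptables -t nat -S POSTROUTING`.
SAMPLE_RULES = """\
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o virbr2_nic -j MASQUERADE
-A POSTROUTING -o vnet0 -j MASQUERADE
"""


def parse_rule(line):
    """Pick out the -o / -s / -d / -j arguments of one '-A POSTROUTING ...' line."""
    rule = {"out": None, "src": None, "dst": None, "target": None}
    keys = {"-o": "out", "-s": "src", "-d": "dst", "-j": "target"}
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in keys:
            rule[keys[tok]] = tokens[i + 1]
    return rule


def audit_masquerade(rules_text):
    """Flag MASQUERADE rules that rewrite everything leaving an interface.

    'unscoped' means there is no -s match, so forwarded broadcasts get their
    source rewritten too; 'non_libvirt_iface' means -o is not a NAT device.
    """
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if not line.startswith("-A POSTROUTING") or rule["target"] != "MASQUERADE":
            continue
        unscoped = rule["src"] is None
        foreign = bool(rule["out"]) and not rule["out"].startswith(LIBVIRT_IFACE_PREFIXES)
        if unscoped or foreign:
            findings.append({"out": rule["out"], "unscoped": unscoped,
                             "non_libvirt_iface": foreign, "rule": line})
    return findings


def scoped_rules(nat_subnet):
    """Suggested replacement: masquerade only traffic originating in the NAT
    network, and exempt broadcasts first (nat_subnet is an assumed value)."""
    return [
        f"-A POSTROUTING -s {nat_subnet} -d 255.255.255.255/32 -j RETURN",
        f"-A POSTROUTING -s {nat_subnet} ! -d {nat_subnet} -j MASQUERADE",
    ]


if __name__ == "__main__":
    for finding in audit_masquerade(SAMPLE_RULES):
        print(finding)
    print("\n".join(scoped_rules("192.168.122.0/24")))
```

On a live host, feed the script the real output of `iptables -t nat -S POSTROUTING` instead of SAMPLE_RULES; any rule reported with `non_libvirt_iface` is a candidate for the source-address rewriting described in the message.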
