
[libvirt-users] UDP broadcasts vs. nat Masquerading issue



Hi all,

I'm observing an issue that as soon as libvirt starts, UDP broadcasts going through the physical network (and unrelated to any virtualization) get broken. Specifically, Windows neighbourhood browsing through Samba's nmbd starts suffering badly (Samba is running on this same box).

At the moment I'm running a quite outdated version 1.2.9 of libvirt, but other than this issue, it does its job pretty well, so I'd first consider some patching/backporting rather than totally replacing it with a new one. Anyway, I first need to better understand what is going on and what is wrong with it.
This could also be related somewhat to
https://www.redhat.com/archives/libvir-list/2013-September/msg01311.html
but I suppose it is not exactly that thing.

I've already figured the source of trouble is anyway related to these rules added:

-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o virbr2_nic -j MASQUERADE
-A POSTROUTING -o vnet0 -j MASQUERADE

Here, virbr2_nic and vnet0 are used by libvirt for arranging network configurations for VMs, ok. However, br0 is a main interface of this host with primary ip address, with enp0s25 being a physical nic of this host, and it is used for all sorts of regular (unrelated to virtualization) communications. Also, br0 is used for attaching bridged (as opposed to NATed) VMs managed by libvirt.

Clearly, libvirt somehow chooses to set up masquerading for literally all existing network interfaces here (except lo), but I can't see a real reason for the first two rules in the list above. Furthermore, they corrupt UDP broadcasts coming from outside and reaching this host (through enp0s25/br0) such that the source address gets replaced by this host's primary address (as per masquerading). I've verified this by arranging a hand-crafted UDP listener and printing the respective source addresses as seen by normal userspace.

Now I've discovered that I can "eliminate" the problem by either:

1. Removing "-A POSTROUTING -o br0 -j MASQUERADE" (manually)
2. Inserting "-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.255/32 -j ACCEPT"
(Of course correcting rules by hand is not a solution, just a test)

So the question is, how should the correct rules ideally look? And is this issue known/fixed in the most current libvirt?

Thank you,

Regards,
Nikolai
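Added example (not part of the post above, and not libvirt's own code): a small audit script that parses the nat POSTROUTING rules quoted in the message, flags MASQUERADE rules that carry no `-s` restriction, and walks the chain first-match style to show which packets would be rewritten under the original rules, under the poster's ACCEPT workaround, and under a rule set scoped to a guest subnet. The host interfaces br0/enp0s25 and the 192.168.0.0/24 LAN come from the post; the guest subnet 192.168.122.0/24 and the "scoped" rule set are constructed assumptions for illustration, not what any libvirt version generates.

```python
"""Audit iptables-save nat POSTROUTING rules and simulate which packets get
masqueraded. Added illustration for the libvirt-users thread; rule sets other
than the first one are constructed for the example."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the POSTROUTING rules quoted in the post, in iptables-save form.
ORIGINAL_RULES = """\
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o virbr2_nic -j MASQUERADE
-A POSTROUTING -o vnet0 -j MASQUERADE
"""

# Sample input: the poster's workaround #2, an ACCEPT for LAN broadcasts placed
# in front of the masquerade rules.
WORKAROUND_RULES = (
    "-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.255/32 -j ACCEPT\n"
    + ORIGINAL_RULES
)

# Constructed example (assumption, not libvirt's rule set): NAT restricted to a
# hypothetical guest subnet 192.168.122.0/24, with the limited broadcast exempted.
SCOPED_RULES = """\
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
"""

HOST_IFACES = {"br0", "enp0s25"}  # interfaces carrying the host's own LAN traffic


@dataclass
class NatRule:
    raw: str
    target: str = ""
    out_iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False


def parse_postrouting(text: str) -> List[NatRule]:
    """Parse `-A POSTROUTING ...` lines; only -o, -s, -d (with optional !) and -j
    are interpreted, other tokens are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "POSTROUTING"]:
            continue
        rule = NatRule(raw=line.strip())
        negate, i = False, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            if tok == "-o":
                rule.out_iface = tokens[i + 1]
            elif tok == "-s":
                rule.src = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok == "-d":
                rule.dst = ipaddress.ip_network(tokens[i + 1], strict=False)
                rule.dst_negated = negate
            elif tok == "-j":
                rule.target = tokens[i + 1]
            else:
                negate, i = False, i + 1
                continue
            negate, i = False, i + 2
        rules.append(rule)
    return rules


def unscoped_masquerade_rules(rules: List[NatRule], host_ifaces) -> List[Tuple[str, bool]]:
    """MASQUERADE rules with no -s restriction, tagged True when they sit on a
    host interface: those rewrite every packet leaving it, LAN broadcasts included."""
    return [(r.raw, r.out_iface in host_ifaces)
            for r in rules if r.target == "MASQUERADE" and r.src is None]


def masqueraded(rules: List[NatRule], src_ip: str, dst_ip: str, out_iface: str) -> bool:
    """First-match walk of the chain: True if the packet reaches MASQUERADE, False
    if ACCEPT/RETURN ends the walk first or nothing matches (policy ACCEPT)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.out_iface is not None and r.out_iface != out_iface:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and (dst in r.dst) == r.dst_negated:
            continue
        if r.target == "MASQUERADE":
            return True
        if r.target in ("ACCEPT", "RETURN"):
            return False
    return False


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("workaround", WORKAROUND_RULES),
                       ("scoped", SCOPED_RULES)):
        rules = parse_postrouting(text)
        print(name, "unscoped:", unscoped_masquerade_rules(rules, HOST_IFACES))
        print(name, "LAN broadcast via br0 rewritten:",
              masqueraded(rules, "192.168.0.50", "192.168.0.255", "br0"))
```

Running it shows the original rules rewriting a 192.168.0.50 -> 192.168.0.255 broadcast leaving br0, the ACCEPT workaround exempting only that broadcast while unicast traffic through br0 is still masqueraded, and the subnet-scoped set leaving anything not sourced from the guest subnet untouched.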

