[libvirt-users] UDP broadcasts vs. nat Masquerading issue

Nikolai Zhubr n-a-zhubr at yandex.ru
Fri Jun 28 14:23:49 UTC 2019 

Hi all,

I'm observing an issue that as soon as libvirt starts, UPD broadcasts 
going through physical network (and unrelated to any virtualization) get 
broken. Specifically, windows neighbourhood browsing through samba's 
nmbd starts suffering badly (Samba is running on this same box).

At the moment I'm running a quite outdated version 1.2.9 of libvirt, but 
other than this issue, it does its job pretty well, so I'd first 
consider some patching/backporting rather than totally replacing it with 
a new one. Anyway, I first need to better understand what is going on 
and what is wrong with it.
This could also be related somewhat to
https://www.redhat.com/archives/libvir-list/2013-September/msg01311.html
but I suppose it is not exactly that thing.

I've already figured the source of trouble is anyway related to these 
rules added:

-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o enp0s25 -j MASQUERADE
-A POSTROUTING -o virbr2_nic -j MASQUERADE
-A POSTROUTING -o vnet0 -j MASQUERADE

Here, virbr2_nic and vnet0 are used by libvirt for arranging network 
configurations for VMs, ok. However, br0 is a main interface of this 
host with primary ip address, with enp0s25 being a physical nic of this 
host, and it is used for all sorts of regular (unrelated to 
virtualization) communications. Also, br0 is used for attaching bridged 
(as opposed to NATed) VMs managed by libvirt.

Clearly, libvirt somehow chooses to set up masquerading for literally 
all existing network interfaces here (except lo), but I can't see a real 
reason for the first two rules in the list above. Furthermore, they 
corrupt UDP broadcats coming from outside and reaching this host 
(through enp0s25/br0) such that source address gets replaced by this 
hosts primary address (as per masquerading). I've verified this by 
arranging a hand-crafted UDP listener and printing the respective source 
addresses as seen by normal userspace.

Now I've discovered that I can "eliminate" the problem by either:

1. Removing "-A POSTROUTING -o br0 -j MASQUERADE" (manually)
2. Inserting "-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.255/32 -j 
ACCEPT"
(Of course correcting rules by hand is not a solution, just a test)

So question is, how the correct rules should ideally look like? And, is 
this issue known/fixed in most current libvirt?

Thank you,

Regards,
Nikolai

More information about the libvirt-users mailing list