[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] BZ 657918 Default iptables setup in libvirt breaks mDNS



Hi,

Per the request on https://bugzilla.redhat.com/show_bug.cgi?id=657918
please find attached a patch that should address the issue.

I'm not subscribed to this list though (I know, it's pretty rude, but
my e-mail traffic is already too heavy to add another list to it), so
if you could either CC me on any follow-up or just move followups to
the BZ ticket where the patch also appears, that would be great.

Cheers,
b.

--- src/network/bridge_driver.c.orig	2012-10-27 16:56:23.000000000 -0400
+++ src/network/bridge_driver.c	2012-12-11 15:49:13.937133883 -0500
@@ -1301,9 +1301,10 @@
      *
      * We need to end up with 3 rules in the table in this order
      *
-     *  1. protocol=tcp with sport mapping restriction
-     *  2. protocol=udp with sport mapping restriction
-     *  3. generic any protocol
+     *  1. multicast is exempted
+     *  2. protocol=tcp with sport mapping restriction
+     *  3. protocol=udp with sport mapping restriction
+     *  4. generic any protocol
      *
      * The sport mappings are required, because default IPtables
      * MASQUERADE maintain port numbers unchanged where possible.
@@ -1361,8 +1362,21 @@
         goto masqerr5;
     }
 
+    /* exempt multicast traffic */
+    if (iptablesAddForwardMasqueradeExempt(driver->iptables) < 0) {
+        virReportError(VIR_ERR_SYSTEM_ERROR,
+                           _("failed to add iptables rule to exempt multicast traffic from masquerading"));
+        goto masqerr6;
+    }
+
     return 0;
 
+ masqerr6:
+    iptablesRemoveForwardMasquerade(driver->iptables,
+                                    &ipdef->address,
+                                    prefix,
+                                    forwardIf,
+                                    "tcp");
  masqerr5:
     iptablesRemoveForwardMasquerade(driver->iptables,
                                     &ipdef->address,
--- src/util/iptables.c.orig	2012-10-27 16:56:23.000000000 -0400
+++ src/util/iptables.c	2012-12-11 15:53:28.715044866 -0500
@@ -858,6 +858,26 @@
 }
 
 /**
+ * iptablesAddForwardMasqueradeExempt:
+ * @ctx: pointer to the IP table context
+ *
+ * Add rules to the IP table context to exempt masquerading
+ * for multicast networks
+ *
+ * Returns 0 in case of success or an error code otherwise
+ */
+int
+iptablesAddForwardMasqueradeExempt(iptablesContext *ctx)
+{
+    return iptablesAddRemoveRule(ctx->nat_postrouting,
+                                 AF_INET,
+                                 ADD,
+                                 "--destination", "224.0.0.0/4",
+                                 "--jump", "RETURN",
+                                 NULL);
+}
+
+/**
  * iptablesAddForwardMasquerade:
  * @ctx: pointer to the IP table context
  * @network: the source network name
--- src/util/iptables.h.orig	2012-10-27 16:56:23.000000000 -0400
+++ src/util/iptables.h	2012-12-11 15:57:03.284144679 -0500
@@ -101,6 +101,7 @@
                                                   int family,
                                                   const char *iface);
 
+int              iptablesAddForwardMasqueradeExempt (iptablesContext *ctx);
 int              iptablesAddForwardMasquerade    (iptablesContext *ctx,
                                                   virSocketAddr *netaddr,
                                                   unsigned int prefix,
--- src/libvirt_private.syms.orig	2012-12-11 15:46:11.141932324 -0500
+++ src/libvirt_private.syms	2012-12-11 15:58:11.715865516 -0500
@@ -681,6 +681,7 @@
 iptablesAddForwardAllowOut;
 iptablesAddForwardAllowRelatedIn;
 iptablesAddForwardMasquerade;
+iptablesAddForwardMasqueradeExempt;
 iptablesAddForwardRejectIn;
 iptablesAddForwardRejectOut;
 iptablesAddOutputFixUdpChecksum;

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]