I'm not sure if everyone that needs to see this discussion are subscribed to RH bugzilla bug #709418 so I will repeat my comments from comment #12 on that bug here: On 13-05-27 10:34 PM, Laszlo Ersek wrote: > Packets sent by guests on virbrN, *or* by dnsmasq on the same, to > - 255.255.255.255/32 (netmask-independent local network broadcast > address), or to > - 22.214.171.124/24 (local subnetwork multicast range) Multicast is much wider than just 126.96.36.199/24. Per my patch in attachment 526549 [details], it's in fact 188.8.131.52/4. All multicast needs to be exempt from NAT. Quoting from Wikipedia article http://en.wikipedia.org/wiki/Multicast_address: IPv4 multicast addresses are defined by the leading address bits of 1110, originating from the classful network design of the early Internet when this group of addresses was designated as Class D. The Classless Inter-Domain Routing (CIDR) prefix of this group is 184.108.40.206/4. Indeed, Wikipedia is not authoritative, but it does provide a good starting point to finding authoritative information if you want. I suppose the authoritative doc is at http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xml or somesuch. It does not explicitly say 220.127.116.11/4 but it certainly implies it in discussing the entire space from 18.104.22.168 through 22.214.171.124. > diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c > index d5886fe..2b3b250 100644 > --- a/src/network/bridge_driver.c > +++ b/src/network/bridge_driver.c > @@ -1542,6 +1542,9 @@ networkRefreshDaemons(struct network_driver *driver) > } > } > > +static const char networkLocalMulticast = "126.96.36.199/24"; This should be /8, not /24. There are many multicast protocols that operate outside of that 188.8.131.52/24 network. In fact they all must. 184.108.40.206/24 is reserved and assignment must be made from IANA. Let me give you a scenario where your 220.127.116.11/24 fails to correct the problem: Imagine you have a cluster of VMs all with a network address of 192.168.122.[2-10]/24 and 192.168.122.1 is your VM "server". Now imagine those VMs are using a multicast address of 18.104.22.168 (just for argument's sake). Each node will be listening on 22.214.171.124 for other "members" of the group to build a list of members. But once the packet from (say) 192.168.122.2->126.96.36.199 goes through the "VM host"'s NAT it will look to the other group members to be from host 192.168.122.1, so they all add 192.168.122.1 to their member list. Then 192.168.122.3 sends it's packet to 188.8.131.52, it goes through NAT also and all of the group members notice they already have 192.168.122.1 in their group and just ignore it. That goes on for all of the [2-10] nodes and none of them get added to the group list. That's because NAT broke the protocol. Further, to your arguments in comment #13 in BZ #709418 about needing to map ports > 1023 for security: The source port mapping goal has some specific parameters to it. It's trying to avoid a VM from masquerading as it's host and leveraging it's host's permission in the network. But that's only a problem because the VM is masquerading as the host. When you exempt multicast from masquerading you no longer have the problem of the VM being mistaken for the host and therefore you don't need the "quasi-security" of not allowing the VM to use ports < 1024. Put another way, mapping the source port numbers is only a requirement because the VM is borrowing the identity of the host. Once you eliminate the identity borrowing you can eliminate the need for the safety guards that that lending is putting in place. Cheers, b.
Description: OpenPGP digital signature