[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
This bug was fixed in the package libvirt - 0.4.0-2ubuntu8.2 --- libvirt (0.4.0-2ubuntu8.2) hardy-proposed; urgency=low * masquerade-only-outbound-traffic.patch: - Ensure masquerading rule only catches traffic leaving the virtual network, and not traffic inside it. (Backported from commit d175caad25a4e80800d5e7e7d8c9d920a88b78e1 of git://git.et.redhat.com/libvirt.git.) (LP: #227837). -- bfie...@fieldses.org (J. Bruce Fields) Sun, 05 Oct 2008 15:13:50 -0400 ** Changed in: libvirt (Ubuntu Hardy) Status: Fix Committed => Fix Released -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
** Tags added: verification-donee ** Tags removed: verification-needed ** Tags added: verification-done ** Tags removed: verification-donee -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
Tested this on a fresh hardy server. I can confirm that the fix works. Created two kqemu-accelerated instances in libvirt. Without the version from proposed packages between the two instances are routed through the host; with the version from proposed, they are now send directly. Tested pinging both the host and external sites from the instances, and can confirm that this also still works as expected. -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
Anyone who can test the proposed package? -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/libvirt/hardy- proposed -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
Accepted libvirt into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance! ** Tags added: verification-needed -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
Ah, so that was the corresponding bug to the package which I just rejected. Please reupload with a bug ref in the changelog (LP: #227837). -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
** Description changed: The default masquerade rule appears to be: iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE but this causes all internally routed guest to guest traffic to be masqueraded too (breaking such things as redhat cluster dlm connections in my case). replacing the rule with the following seems to be a good solution: iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE [Impact] Causes inappropriate masquerading of internally routed traffic, which makes it difficult to test virtual clusters (among other things) [How Addressed in Development] This patch is a cherrypick from upstream's git tree. This fix is already in the version carried in Jaunty today. [Patch] Attached is a minimal patch fixing the issue, taken from git upstream. [Reproduction] - + Set up two kvm machines. Ping the first from the second, and run tcpdump on the second; in the tcpdump output, you *should* see that the pings come from the ip address of the first kvm machine, but instead (with the bug) you'll see they come from the ip address associated with virbr0, the bridge device on the host. [Regression Potential] - + It is hard to imagine a situation where it would desirable that all traffic from other machines on the internal bridged network appear to come from the single ip address of the host. That said, users with a pre-existing network of guests may have developed workarounds on the guests to compensate for the bug, in which case applying this fix may require them to reconfigure their guests to remove those workarounds. -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
Oh also, once you've finished updating the description, please subscribe "ubuntu-sru" to this bug, via the "Subscribe someone else" link at the top right. That will move the bug into the reviewer queue for getting it into hardy. ** Changed in: libvirt (Ubuntu) Status: Triaged => Fix Released ** Changed in: libvirt (Ubuntu Hardy) Status: Triaged => Fix Committed -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 227837] Re: [Hardy] overzealous masquerading affects vm to vm traffic
Heya Bruce, Thanks for packaging the patch as a debdiff, that helps. I see this is already fixed in Jaunty, so I'll close the development task for that. Because Hardy is already released, the process for getting changes into it involves a bit more paperwork, and requires structuring the debdiffs slightly differently. They are targeted to 'hardy-proposed' instead of 'hardy', and the version numbering increments by .1's. I fixed up your debdiff accordingly and include it for your review. I've also gone ahead and uploaded the fix to hardy-proposed so it'll be available for testing. The 'paperwork' is described at https://wiki.ubuntu.com/StableReleaseUpdates - basically the process is to help ensure changes that go out to everyone are 100% regression free and fix issues that really do need fixed. I'll fill out the bits I know, could you please fill in the remaining blanks? That part is necessary (along with testing) in order to get the fix approved to move from hardy-proposed to hardy. ** Attachment added: "libvirt_0.4.0-2ubuntu8.2.debdiff" http://launchpadlibrarian.net/23692402/libvirt_0.4.0-2ubuntu8.2.debdiff ** Description changed: The default masquerade rule appears to be: iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE but this causes all internally routed guest to guest traffic to be masqueraded too (breaking such things as redhat cluster dlm connections in my case). replacing the rule with the following seems to be a good solution: iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE + + [Impact] + Causes inappropriate masquerading of internally routed traffic, which makes it difficult to test virtual clusters (among other things) + + [How Addressed in Development] + This patch is a cherrypick from upstream's git tree. This fix is already in the version carried in Jaunty today. + + [Patch] + Attached is a minimal patch fixing the issue, taken from git upstream. + + [Reproduction] + + + [Regression Potential] + -- [Hardy] overzealous masquerading affects vm to vm traffic https://bugs.launchpad.net/bugs/227837 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs