** Description changed:

  The default masquerade rule appears to be:
  
  iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
  
  but this causes all internally routed guest-to-guest traffic to be
  masqueraded too (breaking such things as Red Hat cluster DLM connections
  in my case).
  
  replacing the rule with the following seems to be a good solution:
  
  iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE
  
  [Impact]
  Causes inappropriate masquerading of internally routed traffic, which makes it difficult to test virtual clusters (among other things).
  
  [How Addressed in Development]
  This patch is a cherry-pick from upstream's git tree.  This fix is already in the version carried in Jaunty today.
  
  [Patch]
  Attached is a minimal patch fixing the issue, taken from git upstream.
  
  [Reproduction]
- <steps to reproduce>
+ Set up two KVM machines.  Ping the first from the second, and run tcpdump on the second; in the tcpdump output, you *should* see that the pings come from the IP address of the first KVM machine, but instead (with the bug) you'll see they come from the IP address associated with virbr0, the bridge device on the host.
  
  [Regression Potential]
- <discuss how users could be inadvertently affected>
+ It is hard to imagine a situation where it would be desirable that all traffic from other machines on the internal bridged network appear to come from the single IP address of the host.  That said, users with a pre-existing network of guests may have developed workarounds on the guests to compensate for the bug, in which case applying this fix may require them to reconfigure their guests to remove those workarounds.

-- 
[Hardy] overzealous masquerading affects vm to vm traffic
https://bugs.launchpad.net/bugs/227837
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
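The following is an added example, not code from the bug report or from libvirt: a small model of how the two POSTROUTING rules quoted in the report treat packets leaving the host, so that the reproduction step (what tcpdump on the second guest sees as the source) can be checked without two VMs. It parses the rules in iptables syntax, accepting both the older intrapositioned negation used in the report (`-d ! net`) and the extrapositioned form (`! -d net`), and follows the report's observation that masqueraded guest-to-guest traffic appears to come from the virbr0 address. The network and bridge address are the libvirt defaults named in the report; the guest addresses and the host's public address (203.0.113.5) are constructed for the example.

```python
"""Model of the buggy and fixed MASQUERADE rules from the bug report.

Added example, not code from the report or from libvirt.  It evaluates
iptables-style MASQUERADE rules against constructed packets to show why
the unqualified rule rewrites guest-to-guest traffic as well as traffic
leaving the host.
"""
import ipaddress
import shlex

GUEST_NET = ipaddress.ip_network("192.168.122.0/24")     # libvirt default NAT network
VIRBR0_ADDR = ipaddress.ip_address("192.168.122.1")       # host side of the bridge
HOST_PUBLIC_ADDR = ipaddress.ip_address("203.0.113.5")    # constructed, documentation range

# The two rules from the report, plus the fixed rule in extrapositioned-negation syntax.
BUGGY_RULE = "iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE"
FIXED_RULE = ("iptables -t nat -A POSTROUTING -s 192.168.122.0/24 "
              "-d ! 192.168.122.0/24 -j MASQUERADE")
FIXED_RULE_MODERN = ("iptables -t nat -A POSTROUTING -s 192.168.122.0/24 "
                     "! -d 192.168.122.0/24 -j MASQUERADE")


def parse_rule(rule):
    """Extract -s/-d match criteria (with negation) and the -j target.

    Tokens that do not matter for the match (-t nat, -A POSTROUTING, ...) are skipped.
    """
    tokens = shlex.split(rule)
    match = {"src": None, "src_neg": False, "dst": None, "dst_neg": False, "target": None}
    pending_neg = False  # set by a '!' that precedes the option (extrapositioned)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            pending_neg = True
        elif tok in ("-s", "--source", "-d", "--destination"):
            key = "src" if tok in ("-s", "--source") else "dst"
            i += 1
            if tokens[i] == "!":  # intrapositioned negation, as in the report
                pending_neg = True
                i += 1
            match[key] = ipaddress.ip_network(tokens[i], strict=False)
            match[key + "_neg"] = pending_neg
            pending_neg = False
        elif tok == "-j":
            i += 1
            match["target"] = tokens[i]
        i += 1
    if match["target"] != "MASQUERADE":
        raise ValueError("only MASQUERADE rules are modelled")
    return match


def rule_matches(match, src, dst):
    """True if the packet src->dst satisfies every (possibly negated) address criterion."""
    for key, addr in (("src", src), ("dst", dst)):
        net = match[key]
        if net is None:
            continue
        in_net = addr in net
        if in_net == match[key + "_neg"]:  # inside a negated net, or outside a plain one
            return False
    return True


def egress_address(dst):
    """Address of the interface the host sends toward dst; MASQUERADE rewrites to it."""
    return VIRBR0_ADDR if dst in GUEST_NET else HOST_PUBLIC_ADDR


def source_seen_by_receiver(rule, src, dst):
    """Source address the receiver of src->dst observes once `rule` is in POSTROUTING."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if rule_matches(parse_rule(rule), src, dst):
        return str(egress_address(dst))
    return str(src)


def reproduce(rule, first="192.168.122.10", second="192.168.122.11"):
    """The report's test: ping `second` from `first`, tcpdump on `second`.

    Returns (source seen on `second`, whether it is the real address of `first`).
    """
    seen = source_seen_by_receiver(rule, first, second)
    return seen, seen == first


if __name__ == "__main__":
    for name, rule in (("buggy", BUGGY_RULE), ("fixed", FIXED_RULE)):
        seen, ok = reproduce(rule)
        print(f"{name}: guest->guest source seen as {seen} ({'ok' if ok else 'masqueraded'})")
        print(f"{name}: guest->internet source seen as "
              f"{source_seen_by_receiver(rule, '192.168.122.10', '198.51.100.7')}")
```

With the unqualified rule, guest-to-guest packets are rewritten to the virbr0 address, which is exactly what the report's tcpdump step shows; with either spelling of the fixed rule only traffic leaving the guest network is masqueraded, and guest-to-guest traffic keeps its real source. On a real host the same check is `iptables -t nat -L POSTROUTING -v -n` plus the tcpdump described above.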