git.ipfire.org Git - thirdparty/libvirt.git/commit

author	Laszlo Ersek <lersek@redhat.com>
	Wed, 25 Sep 2013 10:45:26 +0000 (12:45 +0200)
committer	Laine Stump <laine@laine.org>
	Wed, 25 Sep 2013 12:31:50 +0000 (08:31 -0400)
commit	51e184e9821c3740ac9b52055860d683f27b0ab6
tree	3084e42d7d82a15694c63c5b41bf4d15a14d69f7	tree
parent	ccca5dc3a2f2b4da60e19674a3c5b7b304e36619	commit \| diff

bridge driver: don't masquerade local subnet broadcast/multicast packets

Packets sent by guests on virbrN, *or* by dnsmasq on the same, to
- 255.255.255.255/32 (netmask-independent local network broadcast
address), or to
- 224.0.0.0/24 (local subnetwork multicast range)
are never forwarded, hence it is not necessary to masquerade them.

In fact we must not masquerade them: translating their source addresses or
source ports (where applicable) may confuse receivers on virbrN.

One example is the DHCP client in OVMF (= UEFI firmware for virtual
machines):

http://thread.gmane.org/gmane.comp.bios.tianocore.devel/1506/focus=2640

It expects DHCP replies to arrive from remote source port 67. Even though
dnsmasq conforms to that, the destination address (255.255.255.255) and
the source address (eg. 192.168.122.1) in the reply allow the UDP
masquerading rule to match, which rewrites the source port to or above
1024. This prevents the DHCP client in OVMF from accepting the packet.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=709418

Signed-off-by: Laszlo Ersek <lersek@redhat.com>