[Libvir] iptables masquerade rule overexpansive
On my system, libvirt-0.4.0-2ubuntu6 added the following rule to allow
my virtual hosts NATted access to the outside world:
Chain POSTROUTING (policy ACCEPT 33904 packets, 2146K bytes)
pkts bytes target prot opt in out source destination
779 102K MASQUERADE all -- * * 192.168.65.0/24 0.0.0.0/0
This resulted in *all* traffic being masqueraded, even between two
different VMs -- preventing hostbased authentication between these VMs.
To temporarily resolve this, I added an additional rule, as follows:
Chain POSTROUTING (policy ACCEPT 34049 packets, 2160K bytes)
pkts bytes target prot opt in out source destination
156 9752 ACCEPT all -- * * 192.168.65.0/24 192.168.65.0/24
865 109K MASQUERADE all -- * * 192.168.65.0/24 0.0.0.0/0
The network definition being used was as follows:
<network>
<name>default</name>
<uuid>a7c5b18c-9d38-40ed-9b12-8b1a27013b85</uuid>
<bridge name="virbr%d" />
<forward/>
<ip address="192.168.65.253" netmask="255.255.255.0"/>
</network>
I'm frankly unclear on why the packets attempted to forward through .253
in any event -- the routing tables on both VMs refer to 192.168.65.0/24
as part of the local network, so my expectation is that no attempt to
route through the default gateway should have occurred.
In any event, having libvirt extend the MASQUERADE rule to avoid
impacting traffic between hosts on the virtual network -- or adding a
paired ACCEPT, as I did above -- would probably be a Good Thing.