[libvirt] [PATCH] BZ 657918 Default iptables setup in libvirt breaks mDNS

Hi, Per the request on https://bugzilla.redhat.com/show_bug.cgi?id=657918 please find attached a patch that should address the issue. I'm not subscribed to this list though (I know, it's pretty rude, but my e-mail traffic is already too heavy to add another list to it), so if you could either CC me on any follow-up or just move followups to the BZ ticket where the patch also appears, that would be great. Cheers, b. --- src/network/bridge_driver.c.orig 2012-10-27 16:56:23.000000000 -0400 +++ src/network/bridge_driver.c 2012-12-11 15:49:13.937133883 -0500 @@ -1301,9 +1301,10 @@ * * We need to end up with 3 rules in the table in this order * - * 1. protocol=tcp with sport mapping restriction - * 2. protocol=udp with sport mapping restriction - * 3. generic any protocol + * 1. multicast is exempted + * 2. protocol=tcp with sport mapping restriction + * 3. protocol=udp with sport mapping restriction + * 4. generic any protocol * * The sport mappings are required, because default IPtables * MASQUERADE maintain port numbers unchanged where possible. @@ -1361,8 +1362,21 @@ goto masqerr5; } + /* exempt multicast traffic */ + if (iptablesAddForwardMasqueradeExempt(driver->iptables) < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("failed to add iptables rule to exempt multicast traffic from masquerading")); + goto masqerr6; + } + return 0; + masqerr6: + iptablesRemoveForwardMasquerade(driver->iptables, + &ipdef->address, + prefix, + forwardIf, + "tcp"); masqerr5: iptablesRemoveForwardMasquerade(driver->iptables, &ipdef->address, --- src/util/iptables.c.orig 2012-10-27 16:56:23.000000000 -0400 +++ src/util/iptables.c 2012-12-11 15:53:28.715044866 -0500 @@ -858,6 +858,26 @@ } /** + * iptablesAddForwardMasqueradeExempt: + * @ctx: pointer to the IP table context + * + * Add rules to the IP table context to exempt masquerading + * for multicast networks + * + * Returns 0 in case of success or an error code otherwise + */ +int +iptablesAddForwardMasqueradeExempt(iptablesContext *ctx) +{ + return iptablesAddRemoveRule(ctx->nat_postrouting, + AF_INET, + ADD, + "--destination", "224.0.0.0/4", + "--jump", "RETURN", + NULL); +} + +/** * iptablesAddForwardMasquerade: * @ctx: pointer to the IP table context * @network: the source network name --- src/util/iptables.h.orig 2012-10-27 16:56:23.000000000 -0400 +++ src/util/iptables.h 2012-12-11 15:57:03.284144679 -0500 @@ -101,6 +101,7 @@ int family, const char *iface); +int iptablesAddForwardMasqueradeExempt (iptablesContext *ctx); int iptablesAddForwardMasquerade (iptablesContext *ctx, virSocketAddr *netaddr, unsigned int prefix, --- src/libvirt_private.syms.orig 2012-12-11 15:46:11.141932324 -0500 +++ src/libvirt_private.syms 2012-12-11 15:58:11.715865516 -0500 @@ -681,6 +681,7 @@ iptablesAddForwardAllowOut; iptablesAddForwardAllowRelatedIn; iptablesAddForwardMasquerade; +iptablesAddForwardMasqueradeExempt; iptablesAddForwardRejectIn; iptablesAddForwardRejectOut; iptablesAddOutputFixUdpChecksum;