Comment 37 for bug 447442
Revision history for this message
|
|
#37 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
With nwfilter we may be able to prevent a VM from sending multicast traffic, but cannot influence what happens to it in case of NATing.
We could add the above mentioned rule
iptables -t nat -A POSTROUTING -d 224.0.0.0/4 -j RETURN
via utils/iptables.c to the list of 3 rules that libvirt automatically creates in the iptables nat POSTROUTING chain.
HOWEVER:
Typically the multicast traffic would have to go onto the wire to get as many responses as possible. In this case I don't see it going onto the wire at all. I see them on the VM's tap interface but not on the physical interface anymore and while pinging from the VM into the network works and shows a counter increase on the respective masquerading rule I don't see any counter increase for the above rule if it is first in the list of rules. Some logic maybe already discards multicast traffic from entering the iptables NAT table? Adding the rule there at least doesn't make sense considering what I am seeing.