lxc-net should not masquerade intra-container traffic

Bug #1045947 reported by Serge Hallyn
Affects: lxc (Ubuntu)

Bug Description

As pointed out in the lxc mailing list, the iptables rule used by lxc-net causes traffic between containers to be NAT'ed. Fix this by adding '! -d ${LXC_NETWORK}' to the iptables -A rule.

SRU Justification:
1. Impact: traffic between containers on the same host is NATed
2. Development fix: update iptables rule to not NAT traffic between containers
3. Stable fix: same as development fix
4. Test case: create and run two containers on the same host. Do a 'tcpdump -ni eth0' from container 1 while container 2 is pinging container 1. With the fix, the source address should be from the container's address, not from (the bridge address).
5. Regression potential: none.
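
Added example, not the lxc-net upstart script and not code posted in this bug: the POSTROUTING rule before and after the '! -d ${LXC_NETWORK}' change described above, plus a small host-side audit that reads 'iptables-save -t nat' output and reports whether the installed rule still masquerades container-to-container packets. It assumes the Ubuntu default LXC_NETWORK of 10.0.3.0/24 (the real value comes from /etc/default/lxc); the iptables-save samples at the bottom are constructed here, not captured from a host.

```shell
#!/bin/sh
# Added example: not the lxc-net upstart script or any code from this bug.
# Assumed default (the real value comes from /etc/default/lxc):
LXC_NETWORK="${LXC_NETWORK:-10.0.3.0/24}"

# Rule as installed before the fix: masquerades every packet sourced from the
# container subnet, including packets that never leave the bridge.
old_masq_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LXC_NETWORK -j MASQUERADE"
}

# Fixed rule: '! -d LXC_NETWORK' leaves container-to-container packets alone,
# so a peer sees the real container source address instead of the bridge's.
new_masq_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LXC_NETWORK ! -d $LXC_NETWORK -j MASQUERADE"
}

# Host-side audit: read 'iptables-save -t nat' output on stdin and print
#   ok         - the MASQUERADE rule for LXC_NETWORK excludes intra-subnet traffic
#   nat-intra  - the rule masquerades everything (the behaviour this bug fixes)
#   missing    - no MASQUERADE rule for LXC_NETWORK is installed at all
classify_masq_rule() {
    rules=$(grep -F -- "-s $LXC_NETWORK" | grep -F -- "-j MASQUERADE" || true)
    if [ -z "$rules" ]; then
        echo missing
    elif printf '%s\n' "$rules" | grep -qF -- "! -d $LXC_NETWORK"; then
        echo ok
    else
        echo nat-intra
    fi
}

# Constructed 'iptables-save -t nat' samples for the two states (not captured
# from a real host); iptables-save prints the negation as '! -d <net>'.
SAMPLE_BEFORE_FIX="*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LXC_NETWORK -j MASQUERADE
COMMIT"
SAMPLE_AFTER_FIX="*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LXC_NETWORK ! -d $LXC_NETWORK -j MASQUERADE
COMMIT"

echo "old rule:   $(old_masq_rule)"
echo "new rule:   $(new_masq_rule)"
echo "before fix: $(printf '%s\n' "$SAMPLE_BEFORE_FIX" | classify_masq_rule)"
echo "after fix:  $(printf '%s\n' "$SAMPLE_AFTER_FIX" | classify_masq_rule)"
# On a real host (as root): iptables-save -t nat | classify_masq_rule
```

The audit only confirms that the rule is installed in the intended shape; the packet-level check from item 4 of the SRU justification remains the authoritative test, since with the fix tcpdump inside container 1 must show container 2's own address as the ping source rather than the bridge address.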

Changed in lxc (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in lxc (Ubuntu Quantal):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu33

lxc (0.8.0~rc1-4ubuntu33) quantal; urgency=low

  [ Serge Hallyn ]
  * 0206-lxc-wait-initialize-timeout: initialize timeout to -1 so lxc-wait
    will, by default, wait for the container to enter the requested state.
  * debian/patches/compilecleanups/* - fix compile time warnings.
  * lxc.lxc-net.upstart: tell iptables not to masquerade packets between
    containers. (LP: #1045947)
  * 0208-fix-getitem-utsname-segv: fix seg fault when doing get_item(utsname)
    on newly created container.
  * 0209-reload-conf-after-create: add ability to free a lxc_conf. Use that
    after calling Container->Create() to completely reload the newly created
  * 0211-add-hooks-to-manpage: document lxc.hook in the lxc.conf manpage.
  * 0212-lxc-destroy-rm-symlink: If rootfs is a symbolic link to a directory,
    remove it. (LP: #1046117)
  * 0213-add-premount-hook.patch: add a premount hook to support encrypted
    filesystems. (LP: #1043052)

  [ Scott Moser ]
  * 0207-ubuntu-cloud-fixes.patch: cleanups to lxc-ubuntu-cloud.in
    fix for quantal images that do not have user 'ubuntu' present
    (LP: #1045955)

  [ Rex Tsai ]
  * 0210-fix-debian-templates: Fix lxc-shutdown/lxc-restart in Debian
    containers and fix lxc.utsname for lenny containers.
    (LP: #1046684, LP: #1046696)

  [ Stéphane Graber ]
  * lxc.lxc-net.upstart: Make the iptables call more consistent (LP: #1045947)
 -- Serge Hallyn <email address hidden> Thu, 30 Aug 2012 11:32:06 -0500

Changed in lxc (Ubuntu Quantal):
status: Fix Committed → Fix Released
description: updated
Changed in lxc (Ubuntu Precise):
status: New → Fix Committed
importance: Undecided → High
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Serge, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu64 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Serge Hallyn (serge-hallyn) wrote :

Verified on precise.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu65

lxc (0.7.5-3ubuntu65) precise-proposed; urgency=low

  * Add proper fix (X001-lxc-ls-onelisting) for lxc-ls showing running
    containers multiple times. (LP: #1043018)

lxc (0.7.5-3ubuntu64) precise-proposed; urgency=low

  [ Serge Hallyn ]
  * lxc.lxc-net.upstart: tell iptables not to masquerade packets between
    containers. (LP: #1045947)
  * 0204-ubuntu-cloud-userdata-path: Fix broken behavior when a relative
    path is passed into '--userdata' argument. (LP: #1043582)
  * 0205-lxc-ls-manpage-document-two-lines: Document the default two-line
    output format of lxc-ls. (LP: #1043018)
  * lxc-start-ephemeral: support fedora and centos (LP: #1042431)
  * 0222-debian-dhcp3-package: fix install of debian testing containers.
    (LP: #1052972)
  * 0100-template-cleanup-cache: clean up template cache if interrupted
    during build. (LP: #1037331)

  [ Scott Moser ]
  * 0225-ubuntu-cloud-numeric-owner: use --numeric-owner when extracting root
    filesystems with tar (LP: #1066084)
 -- Serge Hallyn <email address hidden> Wed, 07 Nov 2012 11:03:36 -0600

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released
Clint Byrum (clint-fewbar) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
