Bug 508339 - traceroute from guest to host in NAT mode shows errors
traceroute from guest to host in NAT mode shows errors
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libvirt (Show other bugs)
5.4
All Linux
low Severity medium
: rc
: ---
Assigned To: Laine Stump
Virtualization Bugs
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-26 12:35 EDT by Paolo Bonzini
Modified: 2011-10-17 11:20 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-17 11:20:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
vm xml configuration (1.06 KB, application/xml)
2009-06-26 16:09 EDT, Paolo Bonzini
no flags Details
wireshark capture file (14.60 KB, text/plain)
2010-09-17 12:10 EDT, Paolo Bonzini
no flags Details

  None (edit)
Description Paolo Bonzini 2009-06-26 12:35:11 EDT
Description of problem:
From a KVM guest, I can access the host via the 192.168.122.1 address, but not with its "external" address.

Version-Release number of selected component (if applicable):
5.4 20090623.0

How reproducible:
Try traceroute from the guest to the host

Steps to Reproduce:
1. Start a KVM guest without PV-on-HVM drivers (RHEL-4 in my case).
2. Do hostname on the host
3. On the guest, start a traceroute on the output of the hostname command

Actual results:
traceroute to dhcp-lab-204.englab.brq.redhat.com (10.34.33.204), 30 hops max, 46 byte packets
 1  dhcp-lab-204.englab.brq.redhat.com (10.34.33.204)  0.181 ms !<10>  0.160 ms !<10>  0.151ms !<10>

Expected results:
This is the output of traceroute to a different machine than the host, in the same subnet.
traceroute to dhcp-lab-218.englab.brq.redhat.com (10.34.33.218), 30 hops max, 46 byte packets
 1  192.168.122.1 (192.168.122.1)  0.173 ms  0.150 ms  0.143 ms
 2  dhcp-lab-218.englab.brq.redhat.com (10.34.33.218)  0.270 ms  0.228 ms  0.231ms

Additional info:
Output of route on the guest:
192.168.122.0   *              255.255.255.0  U   0    0    0  eth0
169.254.0.0     *              255.255.0.0    U   0    0    0  eth0
default         192.168.122.1  0.0.0.0        UG  0    0    0  eth0

Output of route on the host:
192.168.122.0   *              255.255.255.0  U   0    0    0  virbr0
10.34.32.0      *              255.255.252.0  U   0    0    0  eth0
169.254.0.0     *              255.255.0.0    U   0    0    0  eth0
default         gw.enlab.brq.r 0.0.0.0        UG  0    0    0  eth0

Output of iptables-save on the host:
# Generated by iptables-save v1.3.5 on Fri Jun 26 18:15:45 2009
*nat
:PREROUTING ACCEPT [1280:180578]
:POSTROUTING ACCEPT [236:17652]
:OUTPUT ACCEPT [237:17803]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE 
COMMIT
# Completed on Fri Jun 26 18:15:45 2009
# Generated by iptables-save v1.3.5 on Fri Jun 26 18:15:45 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9346:14778380]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT 
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Fri Jun 26 18:15:45 2009
Comment 1 Paolo Bonzini 2009-06-26 13:07:56 EDT
changing component from kvm to libvirt.
Comment 2 Daniel Berrange 2009-06-26 13:44:01 EDT
Is 'ip_forward' enabled ?
Comment 3 Paolo Bonzini 2009-06-26 14:06:38 EDT
I cannot check until monday unless the weekend is very rainy, but in case it helps it is just connecting to the host that has a problem.  Any other IP address is routed properly.
Comment 4 Paolo Bonzini 2009-06-26 15:54:25 EDT
Yes, ip_forward enabled.  Note that everything works, it's just the ICMP error that puzzled me.
Comment 5 Paolo Bonzini 2009-06-26 16:09:43 EDT
Created attachment 349601 [details]
vm xml configuration

I attach the XML file from which I created the vm.

The network configuration can be found in https://bugzilla.redhat.com/show_bug.cgi?id=508335#c3
Comment 13 Jiri Denemark 2010-09-10 05:18:42 EDT
Paolo is willing to check the status of this bug with the rebased libvirt; setting needinfo for him
Comment 14 Paolo Bonzini 2010-09-17 12:09:29 EDT
Still reproducible with the rebased libvirt: the UDP packets sent by traceroute are rejected with ICMP "Host administratively prohibited".

I'll attach a trace file.
Comment 15 Paolo Bonzini 2010-09-17 12:10:28 EDT
Created attachment 448044 [details]
wireshark capture file
Comment 17 RHEL Product and Program Management 2010-10-13 11:05:27 EDT
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.
Comment 18 Dave Allan 2010-10-13 14:39:56 EDT
Closed in error; reopening and moving to 5.7.
Comment 20 RHEL Product and Program Management 2011-01-11 15:26:21 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 21 RHEL Product and Program Management 2011-01-11 17:59:07 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 25 Dave Allan 2011-10-17 11:20:43 EDT
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.