From 5994b8b148dbe827339b8fa96ec895041ae8dcf9 Mon Sep 17 00:00:00 2001
From: Mark McClain
Date: Fri, 26 Feb 2016 17:02:42 -0500
Subject: [PATCH] do not apply SNAT when packet is generated by appliance

SNAT was incorrectly applied to traffic originating from the appliance. This change marks the traffic so that the NAT rule is skipped and adds clarifying comments to SNAT code.

Change-Id: Ifa6ea089c5bff6c57f4ba22095ef357eeb1ff786
Closes-Bug: 1550541
---
astara_router/drivers/iptables.py | 7 ++++++-
test/unit/drivers/test_iptables.py | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/astara_router/drivers/iptables.py b/astara_router/drivers/iptables.py
index 00abf08..9c170ee 100644
--- a/astara_router/drivers/iptables.py
+++ b/astara_router/drivers/iptables.py
@@ -394,7 +394,8 @@ class IPTablesManager(base.Manager):
 ),
 ip_version=4)
 )
- # Add source NAT for VMs without floating IPs
+ # Add source NAT to handle NAT loopback case where external floating IP
+ # is used as the destination from internal endpoint
 mgt_if = self.get_management_network(config).interface
 rules.append(Rule(
 '-A PUBLIC_SNAT ! -o %s -j SNAT --to %s' % (
@@ -433,6 +434,10 @@ class IPTablesManager(base.Manager):
 Rule(':FORWARD - [0:0]', ip_version=4),
 Rule(':PREROUTING - [0:0]', ip_version=4)
 ]
+
+ # do not NAT traffic generated from within the appliance
+ rules.append(Rule('-A OUTPUT -j MARK --set-mark 0xACDA', ip_version=4))
+
 ext_net = self.get_external_network(config)
 if ext_net:
 ext_if = ext_net.interface
diff --git a/test/unit/drivers/test_iptables.py b/test/unit/drivers/test_iptables.py
index 982a948..391d92b 100644
--- a/test/unit/drivers/test_iptables.py
+++ b/test/unit/drivers/test_iptables.py
@@ -101,6 +101,7 @@ V4_OUTPUT = [
 ':OUTPUT - [0:0]',
 ':FORWARD - [0:0]',
 ':PREROUTING - [0:0]',
+ '-A OUTPUT -j MARK --set-mark 0xACDA',
 '-A PREROUTING -i eth1 -j MARK --set-mark 0xACDA',
 '-A PREROUTING -d 192.168.0.1/24 -j MARK --set-mark 0xACDA',
 ':POSTROUTING - [0:0]',
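Review bot: The rewritten comment in the first iptables.py hunk narrows the stated purpose of the PUBLIC_SNAT rule to the NAT-loopback case, but the rule that follows it (`-A PUBLIC_SNAT ! -o %s -j SNAT --to %s`) matches every packet not leaving through the management interface, so unless the PUBLIC_SNAT chain is only entered for hairpinned traffic (not visible in this hunk) the old "VMs without floating IPs" case is still what most of this rule does and the comment should keep saying so. Suggested wording: `# Source NAT for forwarded traffic not leaving via the management interface: VMs without floating IPs, and the NAT-loopback case where an external floating IP is the destination from an internal endpoint`, wrapped so no line exceeds 79 columns; at the method-body indentation implied by the surrounding lines the first new comment line appears to be over that limit. The enclosing method starts and ends outside the hunk.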
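Review bot: The new OUTPUT rule in the second iptables.py hunk sets the mark on every locally generated IPv4 packet, and `--set-mark 0xACDA` with no mask overwrites any mark already on the packet; whether that is safe depends on the nat-table rule that is expected to match on this mark to skip SNAT, which is not in this diff, so the test fixture update only proves the rule string is emitted, not that the skip actually happens. A unit test asserting the SNAT rule carries the matching mark condition would close that gap. The value `0xACDA` now appears as a literal in this rule and in the existing PREROUTING mark rules (see the test fixture); defining it once, e.g. `NO_SNAT_MARK = '0xACDA'`, and formatting the rule strings from it would keep the three rules from drifting apart. The enclosing method starts and ends outside the hunk.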