do not apply SNAT when packet is generated by appliance

SNAT was incorrectly applied to traffic originating from the appliance.
This change marks the traffic so that the NAT rule is skipped and adds
clarifying comments to SNAT code.

Change-Id: Ifa6ea089c5bff6c57f4ba22095ef357eeb1ff786
Closes-Bug: 1550541
Mark McClain 2016-02-26 17:02:42 -05:00
parent f27ff0a643
commit 5994b8b148
2 changed files with 7 additions and 1 deletions


@ -394,7 +394,8 @@ class IPTablesManager(base.Manager):
), ip_version=4)
)
# Add source NAT for VMs without floating IPs
# Add source NAT to handle NAT loopback case where external floating IP
# is used as the destination from internal endpoint
mgt_if = self.get_management_network(config).interface
rules.append(Rule(
'-A PUBLIC_SNAT ! -o %s -j SNAT --to %s' % (
@ -433,6 +434,10 @@ class IPTablesManager(base.Manager):
Rule(':FORWARD - [0:0]', ip_version=4),
Rule(':PREROUTING - [0:0]', ip_version=4)
]
# do not NAT traffic generated from within the appliance
rules.append(Rule('-A OUTPUT -j MARK --set-mark 0xACDA', ip_version=4))
ext_net = self.get_external_network(config)
if ext_net:
ext_if = ext_net.interface
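Review bot: The rule added at line 31 uses `--set-mark 0xACDA` with no mask, so it overwrites the whole nfmark of every connection the appliance itself opens, and because it lives in the nat OUTPUT chain it is evaluated only on the first packet of each connection. That is sufficient for the SNAT decision (conntrack persists the mapping for the rest of the flow), but it is worth saying so the next reader does not expect later packets to carry the mark; I would add above line 31: `# nat/OUTPUT sees only the first packet of a connection; that is enough because the SNAT decision is made on it and persisted by conntrack`. The rule that consumes the mark (the `-m mark ! --mark 0xACDA` gate in front of PUBLIC_SNAT) is not in this hunk, so I could not confirm from the diff that it exists or that nothing else, such as a filter ACCEPT or a policy-routing entry, also keys on 0xACDA and would now match all appliance-originated traffic too; please confirm. The 0xACDA literal is now repeated here and in the PREROUTING rules, and a module-level constant such as `SKIP_SNAT_MARK = 0xACDA` would keep the three in step. The method continues past the end of the hunk.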


@ -101,6 +101,7 @@ V4_OUTPUT = [
':OUTPUT - [0:0]',
':FORWARD - [0:0]',
':PREROUTING - [0:0]',
'-A OUTPUT -j MARK --set-mark 0xACDA',
'-A PREROUTING -i eth1 -j MARK --set-mark 0xACDA',
'-A PREROUTING -d 192.168.0.1/24 -j MARK --set-mark 0xACDA',
':POSTROUTING - [0:0]',
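Review bot: The fixture line added at line 42 pins a third rule carrying the literal 0xACDA without saying what the value means or that it has to match the mark the SNAT gate tests for, so a later change to the mark in the implementation fails this test with no hint of why. A one-line comment above the OUTPUT rule would carry that: `# 0xACDA marks traffic that must bypass PUBLIC_SNAT; keep in sync with the implementation's mark value`. Nothing in this hunk checks that a marked packet is actually excluded by the SNAT rule; if no other test renders the full rule set and asserts the gating rule, that is the assertion I would add. V4_OUTPUT begins at the hunk header and continues past the end of the hunk.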