From 13b6feca83d70dadc5fac4a9dbe7a34fe4ff2b29 Mon Sep 17 00:00:00 2001
From: Jeremy Hanmer
Date: Thu, 30 Oct 2014 16:08:53 -0700
Subject: [PATCH] MARK all traffic inbound from the internet

We use this MARK to skip the entire SNAT chain. We never EVER want to NAT or MASQ anything entering eth1.
---
 akanda/router/drivers/iptables.py | 5 +++++
 test/unit/drivers/test_iptables.py | 1 +
 2 files changed, 6 insertions(+)

diff --git a/akanda/router/drivers/iptables.py b/akanda/router/drivers/iptables.py
index 7e2935f..4260965 100755
--- a/akanda/router/drivers/iptables.py
+++ b/akanda/router/drivers/iptables.py
@@ -371,6 +371,11 @@ class IPTablesManager(base.Manager):
             Rule(':FORWARD - [0:0]', ip_version=4),
             Rule(':PREROUTING - [0:0]', ip_version=4)
         ]
+        ext_if = self.get_external_network(config).interface
+        rules.append(Rule(
+            '-A PREROUTING -i %s -j MARK --set-mark 0xACDA' % ext_if.ifname,
+            ip_version=4
+        ))
 
         for network in self.networks_by_type(config, Network.TYPE_INTERNAL):
             if network.interface.first_v4:
diff --git a/test/unit/drivers/test_iptables.py b/test/unit/drivers/test_iptables.py
index 1511fab..f8edf7d 100644
--- a/test/unit/drivers/test_iptables.py
+++ b/test/unit/drivers/test_iptables.py
@@ -93,6 +93,7 @@ V4_OUTPUT = [
     ':OUTPUT - [0:0]',
     ':FORWARD - [0:0]',
     ':PREROUTING - [0:0]',
+    '-A PREROUTING -i eth1 -j MARK --set-mark 0xACDA',
     '-A PREROUTING -d 192.168.0.1/24 -j MARK --set-mark 0xACDA',
     ':POSTROUTING - [0:0]',
     'COMMIT'
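Review bot: The new `ext_if = self.get_external_network(config).interface` line has no guard for the case where no external network is present in the config; if get_external_network() can return None there (its body is not visible in this hunk), the whole nat-table build raises AttributeError instead of simply omitting the mark rule, so consider binding the network first and appending the rule only when it is not None. The mark value 0xACDA is a bare literal here and, per the expected output in test_iptables.py, is also emitted on the internal-network rule, so it belongs in a single module-level constant rather than being repeated. Because `--set-mark` overwrites the entire fwmark, any other rule or policy-routing setup that relies on fwmark bits would be clobbered; if that is a concern, `--set-xmark 0xACDA/0xACDA` (or a masked `--set-mark`) keeps unrelated bits intact. The rationale lives only in the commit message, so add a comment above the append, e.g. `# Mark everything arriving on the external interface so the SNAT chain can skip it: traffic from the internet must never be NATed or masqueraded.` The enclosing method starts and ends outside this hunk.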