From 46150eb43501620d7d0596afdc363f35fc3e2d4a Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Fri, 24 Oct 2014 09:36:29 -0700
Subject: [PATCH] Adjust the v4 NAT to masquerade on every interface other than management.

Without this, a VM without a floating IP wouldn't be able to e.g., reach another VM's floating IP via TCP.
---
 akanda/router/drivers/iptables.py | 12 ++++++++++--
 test/unit/drivers/test_iptables.py | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/akanda/router/drivers/iptables.py b/akanda/router/drivers/iptables.py
index b98c82b..5163ecb 100755
--- a/akanda/router/drivers/iptables.py
+++ b/akanda/router/drivers/iptables.py
@@ -110,6 +110,14 @@ class IPTablesManager(base.Manager):
 '''
 return self.networks_by_type(config, Network.TYPE_EXTERNAL)[0]
+ def get_management_network(self, config):
+ '''
+ Returns the management network
+
+ :rtype: akanda.router.models.Interface
+ '''
+ return self.networks_by_type(config, Network.TYPE_MANAGEMENT)[0]
+
 def networks_by_type(self, config, type):
 '''
 Returns the external network
@@ -251,7 +259,6 @@ class IPTablesManager(base.Manager):
 def _build_v4_nat(self, config):
 rules = []
- ext_if = self.get_external_network(config).interface
 for network in self.networks_by_type(config, Network.TYPE_INTERNAL):
 if network.interface.first_v4:
@@ -270,8 +277,9 @@ class IPTablesManager(base.Manager):
 ))
 # Add a masquerade catch-all for VMs without floating IPs
+ mgt_if = self.get_management_network(config).interface
 rules.append(Rule(
- '-A POSTROUTING -o %s -j MASQUERADE' % ext_if.ifname,
+ '-A POSTROUTING ! -o %s -j MASQUERADE' % mgt_if.ifname,
 ip_version=4
 ))
diff --git a/test/unit/drivers/test_iptables.py b/test/unit/drivers/test_iptables.py
index 598d4e0..e7eea3a 100644
--- a/test/unit/drivers/test_iptables.py
+++ b/test/unit/drivers/test_iptables.py
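Review bot: `get_management_network` indexes `[0]` straight into `networks_by_type(...)`, so a config with no management network surfaces as a bare IndexError from inside `_build_v4_nat`, which now calls it on every v4 NAT build. A guard that names what is missing would make that failure actionable, e.g. `nets = self.networks_by_type(config, Network.TYPE_MANAGEMENT)` / `if not nets: raise ValueError('no management network configured')` / `return nets[0]`; `get_external_network` just above uses the same bare-index pattern, so this may be an accepted convention in the file. The new docstring's `:rtype: akanda.router.models.Interface` looks copied from the sibling: the caller in the third hunk reads `.interface` off the result, so the method appears to return the network object (the `Network` model referenced on the same line) rather than its interface, and the rtype should say so.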
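Review bot: `'-A POSTROUTING ! -o %s -j MASQUERADE' % mgt_if.ifname` matches every non-management output interface, which includes the internal tenant interfaces, so anything the router forwards into an internal network — inbound connections DNAT'd to a floating IP from the external side, and VM-to-VM traffic between two internal networks — is source-NATed to the router's own address unless an earlier POSTROUTING rule accepts it first (the per-internal-network loop body is outside the hunk, as is the rest of `_build_v4_nat`, so I can't see whether it does). That hides the real remote address from the destination VM and from anything that logs or filters on source IP there, which is a much wider effect than the hairpin case the commit message describes. If only the hairpin is wanted, keep the old `-o <external ifname> -j MASQUERADE` rule and add, inside the existing internal-network loop, one rule per internal interface restricted to sources on that same network, of the shape `'-A POSTROUTING -s <that network's v4 prefix> -o %s -j MASQUERADE' % network.interface.ifname`, so only VM-originated traffic that hairpins back onto its own network is rewritten. Separately, the comment `# Add a masquerade catch-all for VMs without floating IPs` now sits above the `mgt_if` lookup; extending it to `# ... on every interface except management, so hairpinned floating-IP traffic is also NATed` would record why management is the one exclusion.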
@@ -85,7 +85,7 @@ V4_OUTPUT = [
 '-A PREROUTING -i eth1 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
 '-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
 '-A PREROUTING -i eth2 -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:9602', # noqa
- '-A POSTROUTING -o eth1 -j MASQUERADE',
+ '-A POSTROUTING ! -o eth0 -j MASQUERADE',
 'COMMIT',
 '*raw',
 ':INPUT - [0:0]',