From dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Mon, 1 Jul 2019 09:45:38 +0200
Subject: [PATCH] Don't match input interface in POSTROUTING table

Netfilter postrouting hooks don't provide the input interface. That works fine in iptables implementation as the comparison simply happens against an empty string, but cause problems with nftables which aborts rule processing due to no data to compare against and the rule doesn't match. This is a problem in systems where nftables are used (e.g. RHEL 8). This patch fixes this issue by removing input interface from POSTROUTING rule used to prevent SNAT for router's internal traffic.

Change-Id: I79bb8054c113c77e7c96d64ec1408236d24b23b6
Closes-Bug: #1834825
---
 neutron/agent/l3/router_info.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/neutron/agent/l3/router_info.py b/neutron/agent/l3/router_info.py
index ac44a4b13c5..a685114cd4b 100644
--- a/neutron/agent/l3/router_info.py
+++ b/neutron/agent/l3/router_info.py
@@ -883,9 +883,8 @@ class RouterInfo(BaseRouterInfo):
 
     def _prevent_snat_for_internal_traffic_rule(self, interface_name):
         return (
-            'POSTROUTING', '! -i %(interface_name)s '
-            '! -o %(interface_name)s -m conntrack ! '
-            '--ctstate DNAT -j ACCEPT' %
+            'POSTROUTING', '! -o %(interface_name)s -m conntrack '
+            '! --ctstate DNAT -j ACCEPT' %
             {'interface_name': interface_name})
 
     def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name):
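Review bot: The new `_prevent_snat_for_internal_traffic_rule` body carries no hint of why the input-interface match was dropped, so a reader who remembers the old iptables rule may well add `! -i` back; the method has no docstring and the reason lives only in the commit message. I would state the constraint on the method itself, e.g. `"""Rule skipping SNAT for traffic that stays inside the router. POSTROUTING sees no input interface: never add '-i' here, nftables aborts the match on it (bug 1834825)."""`. Dropping `! -i` looks behaviour-neutral on iptables, where the empty input interface made the negated match vacuously true, but a unit test pinning the exact rule string (in particular that `-i` is absent) would keep this from regressing. Which table and chain the returned tuple is installed into is decided by the caller, outside this hunk.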