Don't match input interface in POSTROUTING table

Netfilter postrouting hooks don't provide the input interface. That
works fine in the iptables implementation, as the comparison simply happens
against an empty string, but it causes problems with nftables, which
aborts rule processing because there is no data to compare against, and
the rule doesn't match.
This is a problem on systems where nftables is used (e.g. RHEL 8).

This patch fixes this issue by removing input interface from
POSTROUTING rule used to prevent SNAT for router's internal traffic.

Change-Id: I79bb8054c113c77e7c96d64ec1408236d24b23b6
Closes-Bug: #1834825
(cherry picked from commit dfa37b2233)
Slawek Kaplonski 2019-07-01 09:45:38 +02:00
parent e735aa376f
commit ccf5b7ea0a
1 changed file with 2 additions and 3 deletions
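The commit message describes an interface match that one netfilter hook can never evaluate. The following check is an added example, not neutron's code: it takes (chain, rule) tuples in the shape neutron's RouterInfo methods return and flags `-i`/`--in-interface` or `-o`/`--out-interface` matches in built-in chains where iptables(8) documents them as unavailable (input interface only in INPUT, FORWARD and PREROUTING; output interface only in FORWARD, OUTPUT and POSTROUTING). User-defined chains are skipped because the hook they are reached from is not known from the rule alone. The interface name `qr-test0` and the sample rules are constructed for the example.

```python
import shlex

# Built-in chains in which each interface match can be evaluated, per iptables(8).
# A POSTROUTING hook has no input interface, so "-i" there is undefined.
_VALID_CHAINS = {
    '-i': {'INPUT', 'FORWARD', 'PREROUTING'},
    '--in-interface': {'INPUT', 'FORWARD', 'PREROUTING'},
    '-o': {'FORWARD', 'OUTPUT', 'POSTROUTING'},
    '--out-interface': {'FORWARD', 'OUTPUT', 'POSTROUTING'},
}
_BUILTIN_CHAINS = {'PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING'}


def interface_match_errors(chain, rule):
    """Return [(option, interface), ...] for interface matches the chain cannot see.

    `chain` is the built-in chain name; `rule` is the rule spec string
    (everything after the chain, e.g. "! -o qr-x -j ACCEPT").  Negated
    matches ("! -i qr-x") are reported too: the negation does not make the
    missing data available to the hook.  Non-built-in chains return [].
    """
    if chain not in _BUILTIN_CHAINS:
        return []
    tokens = shlex.split(rule)
    errors = []
    for idx, tok in enumerate(tokens):
        if tok in _VALID_CHAINS and chain not in _VALID_CHAINS[tok]:
            iface = tokens[idx + 1] if idx + 1 < len(tokens) else ''
            errors.append((tok, iface))
    return errors


def check_rules(rules):
    """Run interface_match_errors over (chain, rule) tuples; return the offenders."""
    findings = []
    for chain, rule in rules:
        errs = interface_match_errors(chain, rule)
        if errs:
            findings.append((chain, rule, errs))
    return findings


# Constructed sample: the rule before and after the fix in this commit,
# rendered for a hypothetical router interface "qr-test0".
IFACE = 'qr-test0'
OLD_RULE = ('POSTROUTING',
            '! -i %(i)s ! -o %(i)s -m conntrack ! --ctstate DNAT -j ACCEPT' % {'i': IFACE})
NEW_RULE = ('POSTROUTING',
            '! -o %(i)s -m conntrack ! --ctstate DNAT -j ACCEPT' % {'i': IFACE})


def sample_findings():
    """Findings for the constructed sample; only OLD_RULE should be reported."""
    return check_rules([OLD_RULE, NEW_RULE])


if __name__ == '__main__':
    for chain, rule, errs in sample_findings():
        print('%s: %s' % (chain, rule))
        for opt, iface in errs:
            print('    %s %s is not evaluable in %s' % (opt, iface, chain))
```

The same function catches the mirror-image mistake, an `-o` match in PREROUTING or INPUT, which legacy iptables would treat the same way (comparison against an empty string) and nftables would likewise refuse to evaluate.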


@ -846,9 +846,8 @@ class RouterInfo(object):
def _prevent_snat_for_internal_traffic_rule(self, interface_name):
return (
'POSTROUTING', '! -i %(interface_name)s '
'! -o %(interface_name)s -m conntrack ! '
'--ctstate DNAT -j ACCEPT' %
'POSTROUTING', '! -o %(interface_name)s -m conntrack '
'! --ctstate DNAT -j ACCEPT' %
{'interface_name': interface_name})
def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name):
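Review bot: the returned rule string carries no explanation of why it matches only on `! -o %(interface_name)s`, so a later change could reintroduce the input-interface match that this hunk removes; a one-line comment above the `return` stating that POSTROUTING hooks have no input interface (and that nftables refuses to evaluate `-i` there) would preserve the rationale, and a unit test asserting the exact rule string returned by `_prevent_snat_for_internal_traffic_rule` would guard against regression. As described in the commit message, the removed `! -i %(interface_name)s` compared against an empty string under legacy iptables and therefore always matched, so dropping it leaves the rule's effective semantics unchanged.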