Don't match input interface in POSTROUTING table

Netfilter postrouting hooks don't provide the input interface. That
works fine in the iptables implementation, as the comparison simply happens
against an empty string, but it causes problems with nftables, which
aborts rule processing because there is no data to compare against, and
the rule doesn't match.
This is a problem on systems where nftables is used (e.g. RHEL 8).

This patch fixes this issue by removing input interface from
POSTROUTING rule used to prevent SNAT for router's internal traffic.

Change-Id: I79bb8054c113c77e7c96d64ec1408236d24b23b6
Closes-Bug: #1834825
Slawek Kaplonski 2019-07-01 09:45:38 +02:00
parent 54946b7a73
commit dfa37b2233
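The failure mode the commit message describes (an interface match that has no data in the hook it runs in, which iptables-legacy treats as a comparison against an empty string and nftables treats as an abort of the rule) can be checked for mechanically. The following is an added example, not Neutron code: it builds the fixed rule in the same form as the patch and lints iptables rule strings for input-interface matches in POSTROUTING/OUTPUT and output-interface matches in PREROUTING/INPUT. The chain/flag table is an assumption based on standard netfilter hook semantics, and the function names are mine.

```python
"""Added example (not Neutron's code): build the no-SNAT rule from the patch
and lint iptables rules for interface matches that cannot be evaluated in
their chain.

Assumption (standard netfilter hook semantics): POSTROUTING and OUTPUT never
see an input interface; PREROUTING and INPUT never see an output interface.
iptables-legacy compares such a match against an empty string (so
'! -i X' always matches); nftables aborts the rule, so it never matches.
"""
import shlex

NO_INPUT_IFACE_CHAINS = {"POSTROUTING", "OUTPUT"}
NO_OUTPUT_IFACE_CHAINS = {"PREROUTING", "INPUT"}

# iptables interface match flags and the direction they refer to.
IFACE_FLAGS = {
    "-i": "in", "--in-interface": "in",
    "-o": "out", "--out-interface": "out",
}


def prevent_snat_for_internal_traffic_rule(interface_name):
    """The fixed rule from the patch, as a (chain, rule_text) pair."""
    return ('POSTROUTING',
            '! -o %(interface_name)s -m conntrack ! --ctstate DNAT -j ACCEPT'
            % {'interface_name': interface_name})


def _unusable_in(chain, flag):
    """True if an interface match with this flag has no data in `chain`."""
    direction = IFACE_FLAGS.get(flag)
    return ((direction == "in" and chain in NO_INPUT_IFACE_CHAINS) or
            (direction == "out" and chain in NO_OUTPUT_IFACE_CHAINS))


def unusable_interface_matches(chain, rule):
    """Return the interface matches in `rule` (as written, including a
    leading '! ' when negated) that can never be evaluated in `chain` and
    therefore turn the whole rule into a no-op under nftables."""
    tokens = shlex.split(rule)
    found = []
    negated = False
    for i, tok in enumerate(tokens):
        if tok == "!":
            negated = True
            continue
        if _unusable_in(chain, tok):
            name = tokens[i + 1] if i + 1 < len(tokens) else ""
            found.append(("! " if negated else "") + "%s %s" % (tok, name))
        negated = False
    return found


def strip_unusable_interface_matches(chain, rule):
    """Drop those matches, yielding the rule as iptables-legacy effectively
    evaluated it (and as nftables needs it written)."""
    tokens = shlex.split(rule)
    out = []
    i = 0
    while i < len(tokens):
        negated = tokens[i] == "!"
        j = i + 1 if negated else i
        flag = tokens[j] if j < len(tokens) else None
        if _unusable_in(chain, flag):
            i = j + 2  # skip "[!] <flag> <ifname>"
            continue
        out.append(tokens[i])
        i += 1
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample: the rule as it was before the patch.
    old = "! -i qg-1234 ! -o qg-1234 -m conntrack ! --ctstate DNAT -j ACCEPT"
    print(unusable_interface_matches("POSTROUTING", old))
    print(strip_unusable_interface_matches("POSTROUTING", old))
```

Run over the pre-patch rule, the linter reports `! -i qg-1234` as unusable in POSTROUTING and the stripped form equals the rule the patch installs; the same check flags `-o` in PREROUTING and is silent for FORWARD, where both interfaces are available.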


@ -883,9 +883,8 @@ class RouterInfo(BaseRouterInfo):
def _prevent_snat_for_internal_traffic_rule(self, interface_name): def _prevent_snat_for_internal_traffic_rule(self, interface_name):
return ( return (
'POSTROUTING', '! -i %(interface_name)s ' 'POSTROUTING', '! -o %(interface_name)s -m conntrack '
'! -o %(interface_name)s -m conntrack ! ' '! --ctstate DNAT -j ACCEPT' %
'--ctstate DNAT -j ACCEPT' %
{'interface_name': interface_name}) {'interface_name': interface_name})
def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name): def external_gateway_nat_fip_rules(self, ex_gw_ip, interface_name):
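Review bot: dropping `! -i %(interface_name)s` preserves the rule's effect on iptables only because, as the commit message states, POSTROUTING never carries an input interface there, so that clause was always true; add a short comment beside the rule saying that input-interface matches must not be used in POSTROUTING (they make the whole rule a no-op under nftables) so the clause is not reintroduced, and update any unit test that asserts the exact rule string. The remaining `'! -o %(interface_name)s -m conntrack ! --ctstate DNAT -j ACCEPT'` is the intended match.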