author    Brent Eagles <beagles@redhat.com>  2013-05-10 14:26:24 -0230
committer Brent Eagles <beagles@redhat.com>  2013-05-14 16:06:49 -0230
commit    314c419323ddd512babc4504ef8a4be1e04f2af7 (patch)
tree      53c9590e85efa651a2f06137545a27f96d3e1e44
parent    da1d7390fea6ba8ac9eefd1a25e5c1412e624ee3 (diff)
Reverse path SNAT for DNAT floating-ip.
This patch applies a reverse SNAT rule to allow instances that have an assigned floating IP to communicate with other instances in the same OpenStack deployment, security group rules permitting. The patch allows members of the same private network to communicate with each other using their floating IPs in a more consistent fashion. The rule also addresses the situation where the target is on another private network. This will only work for interaction between two servers that both have floating IPs assigned to them.

Specifically, this patch solves the problem where a target server "sees" the private address of the client. By SNAT'ing to the client's floating IP, the target "sees" the correct reply address and the reverse route follows the same path that an actual external connection would take.

The SNAT ONLY occurs if a DNAT occurred beforehand, allowing communication on private networks using private IPs to remain fully private and internal. The limitation is of course if a DNAT occurs for other reasons, there may be issues.

Resolves bug 1178745

Change-Id: I55b7131cff5fd5a2ebf826945370d4d550e74136
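The mechanism the commit message describes (DNAT in PREROUTING, then a POSTROUTING SNAT that fires only when conntrack has already flagged the connection as DNAT'ed, and the reply being un-NATed back along the same path) can be walked through with a small packet/conntrack model. The following is an added example, not nova code: it mirrors the three rules as (chain, match, target) tuples and runs constructed packets through the PREROUTING and POSTROUTING hooks. The addresses, the external client and the extra `OTHER_VIP` DNAT rule are assumptions made for the example; the extra rule stands in for the "DNAT that occurs for other reasons" the message warns about.

```python
"""
Added example (not nova code): a toy model of the three nat-table rules that
floating_forward_rules() emits after this commit.  It walks a packet through
PREROUTING and POSTROUTING with a minimal conntrack to show that the SNAT
fires only on connections that were DNAT'ed beforehand, that the reply is
un-NATed back to the original addresses, and that an unrelated DNAT rule
triggers the SNAT as well.  All addresses and the extra rule are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample addressing (assumption, not from the page).
A_FIXED, A_FLOAT = "10.0.0.2", "192.0.2.2"
B_FIXED, B_FLOAT = "10.0.0.3", "192.0.2.3"
EXTERNAL_CLIENT = "203.0.113.9"
# Hypothetical unrelated DNAT living in the same nat table.
OTHER_VIP, OTHER_BACKEND = "169.254.169.254", "10.0.0.1"


@dataclass
class Packet:
    src: str
    dst: str
    ctstate: set = field(default_factory=set)   # NAT flags conntrack has set so far


def floating_forward_rules(floating_ip, fixed_ip):
    """The same three rules nova builds, as (chain, match, (target, addr))."""
    return [
        ("PREROUTING", {"d": floating_ip}, ("DNAT", fixed_ip)),
        ("OUTPUT", {"d": floating_ip}, ("DNAT", fixed_ip)),
        ("POSTROUTING", {"s": fixed_ip, "ctstate": "DNAT"}, ("SNAT", floating_ip)),
    ]


def matches(match, pkt):
    checks = {"d": lambda v: pkt.dst == v,
              "s": lambda v: pkt.src == v,
              "ctstate": lambda v: v in pkt.ctstate}
    return all(checks[k](v) for k, v in match.items())


def run_chain(chain, rules, pkt):
    """First matching rule wins: the nat table performs at most one NAT per hook."""
    for ch, match, (target, addr) in rules:
        if ch == chain and matches(match, pkt):
            if target == "DNAT":
                pkt.dst = addr
            else:
                pkt.src = addr
            pkt.ctstate.add(target)
            return


class Conntrack:
    """Remembers original vs. translated tuples so replies can be un-NATed."""
    def __init__(self):
        self.by_reply = {}   # (reply src, reply dst) -> (orig src, orig dst)

    def track(self, orig, translated):
        self.by_reply[(translated[1], translated[0])] = orig

    def reply(self, src, dst):
        orig = self.by_reply.get((src, dst))
        return (orig[1], orig[0]) if orig else (src, dst)


def forward(ct, src, dst, rules):
    """A forwarded packet: PREROUTING -> routing -> POSTROUTING. Returns the on-wire (src, dst)."""
    pkt = Packet(src, dst)
    run_chain("PREROUTING", rules, pkt)
    run_chain("POSTROUTING", rules, pkt)
    ct.track((src, dst), (pkt.src, pkt.dst))
    return pkt.src, pkt.dst


RULES = floating_forward_rules(A_FLOAT, A_FIXED) + floating_forward_rules(B_FLOAT, B_FIXED)
RULES_WITH_OTHER_DNAT = [("PREROUTING", {"d": OTHER_VIP}, ("DNAT", OTHER_BACKEND))] + RULES


if __name__ == "__main__":
    ct = Conntrack()
    print(forward(ct, A_FIXED, B_FLOAT, RULES))          # ('192.0.2.2', '10.0.0.3'): DNAT, then SNAT
    print(ct.reply(B_FIXED, A_FLOAT))                    # ('192.0.2.3', '10.0.0.2'): reply un-NATed
    print(forward(ct, A_FIXED, B_FIXED, RULES))          # ('10.0.0.2', '10.0.0.3'): no DNAT, so no SNAT
    print(forward(ct, EXTERNAL_CLIENT, B_FLOAT, RULES))  # ('203.0.113.9', '10.0.0.3'): external untouched
    print(forward(ct, A_FIXED, OTHER_VIP, RULES_WITH_OTHER_DNAT))  # ('192.0.2.2', '10.0.0.1')
```

The first call shows the intended hairpin: B receives the packet from A's floating IP, so its reply is addressed to a routed address and conntrack maps it back to A's fixed IP. The third call shows private-to-private traffic left alone. The last call is the caveat from the commit message: because the POSTROUTING rule keys only on `-s fixed_ip` plus the DNAT conntrack state, a DNAT performed by any other rule also makes the instance's traffic leave with its floating IP as source.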
-rw-r--r--  nova/network/linux_net.py  3
1 files changed, 3 insertions, 0 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 7a1f562e5..e2f9ee9dd 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -765,6 +765,9 @@ def floating_forward_rules(floating_ip, fixed_ip, device):
('PREROUTING', '-d %s -j DNAT --to %s' % (floating_ip, fixed_ip)))
rules.append(
('OUTPUT', '-d %s -j DNAT --to %s' % (floating_ip, fixed_ip)))
+ rules.append(('POSTROUTING', '-s %s -m conntrack --ctstate DNAT -j SNAT '
+ '--to-source %s' %
+ (fixed_ip, floating_ip)))
return rules
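Review bot: the new POSTROUTING rule matches `-s <fixed_ip> -m conntrack --ctstate DNAT`, which fires for every DNAT'ed connection originating from the instance, not only for connections that went through the two `-d <floating_ip> -j DNAT` rules above it; the commit message concedes this ("if a DNAT occurs for other reasons, there may be issues"). Any other DNAT in the same nat table will now make that instance's traffic leave with the floating IP as its source, so anything that identifies the instance by its fixed source address sees the floating IP instead. Suggest tying the SNAT to these specific DNATs, for example by setting a connmark in the two DNAT rules and matching on it here (`-m connmark --mark <n>` alongside `--ctstate DNAT`), or by restricting the destination, and adding a short comment above the `rules.append` explaining why the `--ctstate DNAT` condition is required and that it only helps when both peers hold floating IPs.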