| field | value | date |
|---|---|---|
| author | Vishvananda Ishaya <vishvananda@gmail.com> | 2013-02-11 12:08:35 -0800 |
| committer | Vishvananda Ishaya <vishvananda@gmail.com> | 2013-02-11 14:27:50 -0800 |
| commit | d0c8f8a061125d6e4c3dce8f7f0741ff57a014b8 | |
| tree | 7e04c2ab9c56883cca2f88739e7134d733d8ed22 | |
| parent | 3e4637e8e7887567ac7dbc60e997aa780f029c1c | |
Allow fixed to float ping with external gateway.
If you ping a floating ip from an instance with only a fixed ip, the
traffic will be sent to the default gateway. If the default gateway has
a route to the floating ip, it will then be sent to the host of the
instance with the floating ip. The source address will be on the fixed
network, so if the floating addresses are on a different network, the
receiving host will drop the packet due to the default rp_filter.
Essentially, the route for the fixed range is on a different interface,
so the kernel assumes the packet is spoofed and drops it.
In order to fix this issue, this patch adds a new config option called
force_snat_range. Traffic that originates in fixed_range and has a
destination in force_snat_range will always be routed. This forces
the packet to hit the fallback floating rule and be snatted to
routing_source_ip. This means the traffic will originate from the
proper network and the packet will make it through.
DocImpact
Fixes bug 1122335
Change-Id: I7e31c25d37a5c4fd02c8238aec58a28af3fd7f6a
| -rw-r--r-- | nova/network/linux_net.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py index 08a2ae354..b4f000280 100644 --- a/nova/network/linux_net.py +++ b/nova/network/linux_net.py @@ -67,6 +67,11 @@ linux_net_opts = [ cfg.ListOpt('dmz_cidr', default=[], help='A list of dmz range that should be accepted'), + cfg.MultiStrOpt('force_snat_range', + default=[], + help='Traffic to this range will always be snatted to the ' + 'fallback ip, even if it would normally be bridged out ' + 'of the node. Can be specified multiple times.'), cfg.StrOpt('dnsmasq_config_file', default='', help='Override the default dnsmasq settings with this file'), @@ -592,6 +597,14 @@ def init_host(ip_range=None): add_snat_rule(ip_range) + rules = [] + for snat_range in CONF.force_snat_range: + rules.append('PREROUTING -p ipv4 --ip-src %s --ip-dst %s ' + '-j redirect --redirect-target ACCEPT' % + (ip_range, snat_range)) + if rules: + ensure_ebtables_rules(rules, 'nat') + iptables_manager.ipv4['nat'].add_rule('POSTROUTING', '-s %s -d %s/32 -j ACCEPT' % (ip_range, CONF.metadata_host)) |
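Review bot: in the first hunk the new option is declared as `cfg.MultiStrOpt('force_snat_range', ...)` while the adjacent `dmz_cidr`, which also holds a list of CIDR ranges, is a `cfg.ListOpt`; using the same type would keep operator configuration consistent (one comma-separated list rather than repeated keys) and avoid two parsing conventions side by side in `linux_net_opts`. The help text should also state that only traffic originating in the fixed range (the `ip_range` passed to `init_host`) is affected, since that is the `--ip-src` the ebtables rule matches on, and that the option takes CIDR notation, as `dmz_cidr` does.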
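Review bot: in the second hunk `ensure_ebtables_rules(rules, 'nat')` is only called when `rules` is non-empty, so once an operator removes a range from `force_snat_range` the previously installed `PREROUTING ... -j redirect --redirect-target ACCEPT` rule for it is not revisited on the next `init_host`, unless `ensure_ebtables_rules` reconciles the whole chain; please confirm that, or call it unconditionally so the chain always reflects the current configuration. It would also be worth validating that each `snat_range` parses as an IPv4 CIDR before it is interpolated into the rule string, and adding a unit test that asserts the generated ebtables rules for a configured `force_snat_range`, since the behaviour described in the commit message (fixed-range traffic to that range being forced through the host's SNAT rule rather than bridged out) is otherwise untested.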
