From 314c419323ddd512babc4504ef8a4be1e04f2af7 Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Fri, 10 May 2013 14:26:24 -0230
Subject: Reverse path SNAT for DNAT floating-ip.
This patch applies a reverse SNAT rule to allow instances that have an assigned floating IP to communicate with other instances in the same OpenStack deployment, security group rules permitting. The patch allows members of the same private network to communicate with each other using their floating-ips in a more consistent fashion. The rule also addresses the situation where the target is on another private network. This will only work for interaction between two servers that both have floating IPs assigned to them. Specifically, this patch solves the problem where a target server "sees" the private address of the client. By SNAT'ing to the client's floating-IP, the "sees" the correct reply address and the reverse route follows the same path that an actual external connection would take. The SNAT ONLY occurs if a DNAT occurred before hand, allowing communication on private networks using private IPs to remain fully private and internal. The limitation is of course if a DNAT occurs for other reasons, there may be issues. Resolves bug 1178745
Change-Id: I55b7131cff5fd5a2ebf826945370d4d550e74136
---
 nova/network/linux_net.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 7a1f562e5..e2f9ee9dd 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -765,6 +765,9 @@ def floating_forward_rules(floating_ip, fixed_ip, device):
 ('PREROUTING', '-d %s -j DNAT --to %s' % (floating_ip, fixed_ip)))
 rules.append(
 ('OUTPUT', '-d %s -j DNAT --to %s' % (floating_ip, fixed_ip)))
+ rules.append(('POSTROUTING', '-s %s -m conntrack --ctstate DNAT -j SNAT '
+ '--to-source %s' %
+ (fixed_ip, floating_ip)))
 return rules
--
cgit
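Review bot: The POSTROUTING rule added at the end of the hunk matches every connection from `fixed_ip` whose conntrack entry carries the DNAT flag, not only the ones rewritten by the two floating-IP DNAT rules above it, so any other DNAT this host applies to instance traffic (nova-network's link-local metadata redirect, if it is installed in the same nat table, is the obvious candidate) will now also leave the node with its source rewritten to `floating_ip`, and a service that identifies the instance by its fixed source address would stop recognising it. The commit message itself acknowledges this ("if a DNAT occurs for other reasons, there may be issues") but the rule is not narrowed. I would scope the match to connections whose original destination was a floating address, e.g. `'-s %s -m conntrack --ctstate DNAT --ctorigdst %s -j SNAT --to-source %s'` with the floating pool range, or have the two DNAT rules set a connmark that the SNAT rule requires; either way the scoping condition and the reason it exists belong in a comment above the new `rules.append`, since `--ctstate DNAT` alone reads as intentional. The body of `floating_forward_rules` begins before the hunk (the `rules` list and its first `append` are not visible here), so the range is not available from the visible code without a new parameter.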