From d0c8f8a061125d6e4c3dce8f7f0741ff57a014b8 Mon Sep 17 00:00:00 2001
From: Vishvananda Ishaya 
Date: Mon, 11 Feb 2013 12:08:35 -0800
Subject: Allow fixed to float ping with external gateway.

If you ping an a floating ip from an instance with only a fixed ip, the traffic will be sent to the default gateway. If the default gateway has a route to the floating ip, it will then be sent to the host of the instance with the floating ip. The source address will be on the fixed network, so if the floating addresses are on a different network, the receiving host to drop the packet due to the default rp_filter. Essentially, the route for the fixed range is on a different interface so it the kernel assumes the packet is spoofed and drops it. In order to fix this issue this patch adds a new config option called force_snat_range. Traffic that originates in fixed_range and has a destination in force_snat_range will always be routed. This forces the packet to hit the fallback floating roule and be snatted to routing_source_ip. This means the traffic will originate from the proper network and the packet will make it through.

DocImpact
Fixes bug 1122335
Change-Id: I7e31c25d37a5c4fd02c8238aec58a28af3fd7f6a
---
 nova/network/linux_net.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 08a2ae354..b4f000280 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -67,6 +67,11 @@ linux_net_opts = [
 cfg.ListOpt('dmz_cidr',
 default=[],
 help='A list of dmz range that should be accepted'),
+ cfg.MultiStrOpt('force_snat_range',
+ default=[],
+ help='Traffic to this range will always be snatted to the '
+ 'fallback ip, even if it would normally be bridged out '
+ 'of the node. Can be specified multiple times.'),
 cfg.StrOpt('dnsmasq_config_file',
 default='',
 help='Override the default dnsmasq settings with this file'),
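Review bot: The help text of the new `force_snat_range` option says traffic is snatted to "the fallback ip" without naming which option that is; the commit message identifies it as `routing_source_ip`, so the help should say so, e.g. `help='Traffic to this range will always be snatted to routing_source_ip, even if it would normally be bridged out of the node. Can be specified multiple times.'`. The neighbouring `dmz_cidr` option holds the same kind of value (a list of ranges) as a `cfg.ListOpt`, so declaring this one as `cfg.MultiStrOpt` is a style inconsistency, though switching would change how operators write the value and is a judgement call. Neither option type checks that entries are CIDRs, so the help should also state the expected format, since the value is later interpolated into an ebtables rule.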
@@ -592,6 +597,14 @@ def init_host(ip_range=None):
 add_snat_rule(ip_range)
+ rules = []
+ for snat_range in CONF.force_snat_range:
+ rules.append('PREROUTING -p ipv4 --ip-src %s --ip-dst %s '
+ '-j redirect --redirect-target ACCEPT' %
+ (ip_range, snat_range))
+ if rules:
+ ensure_ebtables_rules(rules, 'nat')
+
 iptables_manager.ipv4['nat'].add_rule('POSTROUTING', '-s %s -d %s/32 -j ACCEPT' % (ip_range, CONF.metadata_host))
-- 
cgit
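Review bot: Each `CONF.force_snat_range` entry is interpolated straight into the ebtables rule string in the `rules.append(...)` call without any check that it is a valid address or CIDR, so a typo in the config only surfaces when `ensure_ebtables_rules` fails during `init_host` (that helper is outside this hunk, so how it reports the failure cannot be confirmed here). Validating each entry before building the rule, e.g. `netaddr.IPNetwork(snat_range)` if netaddr is already imported in this module, would turn that into a clear configuration error at startup. The loop also only ever adds rules: an entry later removed from `force_snat_range` is presumably not cleaned up on the next `init_host` unless `ensure_ebtables_rules` reconciles the whole table, which deserves a comment such as `# rules are only added here; stale entries from an old config are not removed`. `init_host` starts and ends outside the hunk.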