prefix=EXTERNAL_DEV_PREFIX)
# Process SNAT rules for external gateway
- self.perform_snat_action(self._handle_router_snat_rules,
- interface_name)
+ gw_port = self._router.get('gw_port')
+ self._handle_router_snat_rules(gw_port, interface_name)
def external_gateway_nat_rules(self, ex_gw_ip, interface_name):
- mark = self.agent_conf.external_ingress_mark
- rules = [('POSTROUTING', '! -i %(interface_name)s '
- '! -o %(interface_name)s -m conntrack ! '
- '--ctstate DNAT -j ACCEPT' %
- {'interface_name': interface_name}),
- ('snat', '-o %s -j SNAT --to-source %s' %
- (interface_name, ex_gw_ip)),
- ('snat', '-m mark ! --mark %s '
- '-m conntrack --ctstate DNAT '
- '-j SNAT --to-source %s' % (mark, ex_gw_ip))]
- return rules
+ dont_snat_traffic_to_internal_ports_if_not_to_floating_ip = (
+ 'POSTROUTING', '! -i %(interface_name)s '
+ '! -o %(interface_name)s -m conntrack ! '
+ '--ctstate DNAT -j ACCEPT' %
+ {'interface_name': interface_name})
+
+ snat_normal_external_traffic = (
+ 'snat', '-o %s -j SNAT --to-source %s' %
+ (interface_name, ex_gw_ip))
+
+ # Makes replies come back through the router to reverse DNAT
+ ext_in_mark = self.agent_conf.external_ingress_mark
+ snat_internal_traffic_to_floating_ip = (
+ 'snat', '-m mark ! --mark %s '
+ '-m conntrack --ctstate DNAT '
+ '-j SNAT --to-source %s' % (ext_in_mark, ex_gw_ip))
+
+ return [dont_snat_traffic_to_internal_ports_if_not_to_floating_ip,
+ snat_normal_external_traffic,
+ snat_internal_traffic_to_floating_ip]
def external_gateway_mangle_rules(self, interface_name):
mark = self.agent_conf.external_ingress_mark
Code Review / openstack-build / neutron-build.git / commitdiff