Reviewed: https://review.opendev.org/668378
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba
Submitter: Zuul
Branch: master
commit dfa37b2233b2dbe6dd12ec5e2ee4f1f32a4be4ba
Author: Slawek Kaplonski <[email protected]>
Date: Mon Jul 1 09:45:38 2019 +0200

    Don't match input interface in POSTROUTING table

    Netfilter postrouting hooks don't provide the input interface. That works
    fine in the iptables implementation, as the comparison simply happens
    against an empty string, but it causes problems with nftables, which
    aborts rule processing due to no data to compare against, and the rule
    doesn't match. This is a problem in systems where nftables are used
    (e.g. RHEL 8).

    This patch fixes this issue by removing the input interface from the
    POSTROUTING rule used to prevent SNAT for the router's internal traffic.

    Change-Id: I79bb8054c113c77e7c96d64ec1408236d24b23b6
    Closes-Bug: #1834825

** Changed in: neutron
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1834825

Title:
  Rule to prevent SNAT for router's internal traffic is wrong

Status in neutron:
  Fix Released

Bug description:
  The rule created in the router's namespace in
  https://github.com/openstack/neutron/blob/master/neutron/agent/l3/router_info.py#L884
  tries to match both the input and output interface. However, netfilter
  postrouting hooks don't provide the input interface. This is not new and
  is common to iptables and nftables. The difference is how the match
  behaves in this situation: with iptables, the comparison simply happens
  against an empty string. With nftables though, rule processing aborts due
  to no data to compare against - the rule doesn't match. The inverted
  match exposes the difference, as for iptables the result is always true
  while for nftables it is always false.

  That causes problems with the nftables-based implementation which is
  used e.g. in RHEL8 now. The problem there is that internal traffic
  between 2 networks connected to the same router is always SNAT'ed, as
  this rule never matches any packet.

  So the input interface check in the postrouting chain is not effective
  and never was - even with legacy iptables (e.g. in RHEL7) - and can
  simply be dropped from this rule.
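The matching behaviour described in the report, as an added example that is not neutron's code: a small lint over iptables-style rule strings that flags an input-interface match in a chain whose hook carries no input interface, and records how iptables (comparison against an empty string) and nftables (rule aborts) each evaluate it. The rule strings below are constructed in the shape the report describes (matching both `-i` and `-o`); the actual rule in router_info.py is not quoted on this page.

```python
import re

# The POSTROUTING and OUTPUT hooks carry no input interface, so an -i match
# evaluated there has no data to compare against.
CHAINS_WITHOUT_IN_IFACE = {"POSTROUTING", "OUTPUT"}

# Matches "-i IFACE" / "--in-interface IFACE" with an optional leading "!".
_IN_IFACE = re.compile(r"(?:!\s+)?(?:-i|--in-interface)\s+\S+")

# Constructed rules (chain, spec); assumed shape, not copied from neutron.
OLD_RULE = ("POSTROUTING",
            "! -i qr-abc ! -o qr-abc -m conntrack ! --ctstate DNAT -j ACCEPT")
NEW_RULE = ("POSTROUTING",
            "! -o qr-abc -m conntrack ! --ctstate DNAT -j ACCEPT")


def lint_rule(chain, rule_spec):
    """Report how an input-interface match behaves in a chain without one.

    Returns None when there is nothing to flag. Otherwise:
      iptables_in_match: the empty string never equals IFACE, so "-i X" is
                         always false and "! -i X" is always true.
      nftables_in_match: the rule aborts, so the match is always false.
      equivalent:        the rule with the dead match removed, only when the
                         match was a no-op under iptables (inverted form);
                         None when the rule was already dead there too.
    """
    if chain not in CHAINS_WITHOUT_IN_IFACE:
        return None
    matches = _IN_IFACE.findall(rule_spec)
    if not matches:
        return None
    inverted = all(m.startswith("!") for m in matches)
    stripped = " ".join(_IN_IFACE.sub("", rule_spec).split())
    return {
        "chain": chain,
        "input_matches": matches,
        "iptables_in_match": "always true" if inverted else "always false",
        "nftables_in_match": "always false",
        "equivalent": stripped if inverted else None,
    }


if __name__ == "__main__":
    for chain, spec in (OLD_RULE, NEW_RULE):
        print(chain, spec, "->", lint_rule(chain, spec))
```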

