Default MASQUERADE Rule is too Broad

Bug #1580756 reported by Tom Walsh
This bug affects 1 person
Affects: Astara | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

In the astara appliance router code:

http://git.openstack.org/cgit/openstack/astara-appliance/tree/astara_router/drivers/iptables.py#n335

Creates a default iptables NAT rule that is too broad.

Chain POSTROUTING (policy ACCEPT 17213 packets, 1543K bytes)
num pkts bytes target prot opt in out source destination
1 24729 1814K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0

If you create a public IP address subnet as a tenant network, this rule mangles the outbound packets to use NAT even though this is not required.

I believe that this rule should probably be limited to the reserved IP ranges that require NAT (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) and not applied to all networks (0.0.0.0/0). This should still accomplish the same end results as the original rule intended.
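An added example, not code from astara-appliance or from the bug report, modelling the POSTROUTING chain described above: `masquerade_rules` builds either the broad `0.0.0.0/0` rule or one rule per RFC 1918 range for an assumed external interface name, and `would_masquerade` evaluates a constructed source address and egress interface against the rule list in iptables order. The `enable_snat=False` switch, which emits no NAT rule at all, stands in for the behaviour the l3_ext_gw_mode extension's `enable_snat` flag selects; mapping that flag onto rule generation this way is an assumption of the example. The interface name `eth1` and the sample addresses (a private tenant host and a host on the TEST-NET-3 range standing in for a public tenant subnet) are constructed.

```python
import ipaddress

# The reserved ranges named in the report; narrowing the MASQUERADE source
# match to these instead of 0.0.0.0/0 leaves public tenant subnets untouched.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def masquerade_rules(external_iface, enable_snat=True, private_only=True):
    """Return POSTROUTING NAT rules as iptables argument lists.

    enable_snat=False emits no rule at all (assumed mapping of the
    l3_ext_gw_mode enable_snat flag onto the appliance's rule set).
    private_only=True emits one rule per RFC 1918 range; False emits the
    original single 0.0.0.0/0 rule from the report.
    """
    if not enable_snat:
        return []
    sources = RFC1918 if private_only else [ipaddress.ip_network("0.0.0.0/0")]
    return [
        ["-t", "nat", "-A", "POSTROUTING", "-s", str(net),
         "-o", external_iface, "-j", "MASQUERADE"]
        for net in sources
    ]


def would_masquerade(rules, src_ip, out_iface):
    """Evaluate one outbound packet (source address, egress interface).

    Rules are checked in chain order and the first MASQUERADE match wins;
    only the -s, -o and -j matches are modelled.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        # argument list is flag/value pairs: ("-t","nat"), ("-s",net), ...
        opts = dict(zip(rule[0::2], rule[1::2]))
        if opts.get("-j") != "MASQUERADE" or opts.get("-o") != out_iface:
            continue
        if ip in ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")):
            return True
    return False


def render(rules):
    """Render the rule lists as iptables command lines for inspection."""
    return ["iptables " + " ".join(rule) for rule in rules]


if __name__ == "__main__":
    broad = masquerade_rules("eth1", private_only=False)
    narrow = masquerade_rules("eth1")
    # Constructed packets: a private tenant host and a host on a public
    # tenant subnet (203.0.113.0/24 is TEST-NET-3), both leaving via eth1.
    for src in ("192.168.1.10", "203.0.113.5"):
        print(src,
              "broad rule NATs it:", would_masquerade(broad, src, "eth1"),
              "narrowed rules NAT it:", would_masquerade(narrow, src, "eth1"))
    for line in render(narrow):
        print(line)
```

With the narrowed rule set the private host is still masqueraded while the public-subnet host leaves with its own source address, which is the outcome the report asks for; traffic that leaves through an interface other than the external one is not matched by either rule set.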

Revision history for this message
Mark McClain (markmcclain) wrote :

We could attack the problem that way, but we're likely to diverge from the expected intro behavior. Instead, we should roll in support for the SNAT extension [1].

[1] https://git.openstack.org/cgit/openstack/neutron/tree/neutron/extensions/l3_ext_gw_mode.py
