Default MASQUERADE Rule is too Broad
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Astara | New | Undecided | Unassigned |
Bug Description
In the astara appliance router code:
http://
Creates a default iptables NAT rule that is too broad.
```
Chain POSTROUTING (policy ACCEPT 17213 packets, 1543K bytes)
num pkts bytes target prot opt in out source destination
1 24729 1814K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
```
If you create a public IP address subnet as a tenant network, this rule mangles the outbound packets to use NAT even though this is not required.
I believe that this rule should probably be limited to the reserved IP ranges that require NAT (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) and not applied to all networks (0.0.0.0/0). This should still accomplish the same end results as the original rule intended.
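As an added illustration (not Astara's own code), the broad rule from the listing above and the narrowed RFC 1918 variant proposed in the report, modelled in Python so the effect on a public tenant address can be checked; the interface name eth1 is taken from the listing, the sample source addresses are constructed.

```python
# Added example, not Astara code: model the POSTROUTING MASQUERADE rule
# from the bug report and the narrowed RFC 1918 alternative, then check
# which source addresses each variant would NAT when leaving eth1.
import ipaddress

EXTERNAL_IFACE = "eth1"  # out-interface from the iptables listing in the report

# RFC 1918 ranges the report proposes limiting MASQUERADE to.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def broad_rules():
    """The rule as listed: masquerade every source leaving eth1."""
    return [("0.0.0.0/0", EXTERNAL_IFACE)]


def narrowed_rules():
    """Proposed replacement: one MASQUERADE rule per private range."""
    return [(net, EXTERNAL_IFACE) for net in RFC1918]


def as_iptables(rules):
    """Render rules as the iptables commands that would install them."""
    return [f"iptables -t nat -A POSTROUTING -s {src} -o {oif} -j MASQUERADE"
            for src, oif in rules]


def is_masqueraded(rules, src_ip, out_iface):
    """First-match walk of the POSTROUTING chain: does any rule NAT this packet?"""
    ip = ipaddress.ip_address(src_ip)
    for src_net, oif in rules:
        if oif == out_iface and ip in ipaddress.ip_network(src_net):
            return True
    return False  # chain policy ACCEPT: packet leaves with its real source


def compare(src_ip, out_iface=EXTERNAL_IFACE):
    """Return (broad, narrowed) MASQUERADE decisions for one source address."""
    return (is_masqueraded(broad_rules(), src_ip, out_iface),
            is_masqueraded(narrowed_rules(), src_ip, out_iface))


if __name__ == "__main__":
    # Constructed sample sources: a private tenant address and a public one
    # (203.0.113.0/24 is the TEST-NET-3 documentation range).
    for ip in ("10.1.2.3", "203.0.113.10"):
        print(ip, compare(ip))
```

Under the broad rule a packet from the public tenant subnet is rewritten to the router's eth1 address; under the narrowed rules it leaves with its own public source, which is the behaviour the report asks for.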
We could attack the problem that way, but we're likely to diverge from the expected intro behavior. Instead, I think we should roll in support for the SNAT extension [1].
[1] https://git.openstack.org/cgit/openstack/neutron/tree/neutron/extensions/l3_ext_gw_mode.py