Rule to prevent SNAT for router's internal traffic is wrong
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Medium
|
Slawek Kaplonski |
Bug Description
Rule created router's namespace in https:/
However netfilter postrouting hooks don't provide the input interface. This is not new and common
between iptables and nftables. The difference is how the match behaves in this
situation: with iptables, the comparison simply happens against an empty string.
With nftables though, rule processing aborts due to no data to compare against -
the rule doesn't match. The inverted match exposes the difference as for
iptables, the result is always true while for nftables it is always false.
That cause problem with nftables based implementation which is used e.g. in RHEL8 now. Problem there is that internal traffic between 2 networks connected to same router is SNAT'ed always as this rule never match for any packet.
So input interface check in postrouting chain is not effective and never was - even with legacy iptables (e.g. in RHEL7) and can be simply dropped from this rule.
Fix proposed to branch: master /review. opendev. org/668378
Review: https:/