nova-network: instance cannot access its own floating IP

Hi,

I have a compute node running Folsom 2012.2.4, nova-compute and nova-network on the same host. We have Vlan based networking, each tenant having its own vlan with private subnet.

When I create an instance it will get auto-assigned floating IP. When I open the connection from inside the VM to its own floating IP, it time-outs. This use-case was working before migrating to Folsom (from Essex).

The problem was introduced with commit "959c93f6". It changed how the SNAT rule is constructed for an instance. Now, the snat rule is applied only if your destination interface is your public_interface. Before, it had a wildcard "*" in its place. Because of this, traffic from instance to floating IP will hit compute node (nova-network), DNAT rule is applied, but SNAT is not.

SYN leaving instance
172.30.49.140 (fixed) -> 172.30.8.218 (floating)
DNAT rule applied on nova-compute (SNAT is not applied)
172.30.49.140 (fixed) -> 172.30.49.140 (fixed)
SYN returned to the same instance
172.30.49.140 (fixed) -> 172.30.49.140 (fixed)
TCP session is not established because src/dst does not match with original dst/src.

If I remove in "nova/network/linux_net.py" in "floating_forward_rules" these two lines
# if device:
# rule += ' -o %s' % device

then the SNAT rule is applied to any destination interface again (as it was in Essex). And both SNAT/DNAT are applied. Then, both sides of the TCP session flow via nova-network iptable rules.

Attaching files for working (wildcard-snat) and broken (specific-snat) case.
- pcap from VM, accessing its own floating IP (172.30.8.218) from fixed (172.30.49.140)
- output of iptables -t nat from compute node (running two instances)

Regards,

Brano Zarnovican