openstack team mailing list archive

[Mark McLoughlin <markmc@xxxxxxxxxx>]

On Mon, 2011-10-10 at 12:29 +0100, Kiall Mac Innes wrote:
> Hi Mark,
> 
> That part I understand :) Consider these rules (nabbed from forum posting
> here<http://www.zeroshell.net/eng/forum/viewtopic.php?p=655&sid=76f8a08777176b9f939642734f2b23d0#655>
> ):
> 
> iptables -t nat -A prerouting_rule -d WAN_IP -p tcp --dport 80 -j DNAT --to
> > 192.168.0.10
> > iptables -A forwarding_rule -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
> > iptables -t nat -A postrouting_rule -s 192.168.0.0/24 -p tcp --dport 80 -d
> > 192.168.0.10 -j MASQUERADE
> 
> 
> Some pretty "basic" iptables based router distro's like pfSense etc call
> this hairpin NAT or NAT reflection..

Ah, I see - hairpin is basically adding a rule which snats (as well as
the standard dnat) connections from the private network to the public IP

> And, I'm wondering if a similar technique is possible with the rules
> OS generates?

It seems perfectly possible to me - you'd need to add something similar
to that last rule in ensure_floating_forward() in linux_vnet.py

The only tricky bit is that you'll need to pass the fixed IP network's
cidr down from init_host_floating_ips() - I'm guessing it's available by
something like floating_ip['fixed_ip']['network']['cidr']

If you've any trouble getting it working, at least file a bug in
launchpad - it sounds like a useful feature

Cheers,
Mark.