authorroot <root@eng-140.vyatta.com>2008-08-22 13:21:15 -0700
committerroot <root@eng-140.vyatta.com>2008-08-22 13:21:15 -0700
commit065c25acb5c3d10f4015b5bfa181445c3bce901a (patch)
tree5a043317f02d331fdc6db1862d8e09596a78179e /src
parent8237284fe73cc722ad58ebdc47838f7fd4a969d7 (diff)
Partial fix for bug 3332. WLB can now be configured to run without creating implicit source nat rules.
This configuration element applies to the complete wan load balance configuration.
Diffstat (limited to 'src')
-rw-r--r--src/lbdata.hh4
-rw-r--r--src/lbdatafactory.cc10
-rw-r--r--src/lbdatafactory.hh3
-rw-r--r--src/lbdecision.cc22
4 files changed, 30 insertions, 9 deletions
diff --git a/src/lbdata.hh b/src/lbdata.hh
index 5486e8c..8077841 100644
--- a/src/lbdata.hh
+++ b/src/lbdata.hh
@@ -109,7 +109,7 @@ class LBData {
typedef map<string,LBHealth>::iterator InterfaceHealthIter;
typedef map<string,LBHealth>::const_iterator InterfaceHealthConstIter;
- LBData() {}
+ LBData() : _disable_source_nat(false) {}
bool
error() {return false;}
@@ -131,6 +131,8 @@ class LBData {
LBRuleColl _lb_rule_coll;
InterfaceHealthColl _iface_health_coll;
+
+ bool _disable_source_nat;
};
#endif //__LBDATA_HH__
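Review bot: The new member `_disable_source_nat` in the second lbdata.hh hunk is added without a comment, although it decides whether WLB installs any SNAT rules for balanced traffic. The other files in this commit read and write it directly, so it appears to sit in a public section, and a reader of the header gets no hint of what `true` implies. I would document it at the declaration, for example `bool _disable_source_nat; // true: WLB installs no WANLOADBALANCE SNAT rules; NAT for balanced traffic must be configured separately`. The class body starts outside this hunk.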
diff --git a/src/lbdatafactory.cc b/src/lbdatafactory.cc
index bc7d4bc..086beed 100644
--- a/src/lbdatafactory.cc
+++ b/src/lbdatafactory.cc
@@ -118,7 +118,10 @@ LBDataFactory::process(const vector<string> &path, int depth, const string &key,
std::transform(value.begin(), value.end(), std::back_inserter(l_value),
static_cast < int(*)(int) > (std::tolower));
- if (path[0] == "health") {
+ if (path[0] == "disable-source-nat") {
+ process_disablesourcenat(l_key,l_value);
+ }
+ else if (path[0] == "health") {
if (l_key == "interface") {
process_health(l_key,l_value);
}
@@ -151,6 +154,11 @@ LBDataFactory::process(const vector<string> &path, int depth, const string &key,
}
}
+void
+LBDataFactory::process_disablesourcenat(const string &key, const string &value)
+{
+ _lb_data._disable_source_nat = true;
+}
void
LBDataFactory::process_health(const string &key, const string &value)
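Review bot: `process_disablesourcenat` ignores both `key` and `value` and sets `_lb_data._disable_source_nat = true` whenever the node appears, so the outcome does not depend on what the configuration line actually says. If the `disable-source-nat` node can ever carry a value (this hunk does not show the grammar), a negative value would still switch implicit SNAT off, which is the less safe direction for a NAT setting to fail in. Either check the lowered value, e.g. `_lb_data._disable_source_nat = (value != "false");`, or state the contract in a comment such as `// presence of the node alone disables implicit SNAT; key and value are intentionally unused`. The dispatch added in the earlier hunk of this file passes `l_key` and `l_value` through, so the information is available.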
diff --git a/src/lbdatafactory.hh b/src/lbdatafactory.hh
index 2ff0eb1..1f6e0a0 100644
--- a/src/lbdatafactory.hh
+++ b/src/lbdatafactory.hh
@@ -41,6 +41,9 @@ private:
process(const vector<string> &path, int depth, const string &key, const string &value);
void
+ process_disablesourcenat(const string &key, const string &value);
+
+ void
process_health(const string &key, const string &value);
void
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 0f51d84..507d3b5 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -108,11 +108,12 @@ if so then this stuff goes here!
string stdout;
//set up special nat rules
- execute(string("iptables -t nat -N WANLOADBALANCE"), stdout);
- execute(string("iptables -t nat -F WANLOADBALANCE"), stdout);
- execute(string("iptables -t nat -D POSTROUTING -j WANLOADBALANCE"), stdout);
- execute(string("iptables -t nat -A POSTROUTING -j WANLOADBALANCE"), stdout);
-
+ if (lbdata._disable_source_nat == false) {
+ execute(string("iptables -t nat -N WANLOADBALANCE"), stdout);
+ execute(string("iptables -t nat -F WANLOADBALANCE"), stdout);
+ execute(string("iptables -t nat -D POSTROUTING -j WANLOADBALANCE"), stdout);
+ execute(string("iptables -t nat -A POSTROUTING -j WANLOADBALANCE"), stdout);
+ }
//set up the conntrack table
execute(string("iptables -t raw -N NAT_CONNTRACK"), stdout);
execute(string("iptables -t raw -F NAT_CONNTRACK"), stdout);
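Review bot: When `lbdata._disable_source_nat` is true, this setup path no longer touches the `WANLOADBALANCE` chain at all. A chain and `POSTROUTING` jump left over from an earlier run with source NAT enabled would therefore stay active, unless `shutdown()` is guaranteed to have run in between; that is not visible from this hunk. The result would be a system configured as "no implicit SNAT" that still rewrites source addresses. An else branch that clears the old state closes the gap: `else { execute(string("iptables -t nat -F WANLOADBALANCE"), stdout); execute(string("iptables -t nat -D POSTROUTING -j WANLOADBALANCE"), stdout); }`. As a matter of style, `if (!lbdata._disable_source_nat)` reads better than the comparison with `false`, here and in the hunk at line 144. The enclosing function begins and ends outside this hunk.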
@@ -143,8 +144,10 @@ if so then this stuff goes here!
char hex_buf[40];
sprintf(hex_buf,"%X",ct);
execute(string("ip rule add fwmark ") + hex_buf + " table " + buf, stdout);
-
- execute(string("iptables -t nat -A WANLOADBALANCE -m connmark --mark ") + buf + " -j SNAT --to-source " + fetch_iface_addr(iface), stdout);
+
+ if (lbdata._disable_source_nat == false) {
+ execute(string("iptables -t nat -A WANLOADBALANCE -m connmark --mark ") + buf + " -j SNAT --to-source " + fetch_iface_addr(iface), stdout);
+ }
++ct;
++iter;
@@ -261,6 +264,11 @@ LBDecision::shutdown()
//then if we do, flush all
execute("iptables -t mangle -F PREROUTING", stdout);
+ //clear out nat as well
+ execute("iptables -t nat -F WANLOADBALANCE", stdout);
+ execute("iptables -t nat -D POSTROUTING -j WANLOADBALANCE", stdout);
+
+
//remove the policy entries
InterfaceMarkIter iter = _iface_mark_coll.begin();
while (iter != _iface_mark_coll.end()) {
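Review bot: The new nat cleanup in `shutdown()` runs regardless of `_disable_source_nat`, so when source NAT was disabled and the chain was never created, both `iptables` calls fail and the result is not inspected here. How `execute` reports failure is not visible in this hunk, so a comment would help, for example `//both commands fail harmlessly when disable-source-nat is set and the chain does not exist`. The cleanup also flushes the chain and removes the jump but leaves the empty `WANLOADBALANCE` chain in the nat table. Adding `execute("iptables -t nat -X WANLOADBALANCE", stdout);` after the `-D` line would remove it, so a later audit of the rule set does not find a leftover chain. The body of `shutdown()` continues past the end of this hunk.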