authorMark McLoughlin <markmc@redhat.com>2011-09-20 09:37:07 +0000
committerTarmac <>2011-09-20 09:37:07 +0000
commit086a2184bc29880ce97e826fc43656a7eec54986 (patch)
treec20b26e2cc6d3ad51f41d0bb90aaeb4a05a3bfee
parent0e0a2e7fc8f98c7ef9c85e466dae985e5a529238 (diff)
parenta1229e5dbc3c03887dec49d93f55a0e4f60d96be (diff)
Add iptables filter rules for dnsmasq (lp:844935)
On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that DHCP and DNS request packets from the guest get dropped. Add these rules to allow the traffic through:  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-rwxr-xr-xnova/network/linux_net.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 9bf98fc27..ad7c5776b 100755
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -524,6 +524,18 @@ def get_dhcp_hosts(context, network_ref):
return '\n'.join(hosts)
+def _add_dnsmasq_accept_rules(dev):
+ """Allow DHCP and DNS traffic through to dnsmasq."""
+ table = iptables_manager.ipv4['filter']
+ for port in [67, 53]:
+ for proto in ['udp', 'tcp']:
+ args = {'dev': dev, 'port': port, 'proto': proto}
+ table.add_rule('INPUT',
+ '-i %(dev)s -p %(proto)s -m %(proto)s '
+ '--dport %(port)s -j ACCEPT' % args)
+ iptables_manager.apply()
+
+
def get_dhcp_opts(context, network_ref):
"""Get network's hosts config in dhcp-opts format."""
hosts = []
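Review bot: The ACCEPT rules that `_add_dnsmasq_accept_rules` appends to the filter INPUT chain are never removed, and nothing in the hunk dedupes them, so each `update_dhcp` call for a device adds another copy and the holes remain open after that network's dnsmasq is torn down; if `iptables_manager` offers a `remove_rule` counterpart (not visible here), a matching `_remove_dnsmasq_accept_rules(dev)` driven by the same loop should be called from the dnsmasq kill / network delete path. DHCP is UDP-only, so the `tcp/67` rule produced by the nested loop opens a port nothing listens on; iterating `for port, proto in [(67, 'udp'), (53, 'udp'), (53, 'tcp')]:` keeps the DNS TCP fallback without the extra surface. Consider also scoping the rules with `-d <dnsmasq listen address>` so only the dnsmasq socket, not every host service on those ports, is reachable from the guest bridge. The docstring could say that the rules are needed because the host's INPUT default policy may be DROP, which is the reason given in the commit message but not in the code.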
@@ -616,6 +628,8 @@ def update_dhcp(context, dev, network_ref):
_execute(*cmd, run_as_root=True)
+ _add_dnsmasq_accept_rules(dev)
+
@utils.synchronized('radvd_start')
def update_ra(context, dev, network_ref):