authorMark McLoughlin <markmc@redhat.com>2011-09-03 14:32:35 +0100
committerMark McLoughlin <markmc@redhat.com>2011-09-03 14:32:35 +0100
commit0bcfe0b990fb8df799df2c2bb95f324beeccc974 (patch)
tree8b499a21dfc9fe1f34a90fa48115d75c6e85be0e
parent78a63bcad5f29c8927151556229271668b0f9e2b (diff)
Add iptables filter rules for dnsmasq
On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that DHCP and DNS request packets from the guest get dropped. Add these rules to allow the traffic through: $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-rw-r--r--nova/network/linux_net.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 57c1d0c28..dc0d2caa0 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -511,6 +511,17 @@ def get_dhcp_hosts(context, network_ref):
return '\n'.join(hosts)
+def _add_dnsmasq_accept_rules(dev):
+ """Allow DHCP and DNS traffic through to dnsmasq."""
+ table = iptables_manager.ipv4['filter']
+ for port in [67, 53]:
+ for proto in ['udp', 'tcp']:
+ args = {'dev' : dev, 'port' : port, 'proto' : proto}
+ table.add_rule('INPUT',
+ '-i %(dev)s -p %(proto)s -m %(proto)s '
+ '--dport %(port)s -j ACCEPT' % args)
+ iptables_manager.apply()
+
# NOTE(ja): Sending a HUP only reloads the hostfile, so any
# configuration options (like dchp-range, vlan, ...)
# aren't reloaded.
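Review bot: The rules built in the port/proto loop of `_add_dnsmasq_accept_rules` accept traffic to any host listener on ports 53 and 67 that arrives via `dev`, not just the dnsmasq instance being guarded, because nothing restricts the destination address. If update_dhcp starts dnsmasq with a specific `--listen-address` (its body is outside this hunk), the caller can pass that address in and the rule can be narrowed to `'-i %(dev)s -d %(addr)s -p %(proto)s -m %(proto)s --dport %(port)s -j ACCEPT' % args`, with `addr` added to the function's parameters and the `args` dict. The inner loop also opens TCP/67, which DHCP never uses (RFC 2131 is UDP-only), so the `tcp` case is only needed for port 53, where it still matters for truncated-response retries. Whether repeated calls from update_dhcp accumulate duplicate rules depends on `iptables_manager`'s `add_rule` de-duplicating, which cannot be confirmed from this hunk.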
@@ -565,6 +576,7 @@ def update_dhcp(context, dev, network_ref):
_execute(*cmd, run_as_root=True)
+ _add_dnsmasq_accept_rules(dev)
@utils.synchronized('radvd_start')
def update_ra(context, dev, network_ref):
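Review bot: The new `_add_dnsmasq_accept_rules(dev)` call installs ACCEPT rules every time update_dhcp runs, but nothing in this commit removes them when the dnsmasq for `dev` is stopped, so the holes in nova-network-INPUT outlive the listener they were opened for. A matching `_remove_dnsmasq_accept_rules(dev)` built on the table's `remove_rule` counterpart (assuming iptables_manager provides one) should be invoked from the teardown path that kills dnsmasq. update_dhcp's body starts outside this hunk, so the call's placement relative to the function's error handling cannot be checked here.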