authorGary Kotton <gkotton@redhat.com>2013-02-21 13:43:10 +0000
committerGary Kotton <gkotton@redhat.com>2013-02-22 13:46:03 +0000
commit81476d70c406d1b95a82df3dcaec64045fd68d20 (patch)
treefe2c7e340f23de98b3a3bbc222a673d86ac109a1
parenta42845e455c74f41852babbbd09a3514021ea71d (diff)
Enable VM DHCP request to reach DHCP agent
When using the IptablesFirewallDriver firewall driver and the default INPUT and FORWARD rules are DISCARD, the DHCP request from the VM is discarded before it reaches dnsmasq. A new rule is added that enables DHCP requests to pass. This fixes bug 1131223. Change-Id: I50fad5b63c3c4b22a5d828e3e89353c1ed723332
-rw-r--r--nova/tests/test_libvirt.py6
-rw-r--r--nova/tests/test_xenapi.py6
-rw-r--r--nova/virt/firewall.py12
3 files changed, 20 insertions, 4 deletions
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index b1135902d..1e9b44eb9 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -3908,8 +3908,10 @@ class IptablesFirewallTestCase(test.TestCase):
ipv6 = self.fw.iptables.ipv6['filter'].rules
ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
- self.assertEquals(ipv4_network_rules,
- ipv4_rules_per_addr * ipv4_addr_per_network * networks_count)
+ # Extra rule is for the DHCP request
+ rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
+ networks_count) + 1
+ self.assertEquals(ipv4_network_rules, rules)
self.assertEquals(ipv6_network_rules,
ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
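Review bot: `self.assertEquals` on the rewritten assertion line is the deprecated alias of `assertEqual`, and the same spelling is repeated in the parallel hunk in nova/tests/test_xenapi.py; since these lines are being rewritten anyway, `self.assertEquals(ipv4_network_rules, rules)` could become `self.assertEqual(ipv4_network_rules, rules)` (the untouched IPv6 assertion can stay as it is). The comment `# Extra rule is for the DHCP request` would be clearer if it said why exactly one rule is added independent of networks_count, e.g. `# +1 for the single host-level INPUT rule that accepts DHCP requests; it is installed once, not per network`, which presumably reflects the dhcp_created guard in nova/virt/firewall.py and should be checked against it. The enclosing test method starts outside the hunk.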
diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index 84c3caa63..10dc70741 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -2068,8 +2068,10 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
ipv6 = self.fw.iptables.ipv6['filter'].rules
ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
- self.assertEquals(ipv4_network_rules,
- ipv4_rules_per_addr * ipv4_addr_per_network * networks_count)
+ # Extra rule is for the DHCP request
+ rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
+ networks_count) + 1
+ self.assertEquals(ipv4_network_rules, rules)
self.assertEquals(ipv6_network_rules,
ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index a36beb7f0..d9502ec46 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -149,6 +149,10 @@ class IptablesFirewallDriver(FirewallDriver):
self.network_infos = {}
self.basically_filtered = False
+ # Flags for DHCP request rule
+ self.dhcp_create = False
+ self.dhcp_created = False
+
self.iptables.ipv4['filter'].add_chain('sg-fallback')
self.iptables.ipv4['filter'].add_rule('sg-fallback', '-j DROP')
self.iptables.ipv6['filter'].add_chain('sg-fallback')
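Review bot: The comment `# Flags for DHCP request rule` does not say what distinguishes the two flags, and the names dhcp_create and dhcp_created differ by one letter, so a reader has to locate both use sites to tell them apart. A comment such as `# dhcp_create: a DHCP-served network was seen while building instance rules; dhcp_created: the host-level INPUT accept rule has been installed (once per driver instance)` would help; the second half is inferred from the later hunks in this file and should be confirmed. Names like dhcp_rule_needed / dhcp_rule_installed would be harder to confuse if a rename is acceptable. The enclosing __init__ starts outside the hunk.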
@@ -191,6 +195,13 @@ class IptablesFirewallDriver(FirewallDriver):
LOG.debug(_('Filters added to instance'), instance=instance)
self.refresh_provider_fw_rules()
LOG.debug(_('Provider Firewall Rules refreshed'), instance=instance)
+ # Ensure that DHCP request rule is updated if necessary
+ if (self.dhcp_create and not self.dhcp_created):
+ self.iptables.ipv4['filter'].add_rule(
+ 'INPUT',
+ '-s 0.0.0.0/32 -d 255.255.255.255/32 '
+ '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
+ self.dhcp_created = True
self.iptables.apply()
def _create_filter(self, ips, chain_name):
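Review bot: The INPUT rule added in the new block matches only packets sourced from 0.0.0.0/32, so a guest renewing an existing lease (a unicast DHCPREQUEST from its assigned address to the server) does not match it and, under a default DROP policy, would presumably still be discarded unless another rule accepts it — worth confirming against the dnsmasq-related rules the network code installs. The rule is also not bound to an interface, so it accepts DHCP traffic to the host on every interface rather than only the guest bridge; if the bridge device is available here, adding `-i <BRIDGE_DEVICE_PLACEHOLDER>` keeps dnsmasq exposed only on the guest side. As far as this diff shows nothing clears dhcp_created, so the rule is installed once per driver instance and left in place; that is reasonable for a host-level rule but should be stated, e.g. `# Host-level rule, installed once and left in place; it is not removed when instance filters are removed`. The redundant parentheses in `if (self.dhcp_create and not self.dhcp_created):` can be dropped. The enclosing method starts outside the hunk.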
@@ -272,6 +283,7 @@ class IptablesFirewallDriver(FirewallDriver):
if dhcp_server:
ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
'-j ACCEPT' % (dhcp_server,))
+ self.dhcp_create = True
def _do_project_network_rules(self, ipv4_rules, ipv6_rules, network_info):
# make sure this is legacy nw_info
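Review bot: Setting `self.dhcp_create = True` here gives a per-instance rule builder driver-wide state, and nothing at this site says where the flag is consumed, so the link to the INPUT rule added in the apply path is easy to miss. A one-line comment would make the side effect explicit: `# Also request the host-level INPUT accept for DHCP requests; it is installed once when filters are applied`. The enclosing method starts outside the hunk.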