author | Gary Kotton <gkotton@redhat.com> | 2013-02-28 13:33:30 +0000 |
---|---|---|
committer | Gary Kotton <gkotton@redhat.com> | 2013-02-28 13:39:47 +0000 |
commit | 83e907f5881ba4344162286f190c78be036ba61d (patch) | |
tree | 4320d3efd8509243dd5cab1da6838691509560f7 | |
parent | f86f9a8cb508da22bf02ac602710bacd8e2c1ff2 (diff) | |
Ensure that FORWARD rule also supports DHCP
The previous fix only addressed the INPUT rules and not the
FORWARD rule.
Adds FORWARD rule to ensure that DHCP traffic is forwarded correctly.
Fixes bug 1131223
Change-Id: Ie0d365ba1ba1014bdd2bfc944123c17c4e415d6e
-rw-r--r-- | nova/tests/test_libvirt.py | 4 | ||||
-rw-r--r-- | nova/tests/test_xenapi.py | 4 | ||||
-rw-r--r-- | nova/virt/firewall.py | 4 |
3 files changed, 8 insertions, 4 deletions
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py index 906ce2f9c..38bb68b67 100644 --- a/nova/tests/test_libvirt.py +++ b/nova/tests/test_libvirt.py @@ -3948,9 +3948,9 @@ class IptablesFirewallTestCase(test.TestCase): ipv6 = self.fw.iptables.ipv6['filter'].rules ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len - # Extra rule is for the DHCP request + # Extra rules are for the DHCP request rules = (ipv4_rules_per_addr * ipv4_addr_per_network * - networks_count) + 1 + networks_count) + 2 self.assertEquals(ipv4_network_rules, rules) self.assertEquals(ipv6_network_rules, ipv6_rules_per_addr * ipv6_addr_per_network * networks_count) diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py index 10dc70741..eee9a12d4 100644 --- a/nova/tests/test_xenapi.py +++ b/nova/tests/test_xenapi.py @@ -2068,9 +2068,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase): ipv6 = self.fw.iptables.ipv6['filter'].rules ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len - # Extra rule is for the DHCP request + # Extra rules are for the DHCP request rules = (ipv4_rules_per_addr * ipv4_addr_per_network * - networks_count) + 1 + networks_count) + 2 self.assertEquals(ipv4_network_rules, rules) self.assertEquals(ipv6_network_rules, ipv6_rules_per_addr * ipv6_addr_per_network * networks_count) diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py index d9502ec46..7e133135d 100644 --- a/nova/virt/firewall.py +++ b/nova/virt/firewall.py @@ -201,6 +201,10 @@ class IptablesFirewallDriver(FirewallDriver): 'INPUT', '-s 0.0.0.0/32 -d 255.255.255.255/32 ' '-p udp -m udp --sport 68 --dport 67 -j ACCEPT') + self.iptables.ipv4['filter'].add_rule( + 'FORWARD', + '-s 0.0.0.0/32 -d 255.255.255.255/32 ' + '-p udp -m udp --sport 68 --dport 67 -j ACCEPT') self.dhcp_created = True self.iptables.apply() |
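Review bot: The updated expectation `networks_count) + 2` in IptablesFirewallTestCase only counts rules, so it would still pass if the second DHCP rule ended up in the wrong chain or with a different match; the identical hunk in nova/tests/test_xenapi.py has the same gap. Because this is a firewall ACCEPT rule, I would also assert that one of the ipv4 filter rules targets FORWARD and carries `--sport 68 --dport 67`, and make the comment name both rules, e.g. `# Extra rules: DHCP request ACCEPT on INPUT and on FORWARD`. The test method starts and ends outside the hunk, so the rule attributes to check need confirming against the rule objects.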
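Review bot: The new FORWARD rule in IptablesFirewallDriver has no interface match, so it accepts any UDP packet from 0.0.0.0 port 68 to 255.255.255.255 port 67 that traverses the chain, not only traffic on instance-facing bridges. If the bridge or DHCP-serving interface is known at this point, scope the rule to it; otherwise add a comment saying the rule is deliberately global, such as `# DHCP requests are broadcast from 0.0.0.0; allow them on FORWARD as well as INPUT (bug 1131223)`. The match string is also duplicated verbatim from the INPUT rule above, and a loop would keep the two from drifting: `for chain in ('INPUT', 'FORWARD'):` then `self.iptables.ipv4['filter'].add_rule(chain, dhcp_match)`, where `dhcp_match` is a new local holding the shared string. The enclosing method begins outside the hunk.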