authorGary Kotton <gkotton@redhat.com>2013-02-28 13:33:30 +0000
committerGary Kotton <gkotton@redhat.com>2013-02-28 13:39:47 +0000
commit83e907f5881ba4344162286f190c78be036ba61d (patch)
tree4320d3efd8509243dd5cab1da6838691509560f7
parentf86f9a8cb508da22bf02ac602710bacd8e2c1ff2 (diff)
Ensure that FORWARD rule also supports DHCP
The previous fix only addressed the INPUT rules and not the FORWARD rule. Adds FORWARD rule to ensure that DHCP traffic is forwarded correctly. Fixes bug 1131223 Change-Id: Ie0d365ba1ba1014bdd2bfc944123c17c4e415d6e
-rw-r--r--nova/tests/test_libvirt.py4
-rw-r--r--nova/tests/test_xenapi.py4
-rw-r--r--nova/virt/firewall.py4
3 files changed, 8 insertions, 4 deletions
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index 906ce2f9c..38bb68b67 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -3948,9 +3948,9 @@ class IptablesFirewallTestCase(test.TestCase):
ipv6 = self.fw.iptables.ipv6['filter'].rules
ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
- # Extra rule is for the DHCP request
+ # Extra rules are for the DHCP request
rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
- networks_count) + 1
+ networks_count) + 2
self.assertEquals(ipv4_network_rules, rules)
self.assertEquals(ipv6_network_rules,
ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
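Review bot: The assertion here still checks only the number of IPv4 network rules, so bumping `+ 1` to `+ 2` does not prove that the new rule landed in FORWARD rather than being a second INPUT rule. The same applies to the identical hunk in nova/tests/test_xenapi.py. Consider also asserting on the rule itself, for example by filtering `self.fw.iptables.ipv4['filter'].rules` for entries whose chain is FORWARD and whose text contains `--sport 68 --dport 67`, and expecting exactly one. The comment would be clearer as `# Extra rules are the INPUT and FORWARD accepts for the DHCP request`. The enclosing test method starts and ends outside the hunk.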
diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index 10dc70741..eee9a12d4 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -2068,9 +2068,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
ipv6 = self.fw.iptables.ipv6['filter'].rules
ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
- # Extra rule is for the DHCP request
+ # Extra rules are for the DHCP request
rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
- networks_count) + 1
+ networks_count) + 2
self.assertEquals(ipv4_network_rules, rules)
self.assertEquals(ipv6_network_rules,
ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index d9502ec46..7e133135d 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -201,6 +201,10 @@ class IptablesFirewallDriver(FirewallDriver):
'INPUT',
'-s 0.0.0.0/32 -d 255.255.255.255/32 '
'-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
+ self.iptables.ipv4['filter'].add_rule(
+ 'FORWARD',
+ '-s 0.0.0.0/32 -d 255.255.255.255/32 '
+ '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
self.dhcp_created = True
self.iptables.apply()
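Review bot: The added FORWARD rule has no interface or bridge-port match, so it accepts every UDP 68→67 packet from 0.0.0.0 to 255.255.255.255 that traverses the chain, not only DHCP requests from instance ports. If narrowing it is not practical here, a comment above the call should record that the breadth is intentional, e.g. `# DHCP DISCOVER/REQUEST is sent before the guest has an address; accepted host-wide on purpose`. The rule text is also duplicated verbatim from the INPUT call, so the two can drift apart. Binding it once as `dhcp_rule = '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT'` and adding it with `for chain in ('INPUT', 'FORWARD'): self.iptables.ipv4['filter'].add_rule(chain, dhcp_rule)` keeps both chains in step. The enclosing method begins outside the hunk, so the guard around `self.dhcp_created` is not visible from here.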