From 0bcfe0b990fb8df799df2c2bb95f324beeccc974 Mon Sep 17 00:00:00 2001 From: Mark McLoughlin Date: Sat, 3 Sep 2011 14:32:35 +0100 Subject: Add iptables filter rules for dnsmasq On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that DHCP and DNS request packets from the guest get dropped. Add these rules to allow the traffic through: $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT --- nova/network/linux_net.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py index 57c1d0c28..dc0d2caa0 100644 --- a/nova/network/linux_net.py +++ b/nova/network/linux_net.py @@ -511,6 +511,17 @@ def get_dhcp_hosts(context, network_ref): return '\n'.join(hosts) +def _add_dnsmasq_accept_rules(dev): + """Allow DHCP and DNS traffic through to dnsmasq.""" + table = iptables_manager.ipv4['filter'] + for port in [67, 53]: + for proto in ['udp', 'tcp']: + args = {'dev' : dev, 'port' : port, 'proto' : proto} + table.add_rule('INPUT', + '-i %(dev)s -p %(proto)s -m %(proto)s ' + '--dport %(port)s -j ACCEPT' % args) + iptables_manager.apply() + # NOTE(ja): Sending a HUP only reloads the hostfile, so any # configuration options (like dchp-range, vlan, ...) # aren't reloaded. @@ -565,6 +576,7 @@ def update_dhcp(context, dev, network_ref): _execute(*cmd, run_as_root=True) + _add_dnsmasq_accept_rules(dev) @utils.synchronized('radvd_start') def update_ra(context, dev, network_ref): -- cgit From a1229e5dbc3c03887dec49d93f55a0e4f60d96be Mon Sep 17 00:00:00 2001 
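Review bot: `_add_dnsmasq_accept_rules` only ever adds rules; nothing in this commit removes the four ACCEPT entries for `dev` again, so a bridge whose dnsmasq has been stopped keeps an open INPUT path to ports 67 and 53 until the manager's rule list is rebuilt, and a teardown path (if one exists elsewhere in linux_net.py, which I cannot see from here) should call the matching `table.remove_rule(...)`. The tcp/67 rule has no DHCP use, DHCP being UDP-only, so `for proto in ['udp', 'tcp']` widens INPUT on the bridge for no benefit and could be limited to udp for port 67, keeping TCP only for DNS on 53. Whether repeated `update_dhcp` calls stack duplicate rules depends on `IptablesTable.add_rule`/`apply` de-duplicating, which is outside the hunk and worth confirming. The docstring could state the contract with a line such as `Rules are limited to interface *dev*; callers must remove them when dnsmasq for that network is killed.`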
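Review bot: The new `_add_dnsmasq_accept_rules(dev)` call sits after the `_execute` that starts dnsmasq, at the very end of `update_dhcp`, whose body begins outside the hunk; the NOTE(ja) comment in the previous hunk suggests an earlier branch that merely HUPs a running dnsmasq, and if that branch returns before this point the ACCEPT rules are never (re)added on that path — for example after a nova-network restart, when the manager's in-memory rule set is empty but dnsmasq is still running. If that inference holds, moving the call to the top of `update_dhcp`, ahead of any early return, keeps the filter rules in step with the running daemon: `_add_dnsmasq_accept_rules(dev)` as the first statement, with the trailing call removed.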
From: Mark McLoughlin Date: Sat, 17 Sep 2011 08:28:16 +0100 Subject: Fix pep8 issues --- nova/network/linux_net.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py index 577a98c84..f87307651 100755 --- a/nova/network/linux_net.py +++ b/nova/network/linux_net.py @@ -529,7 +529,7 @@ def _add_dnsmasq_accept_rules(dev): table = iptables_manager.ipv4['filter'] for port in [67, 53]: for proto in ['udp', 'tcp']: - args = {'dev' : dev, 'port' : port, 'proto' : proto} + args = {'dev': dev, 'port': port, 'proto': proto} table.add_rule('INPUT', '-i %(dev)s -p %(proto)s -m %(proto)s ' '--dport %(port)s -j ACCEPT' % args) @@ -627,6 +627,7 @@ def update_dhcp(context, dev, network_ref): _add_dnsmasq_accept_rules(dev) + @utils.synchronized('radvd_start') def update_ra(context, dev, network_ref): conffile = _ra_file(dev, 'conf') -- cgit