From 83e907f5881ba4344162286f190c78be036ba61d Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Thu, 28 Feb 2013 13:33:30 +0000
Subject: Ensure that FORWARD rule also supports DHCP
The previous fix only addressed the INPUT rules and not the FORWARD rule. Adds FORWARD rule to ensure that DHCP traffic is forwarded correctly.
Fixes bug 1131223
Change-Id: Ie0d365ba1ba1014bdd2bfc944123c17c4e415d6e
---
 nova/tests/test_libvirt.py | 4 ++--
 nova/tests/test_xenapi.py | 4 ++--
 nova/virt/firewall.py | 4 ++++
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index 906ce2f9c..38bb68b67 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -3948,9 +3948,9 @@ class IptablesFirewallTestCase(test.TestCase):
 ipv6 = self.fw.iptables.ipv6['filter'].rules
 ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
 ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
- # Extra rule is for the DHCP request
+ # Extra rules are for the DHCP request
 rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
- networks_count) + 1
+ networks_count) + 2
 self.assertEquals(ipv4_network_rules, rules)
 self.assertEquals(ipv6_network_rules,
 ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index 10dc70741..eee9a12d4 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
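Review bot: The updated expectation `networks_count) + 2` still checks only how many IPv4 network rules exist, so it would pass equally if the second DHCP rule landed in the wrong chain or carried the wrong match; the same applies to the identical hunk in nova/tests/test_xenapi.py. Since the point of the commit is that the FORWARD chain accepts the DHCP request, an assertion that one of the entries in `ipv4` targets FORWARD with `--sport 68 --dport 67` would pin that behaviour. The comment could also name both chains, e.g. `# Extra rules: DHCP request ACCEPT in INPUT and in FORWARD`. The test method starts outside the hunk.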
@@ -2068,9 +2068,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
 ipv6 = self.fw.iptables.ipv6['filter'].rules
 ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
 ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
- # Extra rule is for the DHCP request
+ # Extra rules are for the DHCP request
 rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
- networks_count) + 1
+ networks_count) + 2
 self.assertEquals(ipv4_network_rules, rules)
 self.assertEquals(ipv6_network_rules,
 ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index d9502ec46..7e133135d 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -201,6 +201,10 @@ class IptablesFirewallDriver(FirewallDriver):
 'INPUT',
 '-s 0.0.0.0/32 -d 255.255.255.255/32 '
 '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
+ self.iptables.ipv4['filter'].add_rule(
+ 'FORWARD',
+ '-s 0.0.0.0/32 -d 255.255.255.255/32 '
+ '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
 self.dhcp_created = True
 self.iptables.apply()
-- cgit
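Review bot: The added FORWARD rule in nova/virt/firewall.py carries no interface or bridge match, so any forwarded packet with source 0.0.0.0, destination 255.255.255.255 and UDP 68 to 67 is accepted in the shared FORWARD chain, whichever instance or segment it came from. The match is narrow, but this ACCEPT presumably sits outside the per-instance chains, so the intent should be recorded next to it, e.g. `# Accept DHCP requests from instances that have no address yet; deliberately not scoped to an interface`, or the rule scoped if the driver knows the bridge at this point (not visible in the hunk). The rule spec is now duplicated verbatim for INPUT and FORWARD. Binding it once, `dhcp_req = ('-s 0.0.0.0/32 -d 255.255.255.255/32 ' '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')`, and passing `dhcp_req` to both `add_rule` calls would keep the two chains from drifting apart. The enclosing method and the INPUT `add_rule(` call start outside the hunk.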