From 763a3678407b244b680fd0bf2c6bcee60e8352c2 Mon Sep 17 00:00:00 2001
From: hua zhang
Date: Wed, 9 May 2012 14:11:00 +0800
Subject: Avoid setting up DHCP firewall rules with FlatManager
Fixes bug #704737
With FlatManager, ensure that the network info's dhcp_server value is not set and use that key to decide in the compute service whether DHCP firewall rules should be added.
Change-Id: I8183a6fa3881adea1a09f3f1a29442e6b7a919ce
---
 nova/virt/libvirt/firewall.py | 13 ++++++++++++-
 nova/virt/libvirt/vif.py | 3 ++-
 2 files changed, 14 insertions(+), 2 deletions(-)
(limited to 'nova/virt')
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index a0644cafc..9cc801cc8 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -101,10 +101,17 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
 LOG.info(_('Ensuring static filters'), instance=instance)
 self._ensure_static_filters()
+ allow_dhcp = False
+ for (network, mapping) in network_info:
+ if mapping['dhcp_server']:
+ allow_dhcp = True
+ break
 if instance['image_ref'] == str(FLAGS.vpn_image_id):
 base_filter = 'nova-vpn'
- else:
+ elif allow_dhcp:
 base_filter = 'nova-base'
+ else:
+ base_filter = 'nova-nodhcp'
 for (network, mapping) in network_info:
 nic_id = mapping['mac'].replace(':', '')
@@ -128,6 +135,10 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
 'no-ip-spoofing',
 'no-arp-spoofing',
 'allow-dhcp-server']))
+ self._define_filter(self._filter_container('nova-nodhcp',
+ ['no-mac-spoofing',
+ 'no-ip-spoofing',
+ 'no-arp-spoofing']))
 self._define_filter(self._filter_container('nova-vpn',
 ['allow-dhcp-server']))
 self._define_filter(self.nova_dhcp_filter)
diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py
index 80b34220d..07ac50520 100644
--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
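Review bot: `mapping['dhcp_server']` in the new loop raises KeyError if a network's mapping carries no such key at all; the commit message only says the value is "not set" for FlatManager, and the network-side change is outside this view, so it is unclear whether the key is always present. `if mapping.get('dhcp_server'):` tolerates both an absent key and a None value, and the same subscript is used in the vif.py hunk. The loop could also be written `allow_dhcp = any(m.get('dhcp_server') for _, m in network_info)`. The enclosing method starts and ends outside the hunk.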
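Review bot: The three anti-spoofing entries for `nova-nodhcp` are a second hand-written copy of what appears to be the `nova-base` list (its first entry is above the hunk), so a protection later added to one can silently be missed in the other, leaving FlatManager instances with a weaker base filter. Building both from one list would avoid that drift, e.g. `spoof_filters = ['no-mac-spoofing', 'no-ip-spoofing', 'no-arp-spoofing']`, with `nova-base` using `spoof_filters + ['allow-dhcp-server']` and `nova-nodhcp` using `spoof_filters`. The enclosing method starts and ends outside the hunk.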
@@ -64,7 +64,8 @@ class LibvirtBridgeDriver(vif.VIFDriver):
 conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id
 conf.add_filter_param("IP", mapping['ips'][0]['ip'])
- conf.add_filter_param("DHCPSERVER", mapping['dhcp_server'])
+ if mapping['dhcp_server']:
+ conf.add_filter_param("DHCPSERVER", mapping['dhcp_server'])
 if FLAGS.use_ipv6:
 conf.add_filter_param("RASERVER",
-- cgit
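Review bot: Omitting DHCPSERVER is decided here per NIC, but firewall.py picks `base_filter` once per instance and takes its `nova-vpn` branch before `allow_dhcp` is consulted, so an interface without a DHCP server can still be attached to a filter chain that includes `allow-dhcp-server`. If that filter references the DHCPSERVER variable (its definition is not shown), libvirt would likely fail to instantiate the filter for that interface. Choosing the base inside firewall.py's per-NIC loop, e.g. `nic_base = base_filter if mapping.get('dhcp_server') else 'nova-nodhcp'`, would keep the two files in agreement; the VPN image case needs its own decision. The enclosing method starts and ends outside the hunk.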