Nova should not assume the default iptables INPUT filter policy is accept
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Fix Released
|
Medium
|
Mark McLoughlin | ||
Bug Description
On systems where the default policy for the iptables INPUT filter is DROP, I'm seeing DNS, DHCP and EC2 metadata requests being dropped.
Something similar to:
$> sudo iptables -t filter -A nova-network-INPUT \
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
fixes it for me
To explain fully, this on Fedora where the the default policy is actually ACCEPT but the last rule in the INPUT chain is:
-A INPUT -j REJECT --reject-with icmp-host-
Related branches
- Vish Ishaya (community): Needs Fixing
-
Diff: 157 lines (+84/-2)5 files modifiednova/api/manager.py (+42/-0)
nova/flags.py (+3/-0)
nova/network/linux_net.py (+11/-0)
nova/network/manager.py (+0/-2)
nova/service.py (+28/-0)
- Josh Kearney (community): Approve
- Vish Ishaya (community): Approve
-
Diff: 31 lines (+14/-0)1 file modifiednova/network/linux_net.py (+14/-0)
- OpenStack release team: Pending requested
-
Diff: 38 lines (+14/-1)1 file modifiednova/network/linux_net.py (+14/-1)
| Changed in nova: | |
| assignee: | nobody → Mark McLoughlin (markmc) |
| Changed in nova: | |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Changed in nova: | |
| milestone: | none → 2011.3 |
| status: | In Progress → Fix Committed |
| Changed in nova: | |
| status: | Fix Committed → Fix Released |
