Merge lp:~vishvananda/nova/dnsmasq-accept-rules-ms into lp:~hudson-openstack/nova/milestone-proposed

Proposed by Vish Ishaya
Status: Merged
Approved by: Vish Ishaya
Approved revision: 1193
Merged at revision: 1191
Proposed branch: lp:~vishvananda/nova/dnsmasq-accept-rules-ms
Merge into: lp:~hudson-openstack/nova/milestone-proposed
Diff against target: 38 lines (+14/-1)
1 file modified
nova/network/linux_net.py (+14/-1)
To merge this branch: bzr merge lp:~vishvananda/nova/dnsmasq-accept-rules-ms
Reviewer Review Type Date Requested Status
OpenStack release team Pending
Review via email: mp+76175@code.launchpad.net

Description of the change

Add iptables filter rules for dnsmasq (lp:844935)

On Fedora, the default policy for the INPUT chain in the filter table
is DROP. This means that DHCP and DNS request packets from the guest
get dropped.

Add these rules to allow the traffic through:

 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
 $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
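A verification helper added here as an example; it is not part of this merge proposal or of nova itself. It takes the text of an `iptables-save` dump and reports which of the four accept rules listed above are missing from the nova-network-INPUT chain for a given bridge, so an operator on a host whose INPUT policy is DROP can confirm the fix actually landed. The two sample dumps are constructed for the example, not captured from a real system.

```shell
# Added verification helper; not part of the merge proposal or of nova.
# Given a bridge name and the text of an `iptables-save` dump, print
# each of the four dnsmasq accept rules that is absent from the
# nova-network-INPUT chain. Returns 0 only when all four are present.
check_dnsmasq_rules() {
    dev="$1"
    dump="$2"
    missing=0
    for port in 67 53; do
        for proto in udp tcp; do
            # iptables-save renders a rule in the same form it was added with.
            rule="-A nova-network-INPUT -i $dev -p $proto -m $proto --dport $port -j ACCEPT"
            if ! printf '%s\n' "$dump" | grep -qxF -- "$rule"; then
                echo "missing: $rule"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample dumps (not captured from a real host): one complete,
# one lacking the 53/tcp rule.
COMPLETE_DUMP='*filter
:INPUT DROP [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT'

PARTIAL_DUMP='*filter
:INPUT DROP [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

check_dnsmasq_rules br0 "$COMPLETE_DUMP" && echo "br0: all dnsmasq accept rules present"
check_dnsmasq_rules br0 "$PARTIAL_DUMP" || echo "br0: dnsmasq accept rules incomplete"
```

On a live host the dump comes from `iptables-save -t filter`, run as root; the helper itself needs no privileges, which makes it usable from a read-only audit job.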


Preview Diff

1=== modified file 'nova/network/linux_net.py'
2--- nova/network/linux_net.py 2011-09-19 22:05:27 +0000
3+++ nova/network/linux_net.py 2011-09-20 09:59:25 +0000
4@@ -554,6 +554,18 @@
5 utils.execute('dhcp_release', dev, address, mac_address, run_as_root=True)
6
7
8+def _add_dnsmasq_accept_rules(dev):
9+ """Allow DHCP and DNS traffic through to dnsmasq."""
10+ table = iptables_manager.ipv4['filter']
11+ for port in [67, 53]:
12+ for proto in ['udp', 'tcp']:
13+ args = {'dev': dev, 'port': port, 'proto': proto}
14+ table.add_rule('INPUT',
15+ '-i %(dev)s -p %(proto)s -m %(proto)s '
16+ '--dport %(port)s -j ACCEPT' % args)
17+ iptables_manager.apply()
18+
19+
20 # NOTE(ja): Sending a HUP only reloads the hostfile, so any
21 # configuration options (like dchp-range, vlan, ...)
22 # aren't reloaded.
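Review bot: the 67/tcp rule produced by `for port in [67, 53]:` combined with `for proto in ['udp', 'tcp']:` is dead: DHCP (BOOTP) runs over UDP only, so dnsmasq never listens on 67/tcp, while DNS does need both protocols. Iterating over explicit pairs, e.g. `for proto, port in [('udp', 67), ('udp', 53), ('tcp', 53)]:`, keeps the accept list punched into a default-DROP INPUT chain as narrow as the service actually needs.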
23@@ -616,6 +628,8 @@
24
25 _execute(*cmd, run_as_root=True)
26
27+ _add_dnsmasq_accept_rules(dev)
28+
29
30 @utils.synchronized('radvd_start')
31 def update_ra(context, dev, network_ref):
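Review bot: `_add_dnsmasq_accept_rules(dev)` is placed directly after `_execute(*cmd, run_as_root=True)`, so it runs every time this code path restarts dnsmasq, and there is no matching removal anywhere in the diff for when the network or its dnsmasq instance is torn down. Confirm that `iptables_manager` collapses identical rules on `apply()`; otherwise the chain grows by one set of accept rules per restart. Either way, a `remove_rule` counterpart in the teardown path would stop the accept rules from outliving the bridge they were opened for.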
32@@ -824,7 +838,6 @@
33 raise NotImplementedError()
34
35
36-
37 # plugs interfaces using Linux Bridge
38 class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
39
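Review bot: this hunk only deletes a blank line above the `# plugs interfaces using Linux Bridge` comment and is unrelated to the dnsmasq change; for a merge into milestone-proposed it is cleaner to leave cosmetic whitespace out so the diff stays limited to the bug fix.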
