[openstack-nova] Add iptables rules to allow requests to dnsmasq (#734347)
Mark McLoughlin
markmc at fedoraproject.org
Sat Sep 3 13:47:35 UTC 2011
commit cf0ea93277ee4db53e2dfc906c09de267fb2093b
Author: Mark McLoughlin <markmc at redhat.com>
Date: Sat Sep 3 14:10:33 2011 +0100
Add iptables rules to allow requests to dnsmasq (#734347)
nova-add-filter-rules-for-dnsmasq-dhcp.patch | 51 ++++++++++++++++++++++++++
openstack-nova.spec | 7 +++-
2 files changed, 57 insertions(+), 1 deletions(-)
---
diff --git a/nova-add-filter-rules-for-dnsmasq-dhcp.patch b/nova-add-filter-rules-for-dnsmasq-dhcp.patch
new file mode 100644
index 0000000..af1040f
--- /dev/null
+++ b/nova-add-filter-rules-for-dnsmasq-dhcp.patch
@@ -0,0 +1,51 @@
+From: Mark McLoughlin <markmc at redhat.com>
+Subject: [PATCH] Add iptables filter rules for dnsmasq
+
+On Fedora, the default policy for the INPUT chain in the filter table
+is DROP. This means that DHCP and DNS request packets from the guest
+get dropped.
+
+Add these rules to allow the traffic through:
+
+ $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
+ $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
+ $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
+ $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
+
+---
+ nova/network/linux_net.py | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
+index 57c1d0c..1e9e1fd 100644
+--- a/nova/network/linux_net.py
++++ b/nova/network/linux_net.py
+@@ -511,6 +511,17 @@ def get_dhcp_hosts(context, network_ref):
+ return '\n'.join(hosts)
+
+
++def _add_dnsmasq_accept_rules(dev):
++ """Allow DHCP and DNS traffic through to dnsmasq."""
++ table = iptables_manager.ipv4['filter']
++ for port in [67, 53]:
++ for proto in ['udp', 'tcp']:
++ args = {'dev' : dev, 'port' : port, 'proto' : proto}
++ table.add_rule('INPUT',
++ '-i %(dev)s -p %(proto)s -m %(proto)s '
++ '--dport %(port)s -j ACCEPT' % args)
++ iptables_manager.apply()
++
+ # NOTE(ja): Sending a HUP only reloads the hostfile, so any
+ # configuration options (like dchp-range, vlan, ...)
+ # aren't reloaded.
+@@ -565,6 +576,7 @@ def update_dhcp(context, dev, network_ref):
+
+ _execute(*cmd, run_as_root=True)
+
++ _add_dnsmasq_accept_rules(dev)
+
+ @utils.synchronized('radvd_start')
+ def update_ra(context, dev, network_ref):
+--
+1.7.4.4
+
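Review bot: The nested loops at `for port in [67, 53]` / `for proto in ['udp', 'tcp']` also open TCP port 67, but DHCP is UDP-only, so that ACCEPT admits traffic dnsmasq is not expected to serve and widens the host's exposure on the bridge for no benefit. Iterating explicit pairs keeps the opening to what is actually needed: `for proto, port in [('udp', 67), ('udp', 53), ('tcp', 53)]:` with the inner loop removed. Separately, `_add_dnsmasq_accept_rules(dev)` is called from `update_dhcp`, which appears to run on every DHCP refresh, so unless `iptables_manager.add_rule` deduplicates, the same rules will accumulate on each call; that behaviour lives in the manager, outside this patch, and is worth confirming. The commit message shows the rules in `nova-network-INPUT` while the code passes `'INPUT'`; if the manager maps the chain name, a one-line comment saying so would save the next reader the same question. The `update_dhcp` body starts outside the hunk.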
diff --git a/openstack-nova.spec b/openstack-nova.spec
index d2498c8..1583e76 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -4,7 +4,7 @@
Name: openstack-nova
Version: 2011.3
-Release: 0.6.%{milestone}%{?dist}
+Release: 0.7.%{milestone}%{?dist}
Summary: OpenStack Compute (nova)
Group: Applications/System
@@ -31,6 +31,7 @@ Source22: nova-ifc-template
Patch1: nova-fix-flavorid-migration-failure.patch
Patch2: nova-fix-quotas-migration-failure.patch
Patch3: nova-do-not-require-bridge_interface-for-flatdhcpmanager.patch
+Patch4: nova-add-filter-rules-for-dnsmasq-dhcp.patch
BuildArch: noarch
BuildRequires: intltool
@@ -161,6 +162,7 @@ This package contains documentation files for nova.
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
find . \( -name .gitignore -o -name .placeholder \) -delete
@@ -348,6 +350,9 @@ fi
%endif
%changelog
+* Sat Sep 3 2011 Mark McLoughlin <markmc at redhat.com> - 2011.3-0.7.d4
+- Add iptables rules to allow requests to dnsmasq (#734347)
+
* Wed Aug 31 2011 Angus Salkeld <asalkeld at redhat.com> - 2011.3-0.6.d4
- Add the one man page provided by nova.
- Start services with --flagfile rather than --flag-file (#735070)