Fuel for OpenStack

[vbox] Failure on Mac 10.8.4: pf rules must be in order

Bug #1452901 reported by Mike Scherbakov on 2015-05-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Won't Fix	Critical	Serhii Ovsianikov	Fuel for OpenStack 6.1

Bug Description

Running latest version of vbox scripts from fuel-main repo (Mac 10.8.4):

Verifying interface vboxnet3 has IP 172.16.1.1 and mask 255.255.255.0 properly set.
OK.
To configure NAT and Firewall, the script requires the sudo password
Password:

Setting up masquerading configuration...
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:25: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

Tags:

Mike Scherbakov (mihgen) on 2015-05-07

Changed in fuel:
milestone:	none → 6.1
importance:	Undecided → Critical

Miroslav Anashkin (manashkin) on 2015-05-07

Changed in fuel:
assignee:	nobody → Serhiy Ovsianikov (sovsianikov)
status:	New → Confirmed

Revision history for this message

Serhii Ovsianikov (sovsianikov) wrote on 2015-05-07:

Mike, could you please provide us your /etc/pf.conf

Revision history for this message

Mike Scherbakov (mihgen) wrote on 2015-05-07:

My pf.conf:
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
nat on en0 inet from ! (en0) to any -> (en0)
pass in on vboxnet0
pass in on vboxnet1
pass in on vboxnet2
pass in on vboxnet3

Revision history for this message

Serhii Ovsianikov (sovsianikov) wrote on 2015-05-07:

Mike, could you please clarify which option you have selected: yes or no?

If you have selected option ”no" then please remove following rules of of /etc/pf.conf:
nat on en0 inet from ! (en0) to any -> (en0)
pass in on vboxnet0
pass in on vboxnet1
pass in on vboxnet2
pass in on vboxnet3
then please execute this script again (launch.sh) and select option: "yes"

The following rule "nat on en0 inet from ! (en0) to any -> (en0)" should be added after the rule "dummynet-anchor "com.apple/*"". The other rules "pass in on vboxnet*" should be added to the end, after all rules.

In case, if /etс/pf.conf includes default rules, the script automatically does everything.

I’m going to update the list of rules to avoid misunderstanding in future.

Serhii Ovsianikov (sovsianikov) on 2015-05-08

Changed in fuel:
status:	Confirmed → In Progress

Revision history for this message

Mike Scherbakov (mihgen) wrote on 2015-05-13:

We need to revert commit introducing pf-manipulations, and close this bug as Invalid after that.

tags:

added: non-release

Revision history for this message

Mike Scherbakov (mihgen) wrote on 2015-05-15:

Closed as issue was fixed by using other implementation: https://review.openstack.org/#/c/119717/

Changed in fuel:
status:	In Progress → Won't Fix

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.