DHCP/BOOTP Request messages from VM are dropped in firewall protected host machine

It is true nova-network expects to have open firewall rules. A more general one that will also work with vlan mode is:
-A services -p udp -m udp --sport 68 --dport 67 -j ACCEPT

Perhaps we should just be adding this rule always on the network host in case the default rules are configured to block unknown traffic?

s/services/INPUT

Hi

I think I found correct place for adding the rule in ensure_bridge function in the file.
linux_net.py

-A nova-compute-INPUT -i br100 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT

Please find the patch attachment that contains the modified file linux_net.py
to fix the bug

Letme know if placement of rule needs to be changed

Regards
Devendra

I would suggest something like this instead:

=== modified file 'nova/network/linux_net.py'
--- nova/network/linux_net.py 2011-06-03 22:58:41 +0000
+++ nova/network/linux_net.py 2011-06-03 23:53:30 +0000
@@ -508,6 +508,9 @@
         if(FLAGS.public_interface == bridge):
             _execute('sudo', 'ip', 'link', 'set',
                      'dev', bridge, 'promisc', 'on')
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '--in-interface %s -p udp -m udp --sport 68 --dport 67 '
+ '-j ACCEPT' % bridge)
     if interface:
         # NOTE(vish): This will break if there is already an ip on the
         # interface, so we move any ips to the bridge

sigh, it cut the spaces out of that patch, should be aligned with the if above

@Vish Ishaya

1) I believe there must be a reason why u suggested to add the
    rule after checking if(FLAGS.public_interface == bridge):

    But that fix isn't working in my setup.
   The reason, I suppose is because, in my setup public interface is eth2. But the bridge
   br100 is connected to eth0, which isn't public interface and hence the rule is not getting
   added to firewall rules.

2) Also please let me know is there any issue, with the patch I suggested where the rule is added
   along with other rules
   -A nova-compute-FORWARD -i br100 -j ACCEPT
   -A nova-compute-FORWARD -o br100 -j ACCEPT
   Does this have any repurcussions somewhere else or is there any chance of duplicate addition of same rule?
  If the reason is chance of repeated addition of rule(the new rule which we should add), whenever ensure_bridge is called,
  doesn't same applies to above rules as well.

Thanks for your time in replying this.

Regards
Devendra

sorry i think you misunderstood the placement of my code. It is aligned with the if regarding public interface, not inside of it. The issue I have with your placement is that you are adding exceptions for dhcp to compute and network in both directions. There is already an exception from compute in the nwfilter rules, so we only need to add the rule for nova network. The if net_attrs: code block only runs on the network host so the rule should be added there, and it only needs the s68 d67.

got it .. Thank you

@Devendra: interested in proposing an updated patch for merging into Nova code ?

If still required, patch needs to be updated to match current code.

Fix proposed to branch: master
Review: https://review.openstack.org/7784