DHCP/BOOTP Request messages from VM are dropped in firewall protected host machine
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Confirmed | Medium | Unassigned |
Bug Description
When the host machine is firewall protected to allow only authorized packets, nova does not add any firewall rule to open the host machine firewall for DHCP/BOOTP request messages from VM instances. Currently nova only adds firewall rules to allow DHCP reply messages from the host machine to the VM instance, not from the VM instance to the host machine.
Sample host machine firewall rules:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-
If a host machine is firewall protected with an INPUT chain containing rules like those above, allowing only authorized packets (e.g. SSH on port 22), then DHCP/BOOTP request messages from VM instances will be dropped because there is no rule that permits them.
This can be avoided by adding the following rule to the INPUT chain to allow DHCP/BOOTP request messages:
-A INPUT -i br100 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
This problem was observed in FlatDHCP mode.
Other network managers have not been tested, but they may be affected too.
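To check offline whether a host's INPUT chain would let a VM's DHCP request through before the final REJECT, here is a minimal first-match evaluator for iptables-save style rules. It is an added example, not code from the bug report or from nova; the sample chain below is constructed from the rules in the report (with a plain `-j REJECT` as the last rule), and the parser assumes every option takes exactly one argument, as all options in the report do.

```python
import shlex

SIMPLE = {"-i": "iface", "-p": "proto", "-j": "target"}

def parse_rule(line):
    """Parse one iptables-save '-A CHAIN ...' line into match criteria plus target."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "iface": None, "proto": None, "states": None,
            "sport": None, "dport": None, "target": None}
    i = 2
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t in SIMPLE:
            rule[SIMPLE[t]] = arg
        elif t == "--state":
            rule["states"] = set(arg.split(","))
        elif t in ("--sport", "--dport"):          # single port or lo:hi range
            lo, _, hi = arg.partition(":")
            rule[t[2:]] = (int(lo), int(hi or lo))
        # "-m <module>" and any other option are skipped together with their argument
        i += 2
    return rule

def matches(rule, pkt):
    """Every criterion the rule names must hold; unset criteria match anything."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return all(rule[k] is None or rule[k][0] <= pkt[k] <= rule[k][1]
               for k in ("sport", "dport"))

def verdict(rules, pkt, chain="INPUT", policy="ACCEPT"):
    """The first matching rule in the chain decides; otherwise the chain policy applies."""
    for rule in (parse_rule(r) for r in rules if r.startswith("-A %s " % chain)):
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed sample: the INPUT chain from the bug report, ending in a plain REJECT.
HOST_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT",
]
# The rule proposed in the report, inserted ahead of the final REJECT.
DHCP_RULE = "-A INPUT -i br100 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT"
FIXED_RULES = HOST_RULES[:-1] + [DHCP_RULE, HOST_RULES[-1]]
# A DHCP DISCOVER from a VM on br100: UDP 68 -> 67, seen by conntrack as NEW.
DHCP_REQUEST = {"iface": "br100", "proto": "udp", "state": "NEW", "sport": 68, "dport": 67}
```

`verdict(HOST_RULES, DHCP_REQUEST)` returns `REJECT` and `verdict(FIXED_RULES, DHCP_REQUEST)` returns `ACCEPT`; the same request arriving on another interface is still rejected because the added rule is scoped to br100.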
security vulnerability: | yes → no |
visibility: | private → public |
tags: | added: security-group |
tags: | removed: security-group |
Changed in nova: | |
assignee: | Tom Fifield (fifieldt) → nobody |
Changed in nova: | |
status: | In Progress → Confirmed |
It is true nova-network expects to have open firewall rules. A more general one that will also work with vlan mode is:
-A services -p udp -m udp --sport 68 --dport 67 -j ACCEPT
Perhaps we should just be adding this rule always on the network host in case the default rules are configured to block unknown traffic?