OpenStack Compute (Nova)

Nova should not assume the default iptables INPUT filter policy is accept

Reported by Mark McLoughlin on 2011-09-08
Affects: OpenStack Compute (nova)
Importance: Medium
Assigned to: Mark McLoughlin

Bug Description

On systems where the default policy for the iptables INPUT filter is DROP, I'm seeing DNS, DHCP and EC2 metadata requests being dropped.

Something similar to:

  $> sudo iptables -t filter -A nova-network-INPUT \
                   -s 0.0.0.0/0 -d $ec2_dmz_host \
                   -m tcp -p tcp --dport $ec2_port -j ACCEPT
  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
  $> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT

fixes it for me.

To explain fully, this is on Fedora, where the default policy is actually ACCEPT but the last rule in the INPUT chain is:

  -A INPUT -j REJECT --reject-with icmp-host-prohibited
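An added check, not from the bug report or from nova, that reads an `iptables -S INPUT` dump and reports which of the accepts listed above would fall through to a DROP policy or to a trailing catch-all REJECT like the Fedora one. The chain dump and the `ec2_dmz_host` / `ec2_port` values are constructed placeholders.

```python
import re

# Constructed sample of `iptables -S INPUT` from a Fedora-style host: the chain
# policy is ACCEPT, but the final rule REJECTs everything earlier rules did not
# accept, which is the situation the report describes. Not taken from the report.
SAMPLE_INPUT_CHAIN = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
EC2_DMZ_HOST, EC2_PORT = "10.0.0.1", 8773   # placeholder values for the nova flags

def required_rules(bridge="br0"):
    """The accepts the report adds, as name -> (iface, proto, dport, dst)."""
    rules = {"ec2 metadata": (None, "tcp", EC2_PORT, EC2_DMZ_HOST)}
    for proto in ("udp", "tcp"):
        rules[f"dhcp/{proto}"] = (bridge, proto, 67, None)   # DHCP server port
        rules[f"dns/{proto}"] = (bridge, proto, 53, None)    # dnsmasq DNS
    return rules

def parse_chain(dump):
    """Parse `iptables -S INPUT` output into (policy, list of rule dicts)."""
    policy, rules = None, []
    fields = (("iface", r"\s-i (\S+)"), ("proto", r"\s-p (\S+)"), ("dst", r"\s-d (\S+)"),
              ("dport", r"--dport (\d+)"), ("target", r"\s-j (\S+)"))
    for line in dump.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        elif line.startswith("-A INPUT "):
            rules.append({k: (m.group(1) if (m := re.search(p, line)) else None)
                          for k, p in fields})
    return policy, rules

def missing_rules(dump, bridge="br0"):
    """Names of required accepts that this chain would drop or reject."""
    policy, rules = parse_chain(dump)
    # A trailing DROP/REJECT with no interface or protocol match acts like a DROP policy.
    catch_all = bool(rules) and rules[-1]["target"] in ("DROP", "REJECT") \
        and rules[-1]["proto"] is None and rules[-1]["iface"] is None
    if policy == "ACCEPT" and not catch_all:
        return []                      # unmatched traffic is accepted anyway
    reachable = rules[:-1] if catch_all else rules   # rules after the catch-all never fire
    missing = []
    for name, (iface, proto, dport, dst) in required_rules(bridge).items():
        if not any(r["target"] == "ACCEPT" and r["proto"] == proto
                   and r["dport"] == str(dport) and r["iface"] in (iface, None)
                   and r["dst"] in (dst, None) for r in reachable):
            missing.append(name)
    return missing
```

On a real host, feed it the output of `iptables -S INPUT` instead of the sample; an empty result means the nova rules (or broader accepts covering them) are already in place.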

Mark McLoughlin (markmc) on 2011-09-08
Changed in nova:
assignee: nobody → Mark McLoughlin (markmc)
Thierry Carrez (ttx) on 2011-09-09
Changed in nova:
importance: Undecided → Medium
status: New → In Progress
Thierry Carrez (ttx) on 2011-09-20
Changed in nova:
milestone: none → 2011.3
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2011-09-22
Changed in nova:
status: Fix Committed → Fix Released