Nova should not assume the default iptables INPUT filter policy is accept
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Medium | Mark McLoughlin | |
Bug Description
On systems where the default policy for the iptables INPUT filter is DROP, I'm seeing DNS, DHCP and EC2 metadata requests being dropped.
Something similar to:
$> sudo iptables -t filter -A nova-network-INPUT \
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 67 -j ACCEPT
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
$> sudo iptables -t filter -A nova-network-INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
fixes it for me
To explain fully, this is on Fedora, where the default policy is actually ACCEPT but the last rule in the INPUT chain is:
-A INPUT -j REJECT --reject-with icmp-host-
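As an added check, not from the bug report or nova's own code: a small POSIX shell script that inspects `iptables -S INPUT` output (here, constructed sample rule sets rather than a live host) for the two conditions the report describes, a DROP default policy or a catch-all REJECT as the last INPUT rule, and prints the four ACCEPT rules from the report for a given bridge interface. The function names, the sample rule sets and the `br0` bridge name are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or nova's own code): decide from
# `iptables -S INPUT` output whether a host will drop the DHCP/DNS traffic
# that nova-network's dnsmasq needs, and print the ACCEPT rules to add.
# All rule sets below are constructed samples, not captured from a real host.

# Constructed sample: permissive default policy, no catch-all rule.
PERMISSIVE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT'

# Constructed sample modelled on the Fedora case in the report: the policy
# is ACCEPT but the chain ends in an unconditional REJECT.
FEDORA_STYLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT'

# Constructed sample: default policy DROP.
DROP_POLICY_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT'

# input_chain_drops_by_default RULES
# Returns 0 if packets that match no rule in INPUT are dropped or rejected:
# either the default policy is DROP/REJECT, or the last rule in the chain
# is an unconditional -j DROP / -j REJECT.  Returns 1 otherwise.
input_chain_drops_by_default() {
    rules="$1"
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    case "$policy" in
        DROP|REJECT) return 0 ;;
    esac
    last=$(printf '%s\n' "$rules" | grep '^-A INPUT ' | tail -n 1)
    case "$last" in
        "-A INPUT -j DROP"*|"-A INPUT -j REJECT"*) return 0 ;;
    esac
    return 1
}

# nova_input_accept_rules BRIDGE
# Prints the four ACCEPT rules from the report (DHCP on 67, DNS on 53,
# udp and tcp each) for the nova-network-INPUT chain on the given bridge.
nova_input_accept_rules() {
    bridge="$1"
    for port in 67 53; do
        for proto in udp tcp; do
            printf 'iptables -t filter -A nova-network-INPUT -i %s -p %s -m %s --dport %s -j ACCEPT\n' \
                "$bridge" "$proto" "$proto" "$port"
        done
    done
}

# Number of rules the generator emits; used as a sanity check.
nova_input_accept_rule_count() {
    nova_input_accept_rules "$1" | wc -l | tr -d ' '
}

# report LABEL RULES: print the verdict for one rule set.
report() {
    if input_chain_drops_by_default "$2"; then
        echo "$1: INPUT drops unmatched traffic; add to nova-network-INPUT:"
        nova_input_accept_rules br0
    else
        echo "$1: INPUT accepts by default; no extra rules needed"
    fi
}

# Stand-alone run over the constructed samples.  On a real host, pass
# "$(iptables -S INPUT)" instead of a sample.
report permissive "$PERMISSIVE_RULES"
report fedora-style "$FEDORA_STYLE_RULES"
report drop-policy "$DROP_POLICY_RULES"
```

The check only looks at the INPUT chain's policy and its final rule, which covers the two cases in the report; a REJECT placed earlier in the chain, or a rule that jumps to nova-network-INPUT before the catch-all, needs a fuller walk of the chain order.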
Related branches
- Vish Ishaya (community): Needs Fixing
  Diff: 157 lines (+84/-2), 5 files modified: nova/api/manager.py (+42/-0), nova/flags.py (+3/-0), nova/network/linux_net.py (+11/-0), nova/network/manager.py (+0/-2), nova/service.py (+28/-0)
- Josh Kearney (community): Approve
- Vish Ishaya (community): Approve
  Diff: 31 lines (+14/-0), 1 file modified: nova/network/linux_net.py (+14/-0)
- OpenStack release team: Pending requested
  Diff: 38 lines (+14/-1), 1 file modified: nova/network/linux_net.py (+14/-1)
Changed in nova:
- assignee: nobody → Mark McLoughlin (markmc)
Changed in nova:
- importance: Undecided → Medium
- status: New → In Progress
Changed in nova:
- milestone: none → 2011.3
- status: In Progress → Fix Committed
Changed in nova:
- status: Fix Committed → Fix Released