openstack team mailing list archive
Message #17774
Re: iptables rule missing in multi node setup
On 10/24/2012 06:55 PM, Qin, Xiaohong wrote:
> Hi All,
>
> In one of my lab setups, I found the following iptables rules are missing on the
> controller node,
>
> Chain nova-compute-inst-3 (1 references)
>
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> nova-compute-provider all -- anywhere anywhere
> ACCEPT udp -- usxxcoberbmbp1.corp.emc.com anywhere udp spt:bootps dpt:bootpc
All these are getting defined in virt/libvirt/firewall.py:instance_rules() - I'd
recommend looking at that function, but it should always get called at instance
startup. That last one for the DHCP server might not get added if the DB
doesn't have the info though.
> ACCEPT all -- 10.0.0.0/24 anywhere
FLAGS.allow_same_net_traffic=true is probably not set; I think that defaults to
false for security reasons.
> ACCEPT icmp -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Did you create a security group and add icmp and ssh using 'nova
secgroup-add-rule ...' ?
-Brian
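As an added example (not part of this thread or of nova), here is a small checker that parses `iptables -L <chain>` output and reports which of the rules discussed above are absent from a per-instance chain, with a hint for each tied to the causes Brian lists. The sample output, the hostname, and the chain contents are constructed for the example.

```python
# Constructed sample of `iptables -L nova-compute-inst-3` output: the
# same-network rule and the ssh security-group rule are deliberately absent.
SAMPLE_OUTPUT = """\
Chain nova-compute-inst-3 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
nova-compute-provider  all  --  anywhere             anywhere
ACCEPT     udp  --  dhcp-host.example.invalid  anywhere       udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere
"""

# (target, proto, source or None for "any host", required option text, hint)
EXPECTED = [
    ("DROP", "all", "anywhere", "state INVALID", "base rule from instance_rules()"),
    ("ACCEPT", "all", "anywhere", "state RELATED,ESTABLISHED", "base rule from instance_rules()"),
    ("nova-compute-provider", "all", "anywhere", "", "base rule from instance_rules()"),
    ("ACCEPT", "udp", None, "spt:bootps dpt:bootpc", "DHCP rule; needs dnsmasq host info in the DB"),
    ("ACCEPT", "all", "10.0.0.0/24", "", "requires allow_same_net_traffic=true"),
    ("ACCEPT", "icmp", "anywhere", "", "added by a security group rule (nova secgroup-add-rule)"),
    ("ACCEPT", "tcp", "anywhere", "tcp dpt:ssh", "added by a security group rule (nova secgroup-add-rule)"),
]


def parse_chain(text):
    """Parse the rule lines of one `iptables -L` chain into dicts."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Chain") or line.startswith("target"):
            continue  # skip the chain banner and the column header
        parts = line.split(None, 5)  # target prot opt source destination [options]
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) > 5 else ""
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return rules


def missing_rules(rules):
    """Return (target, proto, source, options, hint) for each expected rule not present."""
    missing = []
    for target, prot, src, extra, hint in EXPECTED:
        present = any(r["target"] == target and r["prot"] == prot
                      and (src is None or r["src"] == src)
                      and extra in r["extra"] for r in rules)
        if not present:
            missing.append((target, prot, src, extra, hint))
    return missing


if __name__ == "__main__":
    for m in missing_rules(parse_chain(SAMPLE_OUTPUT)):
        print("missing:", m)
```

On a real host, replace `SAMPLE_OUTPUT` with the captured output of `iptables -L nova-compute-inst-<id>` for the instance's chain.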