openstack team mailing list archive

[Brian Haley <brian.haley@xxxxxx>]

On 07/23/2013 12:22 PM, David Kang wrote:
> 
>  Hi,
> 
>   We are running OpenStack Folsom on CentOS 6.4.
> Quantum-linuxbridge-agent is used.
> By default, the Quantum node has the following entries in its /etc/sysconfig/iptables file.
> 
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 
>  With those two lines, VM cannot get IP address from the DHCP server running on the Quantum node.
> More specifically, the first line prevents a VM from getting IP address from DHCP server.
> The second line prevents a VM from talking to other VMs and external worlds.
> Is there a better way to make the Quantum network work well
> than just commenting them out?

Since Quantum isn't adding them, and you want the system to act as a DHCP server
and gateway, I think you have two choices:

1. Delete them
2. Craft rules to sit above them (using -I) to allow certain packets

#2 gets tricky as you'll need to account for DHCP, metadata, etc. in the INPUT
chain, and in the FORWARD chain you could maybe start by allowing all traffic
from your bridge.  You would need to do some more work there.

I believe any DHCP iptables rules will be on the compute hosts, and will be put
in place for anti-spoofing.  Since this is the network node you won't see them here.

-Brian