openstack team mailing list archive

Thread
Date

Re: [Quantum/Neutron] VM cannot get IP address from DHCP server

To: Brian Haley <brian.haley@xxxxxx>
From: David Kang <dkang@xxxxxxx>
Date: Tue, 23 Jul 2013 20:41:55 -0700 (PDT)
Cc: "openstack@xxxxxxxxxxxxxxxxxxx \(openstack@xxxxxxxxxxxxxxxxxxx\)" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <51EEC3ED.2040504@hp.com>

 A Redhat manual suggests the following rule to enable forwarding packets
among VMs and external network.
https://access.redhat.com/site/documentation/en-US/Red_Hat_OpenStack/2/pdf/Release_Notes/Red_Hat_OpenStack-2-Release_Notes-en-US.pdf

iptables -t filter -I FORWARD -i qr-+ -o qg-+ -j ACCEPT
iptables -t filter -I FORWARD -i qg-+ -o qr-+ -j ACCEPT
iptables -t filter -I FORWARD -i qr-+ -o qr-+ -j ACCEPT

 But it doesn't work for me.
Any suggestion?

 Thanks,
 David

----- Original Message -----
> On 07/23/2013 12:22 PM, David Kang wrote:
> >
> >  Hi,
> >
> >   We are running OpenStack Folsom on CentOS 6.4.
> > Quantum-linuxbridge-agent is used.
> > By default, the Quantum node has the following entries in its
> > /etc/sysconfig/iptables file.
> >
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> >
> >  With those two lines, VM cannot get IP address from the DHCP server
> >  running on the Quantum node.
> > More specifically, the first line prevents a VM from getting IP
> > address from DHCP server.
> > The second line prevents a VM from talking to other VMs and external
> > worlds.
> > Is there a better way to make the Quantum network work well
> > than just commenting them out?
> 
> Since Quantum isn't adding them, and you want the system to act as a
> DHCP server
> and gateway, I think you have two choices:
> 
> 1. Delete them
> 2. Craft rules to sit above them (using -I) to allow certain packets
> 
> #2 gets tricky as you'll need to account for DHCP, metadata, etc. in
> the INPUT
> chain, and in the FORWARD chain you could maybe start by allowing all
> traffic
> from your bridge. You would need to do some more work there.
> 
> I believe any DHCP iptables rules will be on the compute hosts, and
> will be put
> in place for anti-spoofing. Since this is the network node you won't
> see them here.
> 
> -Brian

-- 
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI

Follow ups

Re: [Quantum/Neutron] VM cannot get IP address from DHCP server
From: Brian Haley, 2013-07-24

References

Re: [Quantum/Neutron] VM cannot get IP address from DHCP server
From: Brian Haley, 2013-07-23