yahoo-eng-team team mailing list archive

[Bug 1391360] [NEW] DHCP response drops not documented

Public bug reported:

DHCP responses coming from instances are prohibited and dropped, but
there is no mention about that in the official documentation.  Users
planning to use netbooting need to be informed, since netbooting relies
on DHCP.

Here are 2 citations from the web explaining that.

"Rule 3 will prevent a VM from acting as a DHCP server since it will
drop any packets coming from UDP source port 67 going to UDP port 68
(usually a response to a DHCP request)" from
https://developer.rackspace.com/blog/software-defined-networks-in-the-
havana-release-of-openstack-part-2/

"The security groups implementation automatically adds iptables rules to
prevent instances running DHCP servers on a Quantum network." from
https://ask.openstack.org/en/question/6967/how-to-allow-vm-to-manage-
dhcp-itself/?answer=28135#post-id-28135

The code implementing that is in /usr/lib/python2.6/site-packages/neutron/agent/linux/iptables_firewall.py
Look for 
    def _drop_dhcp_rule(self):
        #Note(nati) Drop dhcp packet from VM
        return ['-p udp -m udp --sport 67 --dport 68 -j DROP']

One could say that it is a feature of the security groups, since _drop_dhcp_rule is called by _add_rule_by_security_group.
One could also say that prohibiting "Bring your own DHCP server" is a more high level design detail.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1391360

Title:
  DHCP response drops not documented

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1391360/+subscriptions
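As an added illustration of the rule the report quotes (this is not code from the bug, from Neutron or from Launchpad): a small Python audit helper that parses constructed `iptables-save`-style lines for one instance's egress chain, confirms that the "UDP sport 67 to dport 68, DROP" rule is present, and evaluates a few sample packets against the chain. The chain name, the rule lines and the fallback chain are constructed for the example; the verdicts show why a VM's own DHCP client request (68 to 67) still passes while any DHCP offer or ack the VM would send as a server (67 to 68) is dropped, which is exactly what breaks a netboot server hosted inside an instance.

```python
"""Audit helper (added example): does an instance's egress chain carry the
Neutron 'drop DHCP server replies' rule, and which sample packets hit it?"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables-save` lines for one instance's egress chain.
# Chain name and the fallback chain are made up; the 67->68 DROP line has the
# same shape as the rule _drop_dhcp_rule() returns in the bug report.
SAMPLE_RULES = """\
-A neutron-openvswi-oDEADBEEF -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oDEADBEEF -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-oDEADBEEF -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-oDEADBEEF -j neutron-openvswi-sg-fallback
"""


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: Optional[str]   # None means "any protocol"
    sport: Optional[int]   # None means "any source port"
    dport: Optional[int]   # None means "any destination port"
    target: str


_RULE_RE = re.compile(r"^-A (\S+)(.*) -j (\S+)$")


def parse_rules(text: str) -> List[Rule]:
    """Parse '-A <chain> <matches> -j <target>' lines; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        chain, opts, target = m.groups()
        proto = re.search(r"-p (\S+)", opts)
        sport = re.search(r"--sport (\d+)", opts)
        dport = re.search(r"--dport (\d+)", opts)
        rules.append(Rule(
            chain,
            proto.group(1) if proto else None,
            int(sport.group(1)) if sport else None,
            int(dport.group(1)) if dport else None,
            target,
        ))
    return rules


def matches(rule: Rule, proto: str, sport: int, dport: int) -> bool:
    """A rule matches when every match option it specifies agrees with the packet."""
    return ((rule.proto is None or rule.proto == proto)
            and (rule.sport is None or rule.sport == sport)
            and (rule.dport is None or rule.dport == dport))


def first_verdict(rules: List[Rule], proto: str, sport: int, dport: int) -> Optional[str]:
    """Target of the first rule the packet hits (iptables is first-match), or None."""
    for r in rules:
        if matches(r, proto, sport, dport):
            return r.target
    return None


def has_dhcp_server_drop(rules: List[Rule]) -> bool:
    """True if the chain drops UDP 67->68, i.e. DHCP replies originating in the VM."""
    return any(r.proto == "udp" and r.sport == 67 and r.dport == 68
               and r.target == "DROP" for r in rules)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("drop-DHCP-server rule present:", has_dhcp_server_drop(rules))
    print("VM DHCP client request 68->67:", first_verdict(rules, "udp", 68, 67))
    print("VM DHCP server reply   67->68:", first_verdict(rules, "udp", 67, 68))
```

Running it on a real compute node would mean feeding it the output of `iptables-save` instead of `SAMPLE_RULES`; the parser deliberately ignores match modules it does not model (such as connection state), so treat it as a presence check for the DHCP drop, not a full simulation of the chain.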
