[Openstack] nova-network-INPUT (was Re: dns issue?)
Mark McLoughlin
markmc at redhat.com
Thu Oct 13 09:05:09 UTC 2011
Hi Sharif,
On Tue, 2011-10-11 at 14:55 -0400, Sharif Islam wrote:
> As Jorge was pointing out last week
> (https://lists.launchpad.net/openstack/msg04596.html), the problem seems
> to be iptables related. When I added these two rules, I was able to ping
> google.com with 10.0.1.1 as the nameserver.
>
>
> # iptables -I nova-network-INPUT 1 -p tcp --dport 53 -j ACCEPT
> # iptables -I nova-network-INPUT 1 -p udp --dport 53 -j ACCEPT
>
>
> However, as soon as a new instance starts, these two rules go away.
>
> # iptables -L nova-network-INPUT
> Chain nova-network-INPUT (1 references)
> target prot opt source destination
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
>
> I start a new instance; a few seconds later:
>
> # iptables -L nova-network-INPUT
> Chain nova-network-INPUT (1 references)
> target prot opt source destination
>
> I also have these two rules:
>
> # iptables -L -n|grep 67
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
> # iptables -L -n|grep 53
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
>
>
> Can someone explain how these iptables rules get created? I thought these
> rules were generated by starting nova-network.
>
> I also saw this: https://bugzilla.redhat.com/show_bug.cgi?id=734347. Not
> sure if this is related. I am running RHEL 6.1.
Ah, yes - the issue is that Fedora and RHEL's iptables rules default to
rejecting packets which aren't allowed. Nova's iptables rules assumed
the default was to accept.
You're running Cactus, right? This is fixed in Diablo, see:
https://bugs.launchpad.net/nova/+bug/844935
Cheers,
Mark.
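The cause Mark names is a chain-ordering one: on Fedora/RHEL the INPUT chain ends in an unconditional REJECT, so anything Nova's chain does not explicitly ACCEPT is dropped, and once Nova rewrites nova-network-INPUT on instance start the hand-inserted DNS rules are gone. The script below is an added example, not code from this thread or from Nova: it walks an `iptables-save` dump with the kernel's first-match semantics (following one level of `-j` into a user-defined chain such as nova-network-INPUT, stopping at the first selector-free REJECT/DROP, and falling back to the chain policy) and reports whether a given proto/port is accepted. The three dumps are constructed for the example; the "pinned" variant only shows that a rule placed in INPUT ahead of the jump is evaluated before Nova's chain is consulted, and says nothing about whether Cactus leaves such a rule in place.

```shell
#!/bin/sh
# Added example (not from the thread or from Nova). Read-only check that answers:
# "does this proto/port get ACCEPTed before the distro's catch-all REJECT?"
# All dumps below are constructed to resemble a RHEL 6 nova-network host.

# Constructed: state after inserting the two DNS rules by hand.
RULES_MANUAL='*filter
:INPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A nova-network-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT'

# Constructed: same host after an instance boot rewrote nova-network-INPUT.
RULES_FLUSHED='*filter
:INPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -j nova-network-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed: DNS accept placed in INPUT itself, ahead of the jump into Nova's chain.
RULES_PINNED='*filter
:INPUT ACCEPT [0:0]
:nova-network-INPUT - [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j nova-network-INPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# port_allowed DUMP PROTO PORT  -> prints "allowed" or "blocked"
port_allowed() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    function accepts(r) {
      return index(r, " -p " proto " ") && index(r, " --dport " port " ") && r ~ / -j ACCEPT$/
    }
    function unconditional_reject(r) {
      # REJECT/DROP with no -p/-s/-d/-m selector matches every packet that reaches it
      return r ~ / -j (REJECT|DROP)/ && r !~ / -[psdm] /
    }
    /^:INPUT / { policy = $2 }
    /^-A /     { rules[$2, ++count[$2]] = $0 }
    END {
      for (i = 1; i <= count["INPUT"]; i++) {
        r = rules["INPUT", i]
        if (accepts(r))              { print "allowed"; exit }
        if (unconditional_reject(r)) { print "blocked"; exit }
        # one level of -j into a user-defined chain (e.g. nova-network-INPUT);
        # an empty or missing chain contributes nothing and we fall through
        if (match(r, / -j [A-Za-z0-9_-]+/)) {
          target = substr(r, RSTART + 4, RLENGTH - 4)
          if (target in count)
            for (j = 1; j <= count[target]; j++)
              if (accepts(rules[target, j])) { print "allowed"; exit }
        }
      }
      # nothing matched: the chain policy decides
      if (policy == "ACCEPT") print "allowed"; else print "blocked"
    }'
}

for name in RULES_MANUAL RULES_FLUSHED RULES_PINNED; do
  eval "dump=\$$name"
  echo "$name: udp/53 $(port_allowed "$dump" udp 53)," \
       "tcp/53 $(port_allowed "$dump" tcp 53), tcp/22 $(port_allowed "$dump" tcp 22)"
done
```

Run it against a live host with `port_allowed "$(iptables-save)" udp 53` (and udp 67 for DHCP) before and after booting an instance; if the answer flips from allowed to blocked, you are seeing the Cactus behaviour in this thread rather than a separate DNS problem.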