[Openstack] iptables rule missing in multi node setup

Brian Haley brian.haley at hp.com
Thu Oct 25 13:58:03 UTC 2012


On 10/24/2012 06:55 PM, Qin, Xiaohong wrote:
> Hi All,
> 
> In one of my lab setups, I found the following iptable rules are missing on the
> controller node,
> 
> Chain nova-compute-inst-3 (1 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere             state INVALID
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> nova-compute-provider  all  --  anywhere             anywhere
> ACCEPT     udp  --  usxxcoberbmbp1.corp.emc.com  anywhere             udp spt:bootps dpt:bootpc

All these are getting defined in virt/libvirt/firewall.py:instance_rules() - I'd
recommend looking at that function, but it should always get called at instance
startup.  That last one for the DHCP server might not get added if the DB
doesn't have the info though.

> ACCEPT     all  --  10.0.0.0/24          anywhere

FLAGS.allow_same_net_traffic=true is probably not set, I think that defaults to
false for security reasons.

> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Did you create a security group and add icmp and ssh using
'nova secgroup-add-rule ...'?

-Brian
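
An added example (not from this thread and not nova's own code) that does the comparison Brian describes by hand: it parses the pasted `iptables -L nova-compute-inst-<id>` output, re-joins lines a mail client has wrapped, and reports which of the rule classes instance_rules() is expected to emit (DROP INVALID, ACCEPT RELATED/ESTABLISHED, the jump to nova-compute-provider, the DHCP rule, the same-net rule) are absent, listing whatever security-group rules are present separately. The chain texts, the hostname `dhcp-server.example` and the rule-class labels are constructed for the example.

```python
"""Check a nova-compute-inst-N chain for the rules instance_rules() should emit.

Added example, not nova code. Reads `iptables -L <chain>` text as pasted into a
mail and reports which expected rule classes are missing.
"""
import re
from dataclasses import dataclass

PROTOCOLS = {"all", "tcp", "udp", "icmp"}


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str = ""  # match portion, e.g. "state INVALID" or "udp spt:bootps dpt:bootpc"


def parse_chain(text):
    """Parse `iptables -L` output; tolerates '> ' quoting and mail line-wrapping."""
    rules = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop reply quoting
        if not line or line.startswith("Chain ") or line.startswith("target "):
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[1] in PROTOCOLS:
            target, prot, _opt, src, dst = fields[:5]
            rules.append(Rule(target, prot, src, dst, " ".join(fields[5:])))
        elif rules:
            # Fewer than five fields: the mail client wrapped the previous rule,
            # so glue this fragment (e.g. "RELATED,ESTABLISHED") onto it.
            rules[-1].extra = (rules[-1].extra + " " + line).strip()
    return rules


# Rule classes instance_rules() is expected to add, in the order seen in the thread.
# Labels are our own; the last one only appears with allow_same_net_traffic=true.
CHECKS = [
    ("drop INVALID",
     lambda r: r.target == "DROP" and "INVALID" in r.extra),
    ("accept RELATED,ESTABLISHED",
     lambda r: r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra),
    ("jump to nova-compute-provider",
     lambda r: r.target == "nova-compute-provider"),
    ("DHCP from dnsmasq (udp spt:bootps dpt:bootpc)",
     lambda r: r.prot == "udp" and "spt:bootps" in r.extra and "dpt:bootpc" in r.extra),
    ("same-net traffic (allow_same_net_traffic)",
     lambda r: r.target == "ACCEPT" and r.prot == "all" and "/" in r.source and not r.extra),
]


def check_instance_chain(text):
    """Return {'missing': [rule classes not found], 'secgroup_rules': [present sg rules]}."""
    rules = parse_chain(text)
    missing = [name for name, pred in CHECKS if not any(pred(r) for r in rules)]
    # Anything else ACCEPTed per-protocol comes from security groups (secgroup-add-rule).
    secgroup = [r.extra or r.prot for r in rules
                if r.target == "ACCEPT" and r.prot in ("tcp", "udp", "icmp")
                and "spt:bootps" not in r.extra]
    return {"missing": missing, "secgroup_rules": secgroup}


# Constructed sample: a complete chain, wrapped the way the mail in the thread was.
FULL_CHAIN = """\
> Chain nova-compute-inst-3 (1 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere             state INVALID
> ACCEPT     all  --  anywhere             anywhere             state
> RELATED,ESTABLISHED
> nova-compute-provider  all  --  anywhere             anywhere
> ACCEPT     udp  --  dhcp-server.example  anywhere             udp
> spt:bootps dpt:bootpc
> ACCEPT     all  --  10.0.0.0/24          anywhere
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
"""

# Constructed sample: a controller node where only the first three rules came through.
BARE_CHAIN = """\
Chain nova-compute-inst-3 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
nova-compute-provider  all  --  anywhere             anywhere
"""

if __name__ == "__main__":
    for label, chain in (("full", FULL_CHAIN), ("bare", BARE_CHAIN)):
        report = check_instance_chain(chain)
        print(f"{label}: missing={report['missing']} secgroup={report['secgroup_rules']}")
```

On a live node, feed it `iptables -L nova-compute-inst-3 -n` output instead of the samples; an empty `missing` list with no security-group rules listed points at the secgroup question rather than at instance_rules().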