From: Andy Bavier Date: Mon, 23 Sep 2013 15:43:56 +0000 (-0400) Subject: Unfilter NAT internal IP address so it can accept packets from outside X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=7aa72bbab8de19d6d767a5ccf03963afc686d883;p=nodemanager.git Unfilter NAT internal IP address so it can accept packets from outside
---
diff --git a/plugins/planetstack-net.py b/plugins/planetstack-net.py
index 953bc9d..e23744e 100644
--- a/plugins/planetstack-net.py
+++ b/plugins/planetstack-net.py
@@ -66,14 +66,17 @@ def run_iptables_cmd(args):
     logger.log('%s: %s' % (plugin, ' '.join(cmd)))
     subprocess.check_call(cmd)
 
-def add_iptables_rule(table, chain, args):
-    args = ['-t', table, '-C', chain] + args
+def add_iptables_rule(table, chain, args, pos = None):
+    iptargs = ['-t', table, '-C', chain] + args
     try:
-        run_iptables_cmd(args)
+        run_iptables_cmd(iptargs)
     except:
-        args[2] = '-A'
+        if pos:
+            iptargs = ['-t', table, '-I', chain, str(pos)] + args
+        else:
+            iptargs[2] = '-A'
         try:
-            run_iptables_cmd(args)
+            run_iptables_cmd(iptargs)
         except:
             logger.log('%s: FAILED to add iptables rule' % plugin)
 
@@ -87,6 +90,14 @@ def reset_iptables_chain():
     add_iptables_rule('nat', 'PREROUTING', ['-j', plugin])
 
+# Nova blocks packets from external addresses by default.
+# This is hacky but it gets around the issue.
+def unfilter_ipaddr(dev, ipaddr):
+    add_iptables_rule(table = 'filter',
+                      chain = 'nova-compute-sg-fallback',
+                      args = ['-d', ipaddr, '-j', 'ACCEPT'],
+                      pos = 1)
+
 
 # Enable iptables MASQ for a device
 def add_iptables_masq(dev, interface):
     ipaddr = interface['ip']
@@ -240,6 +251,7 @@ def process_quantum_ports(dev):
             fwport = fw['l4_port']
             # logger.log("%s: fwd port %s/%s to %s" % (plugin, protocol, fwport, ipaddr))
+            unfilter_ipaddr(dev, ipaddr)
             # Shouldn't hardcode br-eth0 here. Maybe use '-d '?
             add_iptables_rule('nat', plugin, ['-i', 'br-eth0', '-p', protocol, '--dport', fwport,
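Review bot: The bare `except:` around both `run_iptables_cmd(iptargs)` calls in add_iptables_rule catches everything, and the outer one treats any failure of the `-C` check (missing chain, bad argument, binary not found) as "rule absent" and proceeds to insert, while the inner one logs FAILED without the reason. Since run_iptables_cmd uses `subprocess.check_call`, narrow both to `except subprocess.CalledProcessError as e:` and put `e` in the FAILED log line so a real misconfiguration is visible rather than silently retried. `if pos:` also treats a position of `0` as "not given"; `if pos is not None:` states the intent, and the value fed to `str(pos)` should be checked to be a positive integer before it reaches the command line. Note that the `-C` check is run without the position, so an existing rule sitting at a different position than requested is left where it is — worth a comment on the `-C` line if that is intended.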
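Review bot: unfilter_ipaddr inserts an unconditional `-d ipaddr -j ACCEPT` at position 1 of the `nova-compute-sg-fallback` chain, which — assuming that chain is Nova's security-group fallback, as its name suggests — bypasses every security-group rule for all protocols and ports to that address, not only the single port forward the caller is setting up. The call site in the last hunk has `protocol` and `fwport` in scope, so the rule can be scoped to what is actually forwarded: `def unfilter_ipaddr(dev, ipaddr, protocol, port):` with `args = ['-d', ipaddr, '-p', protocol, '--dport', str(port), '-j', 'ACCEPT'],`. The `dev` parameter is unused in the body; drop it or note in the comment why it is kept. I cannot see whether the filter-table rule is ever removed when a port forward goes away, since the body of reset_iptables_chain starts outside the hunk; if it is not, the comment should say that the ACCEPT persists until the next chain reset.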