logger.log('%s: %s' % (plugin, ' '.join(cmd)))
subprocess.check_call(cmd)
-def add_iptables_rule(table, chain, args):
- args = ['-t', table, '-C', chain] + args
+def add_iptables_rule(table, chain, args, pos = None):
+ iptargs = ['-t', table, '-C', chain] + args
try:
- run_iptables_cmd(args)
+ run_iptables_cmd(iptargs)
except:
- args[2] = '-A'
+ if pos:
+ iptargs = ['-t', table, '-I', chain, str(pos)] + args
+ else:
+ iptargs[2] = '-A'
try:
- run_iptables_cmd(args)
+ run_iptables_cmd(iptargs)
except:
logger.log('%s: FAILED to add iptables rule' % plugin)
add_iptables_rule('nat', 'PREROUTING', ['-j', plugin])
+# Nova blocks packets from external addresses by default.
+# This is hacky but it gets around the issue.
+def unfilter_ipaddr(dev, ipaddr):
+ add_iptables_rule(table = 'filter',
+ chain = 'nova-compute-sg-fallback',
+ args = ['-d', ipaddr, '-j', 'ACCEPT'],
+ pos = 1)
+
# Enable iptables MASQ for a device
def add_iptables_masq(dev, interface):
ipaddr = interface['ip']
fwport = fw['l4_port']
# logger.log("%s: fwd port %s/%s to %s" % (plugin, protocol, fwport, ipaddr))
+ unfilter_ipaddr(dev, ipaddr)
# Shouldn't hardcode br-eth0 here. Maybe use '-d <node IP address>'?
add_iptables_rule('nat', plugin, ['-i', 'br-eth0',
'-p', protocol, '--dport', fwport,