Unfilter NAT internal IP address so it can accept packets from outside

diff --git a/plugins/planetstack-net.py b/plugins/planetstack-net.py
index 953bc9d..e23744e 100644 (file)
--- a/plugins/planetstack-net.py
+++ b/plugins/planetstack-net.py
@@ -66,14 +66,17 @@ def run_iptables_cmd(args):
     logger.log('%s: %s' % (plugin, ' '.join(cmd)))
     subprocess.check_call(cmd)
     
-def add_iptables_rule(table, chain, args):
-    args = ['-t', table, '-C',  chain] + args
+def add_iptables_rule(table, chain, args, pos = None):
+    iptargs = ['-t', table, '-C',  chain] + args
     try:
-        run_iptables_cmd(args)
+        run_iptables_cmd(iptargs)
     except:
-        args[2] = '-A'
+        if pos:
+            iptargs = ['-t', table, '-I', chain, str(pos)] + args
+        else:
+            iptargs[2] = '-A'
         try:
-            run_iptables_cmd(args)
+            run_iptables_cmd(iptargs)
         except:
             logger.log('%s: FAILED to add iptables rule' % plugin)
 
@@ -87,6 +90,14 @@ def reset_iptables_chain():
 
     add_iptables_rule('nat', 'PREROUTING', ['-j', plugin]) 
 
+# Nova blocks packets from external addresses by default.
+# This is hacky but it gets around the issue.
+def unfilter_ipaddr(dev, ipaddr):
+    add_iptables_rule(table = 'filter', 
+                      chain = 'nova-compute-sg-fallback', 
+                      args = ['-d', ipaddr, '-j', 'ACCEPT'], 
+                      pos = 1)
+    
 # Enable iptables MASQ for a device
 def add_iptables_masq(dev, interface):
     ipaddr = interface['ip']
@@ -240,6 +251,7 @@ def process_quantum_ports(dev):
                 fwport = fw['l4_port']
                 # logger.log("%s: fwd port %s/%s to %s" % (plugin, protocol, fwport, ipaddr))
 
+                unfilter_ipaddr(dev, ipaddr)
                 # Shouldn't hardcode br-eth0 here.  Maybe use '-d <node IP address>'?
                 add_iptables_rule('nat', plugin, ['-i', 'br-eth0', 
                                                   '-p', protocol, '--dport', fwport,