Bug 889868

Issue apears on RHEL 6.4 beta with nova based firewall rules

the workaround i have used is to disable firewall rule in /etc/nova/nova/conf  & reboot 

#firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
firewall = nova.virt.firewall.NoopFirewallDriver

The Nova rules in my host:

instances i have used 10.10.1.5 & 10.10.1.4

iptables-save 
# Generated by iptables-save v1.4.7 on Wed Dec 26 10:50:19 2012
*nat
:PREROUTING ACCEPT [445522:23017910]
:POSTROUTING ACCEPT [8697:625989]
:OUTPUT ACCEPT [10947:1407803]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING 
-A PREROUTING -j nova-api-PREROUTING 
-A POSTROUTING -j nova-compute-POSTROUTING 
-A POSTROUTING -j nova-api-POSTROUTING 
-A POSTROUTING -j nova-postrouting-bottom 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE 
-A OUTPUT -j nova-compute-OUTPUT 
-A OUTPUT -j nova-api-OUTPUT 
-A nova-api-snat -j nova-api-float-snat 
-A nova-compute-snat -j nova-compute-float-snat 
-A nova-postrouting-bottom -j nova-compute-snat 
-A nova-postrouting-bottom -j nova-api-snat 
COMMIT
# Completed on Wed Dec 26 10:50:19 2012
# Generated by iptables-save v1.4.7 on Wed Dec 26 10:50:19 2012
*mangle
:PREROUTING ACCEPT [701113:107906116]
:INPUT ACCEPT [258278:85280778]
:FORWARD ACCEPT [9740:3055008]
:OUTPUT ACCEPT [209363:102737571]
:POSTROUTING ACCEPT [219446:105071947]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
COMMIT
# Completed on Wed Dec 26 10:50:19 2012
# Generated by iptables-save v1.4.7 on Wed Dec 26 10:50:19 2012
*filter
:INPUT ACCEPT [258219:85261900]
:FORWARD ACCEPT [9740:3055008]
:OUTPUT ACCEPT [206968:101910933]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-10 - [0:0]
:nova-compute-inst-9 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT 
-A INPUT -j nova-api-INPUT 
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A FORWARD -j nova-filter-top 
-A FORWARD -j nova-compute-FORWARD 
-A FORWARD -j nova-api-FORWARD 
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT 
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A OUTPUT -j nova-filter-top 
-A OUTPUT -j nova-compute-OUTPUT 
-A OUTPUT -j nova-api-OUTPUT 
-A nova-api-INPUT -d 10.35.101.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT 
-A nova-compute-inst-10 -m state --state INVALID -j DROP 
-A nova-compute-inst-10 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A nova-compute-inst-10 -j nova-compute-provider 
-A nova-compute-inst-10 -s 10.10.1.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A nova-compute-inst-10 -s 10.10.1.0/24 -j ACCEPT 
-A nova-compute-inst-10 -p icmp -j ACCEPT 
-A nova-compute-inst-10 -j nova-compute-sg-fallback 
-A nova-compute-inst-9 -m state --state INVALID -j DROP 
-A nova-compute-inst-9 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A nova-compute-inst-9 -j nova-compute-provider 
-A nova-compute-inst-9 -s 10.10.1.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A nova-compute-inst-9 -s 10.10.1.0/24 -j ACCEPT 
-A nova-compute-inst-9 -p icmp -j ACCEPT 
-A nova-compute-inst-9 -j nova-compute-sg-fallback 
-A nova-compute-local -d 10.10.1.5/32 -j nova-compute-inst-10 
-A nova-compute-local -d 10.10.1.4/32 -j nova-compute-inst-9 
-A nova-compute-sg-fallback -j DROP

I've found the following work-around to allow the DHCP lease to succeed:

$ sudo cp /etc/sysconfig/iptables .
$ sudo chmod 666 iptables
edit iptables
 add the following to INPUT chain before final REJECT:
  -A INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
 add the following to FORWARD chain before final REJECT:
  -A FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
$ sudo cp iptables /etc/sysconfig/
$ sudo iptables-restore < iptables


There probably belong in nova-compute-INPUT and nova-compute-FORWARD instead of the main INPUT and FORWARD chains. We also need to determine whether either or both of these rules are needed on a quantum network node where quantum-dhcp-agent runs in addition to or instead of on the compute nodes.

Tested on 
openstack-quantum-2012.2.3-5.el6ost.noarch

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0657.html