On 10/24/2012 06:55 PM, Qin, Xiaohong wrote:
> Hi All,
>
> In one of my lab setups, I found the following iptables rules are missing on the
> controller node,
>
> Chain nova-compute-inst-3 (1 references)
>
> target prot opt source destination
> DROP all -- anywhere anywhere state INVALID
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> nova-compute-provider all -- anywhere anywhere
> ACCEPT udp -- usxxcoberbmbp1.corp.emc.com anywhere udp spt:bootps dpt:bootpc

All these are getting defined in virt/libvirt/firewall.py:instance_rules() - I'd
recommend looking at that function, but it should always get called at instance
startup. That last one for the DHCP server might not get added if the DB doesn't
have the info though.

> ACCEPT all -- 10.0.0.0/24 anywhere

FLAGS.allow_same_net_traffic=true is probably not set; I think that defaults to
false for security reasons.

> ACCEPT icmp -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Did you create a security group and add icmp and ssh using 'nova secgroup-add-rule ...'?

-Brian

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
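A small diagnostic for the check Brian describes, added here as an example (it is not code from the thread or from nova): it parses an `iptables -L` listing of a nova-compute-inst-N chain and reports which of the base rules instance_rules() installs are absent, whether the allow_same_net_traffic ACCEPT rule is present, and which per-instance security group rules exist. The sample listing is constructed from the chain quoted above, with the DHCP and same-net rules left out so the check has something to report.

```python
import re
from typing import Dict, List, NamedTuple

class Rule(NamedTuple):
    target: str
    prot: str
    source: str
    dest: str
    extra: str  # trailing match text, e.g. "state INVALID" or "tcp dpt:ssh"

def parse_chain(listing: str) -> List[Rule]:
    """Parse the rule lines of one `iptables -L <chain>` listing."""
    rules = []
    for line in listing.strip().splitlines():
        if line.startswith("Chain ") or line.startswith("target"):
            continue  # chain banner and column header carry no rules
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        rules.append(Rule(target, prot, src, dst, parts[5].strip() if len(parts) > 5 else ""))
    return rules

# Base rules instance_rules() installs for every instance, per the thread:
# (target, protocol, text that must appear in the trailing match column).
BASE_RULES = [
    ("DROP", "all", "state INVALID"),
    ("ACCEPT", "all", "state RELATED,ESTABLISHED"),
    ("nova-compute-provider", "all", ""),
    ("ACCEPT", "udp", "spt:bootps dpt:bootpc"),  # only present if the DB knows the DHCP server
]

def _is_base(r: Rule) -> bool:
    return any(r.target == t and r.prot == p and x in r.extra for t, p, x in BASE_RULES)

def _is_same_net(r: Rule) -> bool:
    # An ACCEPT-all rule from a CIDR source is the allow_same_net_traffic rule.
    return (r.target == "ACCEPT" and r.prot == "all" and not r.extra
            and re.fullmatch(r"\d+(\.\d+){3}/\d+", r.source) is not None)

def check_chain(listing: str) -> Dict[str, object]:
    """Report missing base rules, same-net rule presence and security group rules."""
    rules = parse_chain(listing)
    missing = [f"{t} {p} {x}".strip() for t, p, x in BASE_RULES
               if not any(r.target == t and r.prot == p and x in r.extra for r in rules)]
    secgroup = [r.extra or r.prot for r in rules
                if r.target == "ACCEPT" and not _is_base(r) and not _is_same_net(r)]
    return {"missing": missing, "same_net": any(_is_same_net(r) for r in rules), "secgroup": secgroup}

# Constructed listing modelled on the quoted chain (DHCP and same-net rules omitted).
SAMPLE = """Chain nova-compute-inst-3 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
nova-compute-provider  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
"""
```

Running `check_chain(SAMPLE)` on the constructed listing reports the DHCP rule as missing, no same-net rule, and the icmp and ssh security group rules.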