File openstack-nova-network-init-bnc777488.patch of Package openstack-nova

--- openstack-nova-network
+++ openstack-nova-network
@@ -22,6 +22,27 @@
 
 . /etc/rc.status
 
+iptables_setup()
+{
+    mode=$1
+    if [ -n "$ADMINNETWORK" ] && grep -qx 'enabled_apis=metadata' /etc/nova/nova.conf ; then # this must not run outside of compute nodes
+        interface=$(perl -ne 'm/flat_network_bridge=([0-9a-z.-]+)/ && print $1' /etc/nova/nova.conf)
+        if [ -z "$interface" ] ; then
+            echo "error: no flat_network_bridge interface found in nova.conf"
+            echo "can not set iptables rules"
+        else
+            PATH="/sbin:/usr/sbin:/usr/bin:/bin"
+            c="nova-filter-FORWARD-sitelocl"
+            iptables -N $c 2>/dev/null
+            iptables -$mode $c -d $STORAGENETWORK/$STORAGENETMASK -j REJECT
+            iptables -$mode INPUT -d $STORAGENETWORK/$STORAGENETMASK -i $interface -j REJECT
+            iptables -$mode $c -d $ADMINNETWORK/$ADMINNETMASK -j REJECT
+            iptables -$mode INPUT -d $ADMINNETWORK/$ADMINNETMASK -i $interface -j REJECT
+            iptables -$mode INPUT -p tcp --dport 8775 -i $interface -j ACCEPT # metadata api
+        fi
+    fi
+}
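Review bot: The `iptables -$mode` lines interpolate `$STORAGENETWORK`, `$STORAGENETMASK` and `$ADMINNETMASK` unquoted and unchecked, while the guard on the `if` line only tests `$ADMINNETWORK`; with any of the other three empty the rule degrades to `-d /` or `-d $ADMINNETWORK/`, iptables rejects it, and the node is left without the intended REJECTs. Extending the guard, `if [ -n "$ADMINNETWORK" ] && [ -n "$ADMINNETMASK" ] && [ -n "$STORAGENETWORK" ] && [ -n "$STORAGENETMASK" ] && grep -qx 'enabled_apis=metadata' /etc/nova/nova.conf ; then`, closes that gap. The `else`-less error branch is also fail-open: both `echo` lines go to stdout and the function returns 0, so the caller proceeds to start the daemon with no filtering in place; `echo "error: ..." >&2` plus `return 1` would let the start arm decide. Separately, nothing in this hunk inserts a jump to `$c` from FORWARD, so unless another component references `nova-filter-FORWARD-sitelocl` the two REJECT rules appended to it are never consulted — a comment naming who links that chain would make the intent checkable.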
+
 case "$1" in
     start)
         if [ "$DAEMON" == "api" ]; then
@@ -31,6 +52,7 @@
         fi
         
         echo -n "Starting nova-$DAEMON"
+        iptables_setup I
         /sbin/startproc -q -s -u $USER /usr/bin/nova-$DAEMON --config-file=$CONFFILE
         rc_status -v
         ;;
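Review bot: The status of `iptables_setup I` is discarded and the following `rc_status -v` reports only the startproc result, so a failed rule insertion is silent and nova-$DAEMON starts anyway. Because the function uses `-I` unconditionally, a second `start` without an intervening `stop` inserts a duplicate set of rules that a single `iptables_setup D` later removes only partially; probing for the rule first (for example `iptables -C` where the installed iptables supports it) or running `iptables_setup D` before `iptables_setup I` keeps the rule set idempotent. The start arm continues outside the hunk.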
@@ -38,6 +60,7 @@
         echo -n "Shutting down nova-$DAEMON"
         /sbin/killproc /usr/bin/nova-$DAEMON
         rc_status -v
+        iptables_setup D
         ;;
     restart)
         $0 stop
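Review bot: `iptables_setup D` runs after `rc_status -v` regardless of whether killproc succeeded, so if nova-$DAEMON could not be stopped the REJECT rules protecting the admin and storage networks are removed while the metadata API is still listening on the interface. Tying the removal to a successful kill, `/sbin/killproc /usr/bin/nova-$DAEMON && iptables_setup D` followed by `rc_status -v`, keeps the daemon and its rules consistent and lets the reported status reflect both. The stop arm begins outside the hunk.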