File openstack-nova-network-init-bnc777488.patch of Package openstack-nova
--- openstack-nova-network
+++ openstack-nova-network
@@ -22,6 +22,27 @@
. /etc/rc.status
+iptables_setup()
+{
+ mode=$1
+ if [ -n "$ADMINNETWORK" ] && grep -qx 'enabled_apis=metadata' /etc/nova/nova.conf ; then # this must not run outside of compute nodes
+ interface=$(perl -ne 'm/flat_network_bridge=([0-9a-z.-]+)/ && print $1' /etc/nova/nova.conf)
+ if [ -z "$interface" ] ; then
+ echo "error: no flat_network_bridge interface found in nova.conf"
+ echo "can not set iptables rules"
+ else
+ PATH="/sbin:/usr/sbin:/usr/bin:/bin"
+ c="nova-filter-FORWARD-sitelocl"
+ iptables -N $c 2>/dev/null
+ iptables -$mode $c -d $STORAGENETWORK/$STORAGENETMASK -j REJECT
+ iptables -$mode INPUT -d $STORAGENETWORK/$STORAGENETMASK -i $interface -j REJECT
+ iptables -$mode $c -d $ADMINNETWORK/$ADMINNETMASK -j REJECT
+ iptables -$mode INPUT -d $ADMINNETWORK/$ADMINNETMASK -i $interface -j REJECT
+ iptables -$mode INPUT -p tcp --dport 8775 -i $interface -j ACCEPT # metadata api
+ fi
+ fi
+}
+
case "$1" in
start)
if [ "$DAEMON" == "api" ]; then
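Review bot: None of the `iptables -$mode` calls on lines 18-22 check their exit status, so a rule that fails to install (an unset `$STORAGENETWORK`/`$STORAGENETMASK` expands to `-d /`, which iptables refuses) leaves the node without its REJECT rules while the service is still started; the function should return non-zero so the caller can report it. The guard on line 9 fails open in the same way: a nova.conf written as `enabled_apis = metadata` or `enabled_apis=metadata,osapi` does not satisfy `grep -qx`, and the rules are silently skipped, which deserves at least a line on stderr, as do the two error `echo`s on lines 12-13 that currently go to stdout. `mode`, `interface` and `c` are also assigned as globals rather than `local`. Quoting the expansions and routing every rule through a small status checker makes a failed install visible without changing which rules are set:

```bash
iptables_setup()
{
  local mode=$1 interface c rc=0
  # report a rule that fails to install instead of silently continuing
  rule() { iptables "$@" || { printf 'error: iptables %s failed\n' "$*" >&2; rc=1; }; }
  # … unchanged: ADMINNETWORK / enabled_apis guard and interface lookup …
      iptables -N "$c" 2>/dev/null   # chain may already exist
      rule "-$mode" "$c" -d "$STORAGENETWORK/$STORAGENETMASK" -j REJECT
      # … the remaining four rules go through rule() the same way …
  # … unchanged: closing fi …
  return "$rc"
}
```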
@@ -31,6 +52,7 @@
fi
echo -n "Starting nova-$DAEMON"
+ iptables_setup I
/sbin/startproc -q -s -u $USER /usr/bin/nova-$DAEMON --config-file=$CONFFILE
rc_status -v
;;
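Review bot: `iptables_setup I` on line 33 is not idempotent: every `start` inserts a fresh copy of each rule with `-I`, so a repeated start (or a start after a failed stop) accumulates duplicate REJECT/ACCEPT rules, while `stop` removes only one copy. Guarding each insert with `iptables -C <rule> 2>/dev/null || iptables -I <rule>` keeps a single instance, and since the insert is also executed before `startproc`, the rules stay in place if the daemon fails to start, which is worth a comment such as `# firewall rules are installed before the daemon so the metadata port is never reachable unfiltered`. The function's status is also discarded here, so a failed install is not reflected in `rc_status -v`. The `start)` arm begins outside this hunk.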
@@ -38,6 +60,7 @@
echo -n "Shutting down nova-$DAEMON"
/sbin/killproc /usr/bin/nova-$DAEMON
rc_status -v
+ iptables_setup D
;;
restart)
$0 stop
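Review bot: `iptables_setup D` on line 41 runs after `rc_status -v` has already reported the result of `killproc`, so a failed rule removal is neither reported nor reflected in the exit status; moving it before `rc_status -v` (or adding `|| rc_failed`) would surface it. In D mode the function still executes `iptables -N` first, so stopping on a node that never had the chain creates an empty `nova-filter-FORWARD-sitelocl` chain and leaves it behind, and nothing in this patch flushes or deletes the chain on stop; `iptables -F "$c"; iptables -X "$c"` in the D path would restore the pre-start state. Whether the chain is ever linked into FORWARD is not visible in this patch and may be handled elsewhere. The `stop)` arm begins outside this hunk.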