From e1cc6b0c7677acf9c742bb0bfc115d84022cd6e8 Mon Sep 17 00:00:00 2001
From: Mark McLoughlin <markmc@redhat.com>
Date: Mon, 5 Sep 2011 07:10:52 +0100
Subject: [PATCH] Add INPUT chain rule for EC2 metadata requests (lp:856385)

On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that EC2 metadata requests from guests get dropped.

Add this rule to let it through:

$> sudo iptables -t filter -A nova-network-INPUT \
 -s 0.0.0.0/0 -d $ec2_dmz_host \
 -m tcp -p tcp --dport $ec2_port -j ACCEPT

However, this only works if nova-network and nova-api are on the same host.

Change-Id: Ic99ba9249ce5219cd2631184154add82d25d9d6d
---
 nova/network/linux_net.py | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index 67c2f37..cb71f9b 100755
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -378,6 +378,10 @@ def metadata_forward():
 '-p tcp -m tcp --dport 80 -j DNAT ' '--to-destination %s:%s' % \
 (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
+ iptables_manager.ipv4['filter'].add_rule('INPUT', '-s 0.0.0.0/0 -d %s ' '-p tcp -m tcp --dport %s -j ACCEPT' % \
+ (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
 iptables_manager.apply()
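Review bot: The new filter INPUT rule accepts TCP to ec2_dmz_host:ec2_port from any source (`-s 0.0.0.0/0` matches everything), so it also opens the metadata API port on this host to traffic that never passed the PREROUTING DNAT above it, including peers outside the instance networks; scope the source to the instance fixed-IP range, e.g. `'-s %s -d %s ' '-p tcp -m tcp --dport %s -j ACCEPT' % (FLAGS.fixed_range, FLAGS.ec2_dmz_host, FLAGS.ec2_port)`, or accept only DNATed connections with `-m conntrack --ctstate DNAT`. The caveat from the commit message should live in the code, since nothing in the hunk explains why a filter-table rule sits next to the nat-table DNAT: add `# Fedora's default INPUT policy is DROP; accept the DNATed metadata traffic (only effective when nova-api runs on this host).` above the new add_rule call. metadata_forward's body begins outside the hunk, so the DNAT rule this pairs with is only partly visible here.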