Enable VM DHCP request to reach DHCP agent

When using the firewall driver IptablesFirewallDriver and the
default INPUT and FORWARD rules are DISCARD then the DHCP
request from the VM is discarded prior to getting to the dnsmasq.

A new rule will be added that enables DHCP requests to pass.

This fixes bug 1131223

Change-Id: I50fad5b63c3c4b22a5d828e3e89353c1ed723332

nova/tests/test_libvirt.py

@@ -3908,8 +3908,10 @@ class IptablesFirewallTestCase(test.TestCase):
         ipv6 = self.fw.iptables.ipv6['filter'].rules
         ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
         ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
-        self.assertEquals(ipv4_network_rules,
-                  ipv4_rules_per_addr * ipv4_addr_per_network * networks_count)
+        # Extra rule is for the DHCP request
+        rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
+                 networks_count) + 1
+        self.assertEquals(ipv4_network_rules, rules)
         self.assertEquals(ipv6_network_rules,
                   ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
 

nova/tests/test_xenapi.py

@@ -2068,8 +2068,10 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
         ipv6 = self.fw.iptables.ipv6['filter'].rules
         ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
         ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
-        self.assertEquals(ipv4_network_rules,
-                  ipv4_rules_per_addr * ipv4_addr_per_network * networks_count)
+        # Extra rule is for the DHCP request
+        rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
+                 networks_count) + 1
+        self.assertEquals(ipv4_network_rules, rules)
         self.assertEquals(ipv6_network_rules,
                   ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
 

nova/virt/firewall.py

@@ -149,6 +149,10 @@ class IptablesFirewallDriver(FirewallDriver):
         self.network_infos = {}
         self.basically_filtered = False
 
+        # Flags for DHCP request rule
+        self.dhcp_create = False
+        self.dhcp_created = False
+
         self.iptables.ipv4['filter'].add_chain('sg-fallback')
         self.iptables.ipv4['filter'].add_rule('sg-fallback', '-j DROP')
         self.iptables.ipv6['filter'].add_chain('sg-fallback')
@@ -191,6 +195,13 @@ class IptablesFirewallDriver(FirewallDriver):
         LOG.debug(_('Filters added to instance'), instance=instance)
         self.refresh_provider_fw_rules()
         LOG.debug(_('Provider Firewall Rules refreshed'), instance=instance)
+        # Ensure that DHCP request rule is updated if necessary
+        if (self.dhcp_create and not self.dhcp_created):
+            self.iptables.ipv4['filter'].add_rule(
+                    'INPUT',
+                    '-s 0.0.0.0/32 -d 255.255.255.255/32 '
+                    '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
+            self.dhcp_created = True
         self.iptables.apply()
 
     def _create_filter(self, ips, chain_name):
@@ -272,6 +283,7 @@ class IptablesFirewallDriver(FirewallDriver):
             if dhcp_server:
                 ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                                   '-j ACCEPT' % (dhcp_server,))
+                self.dhcp_create = True
 
     def _do_project_network_rules(self, ipv4_rules, ipv6_rules, network_info):
         # make sure this is legacy nw_info