Merge "Ensure that FORWARD rule also supports DHCP"

nova/tests/test_libvirt.py

@@ -3948,9 +3948,9 @@ class IptablesFirewallTestCase(test.TestCase):
         ipv6 = self.fw.iptables.ipv6['filter'].rules
         ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
         ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
-        # Extra rule is for the DHCP request
+        # Extra rules are for the DHCP request
         rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
-                 networks_count) + 1
+                 networks_count) + 2
         self.assertEquals(ipv4_network_rules, rules)
         self.assertEquals(ipv6_network_rules,
                   ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)

nova/tests/test_xenapi.py

@@ -2068,9 +2068,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
         ipv6 = self.fw.iptables.ipv6['filter'].rules
         ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len
         ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len
-        # Extra rule is for the DHCP request
+        # Extra rules are for the DHCP request
         rules = (ipv4_rules_per_addr * ipv4_addr_per_network *
-                 networks_count) + 1
+                 networks_count) + 2
         self.assertEquals(ipv4_network_rules, rules)
         self.assertEquals(ipv6_network_rules,
                   ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)

nova/virt/firewall.py

@@ -201,6 +201,10 @@ class IptablesFirewallDriver(FirewallDriver):
                     'INPUT',
                     '-s 0.0.0.0/32 -d 255.255.255.255/32 '
                     '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
+            self.iptables.ipv4['filter'].add_rule(
+                    'FORWARD',
+                    '-s 0.0.0.0/32 -d 255.255.255.255/32 '
+                    '-p udp -m udp --sport 68 --dport 67 -j ACCEPT')
             self.dhcp_created = True
         self.iptables.apply()