From 63cac536efa3474af40ea24603fca5e1d0a74e13 Mon Sep 17 00:00:00 2001 From: Jim Rollenhagen Date: Fri, 6 Nov 2015 12:37:32 -0800 Subject: [PATCH] Ironic: Explicitly allow DHCP ports This adds an iptables rule to allow ports 67 and 68. We see occassionally dropped DHCP packets, which may be causing PXE failures in ironic jobs. I'm not 100% confident this fixes the issue, however I don't think it can break anything and it rules out one theory. Change-Id: I4630afb6f010a4c2cb146a79264c480c64c6e4b7 Related-Bug: #1393099
---
 lib/ironic | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/ironic b/lib/ironic
index d786870165..016e639d03 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -672,6 +672,8 @@ function configure_iptables {
 # enable tftp natting for allowing connections to HOST_IP's tftp server
 sudo modprobe nf_conntrack_tftp
 sudo modprobe nf_nat_tftp
+ # explicitly allow DHCP - packets are occassionally being dropped here
+ sudo iptables -I INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true
 # nodes boot from TFTP and callback to the API server listening on $HOST_IP
 sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
 sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $IRONIC_SERVICE_PORT -j ACCEPT || true
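Review bot: The new ACCEPT rule in configure_iptables is inserted at the top of INPUT with no interface or address match, so it accepts UDP 67-68 from any host on any interface, whereas the TFTP and API rules below it are at least scoped with `-d $HOST_IP`. The `--sport 67:68` match gives no real protection, because a remote sender chooses its own source port. Since DHCP requests are broadcast, a `-d $HOST_IP` match would not fit here; scoping by the provisioning interface would keep the exposure to the network the nodes boot from, e.g. `sudo iptables -I INPUT -i <provisioning-interface> -p udp --dport 67:68 --sport 67:68 -j ACCEPT || true` (the interface name is a placeholder, as the hunk does not show it). The `|| true` also hides a failed insert, which matters for a change meant to rule out a theory; logging the failure would show whether the rule was actually in place for a given job. The function body starts and continues outside the hunk.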