From 4225c1c097697e0c9b13700ad843b6e3ba11006e Mon Sep 17 00:00:00 2001
From: Mark McLoughlin
Date: Mon, 5 Sep 2011 07:10:52 +0100
Subject: [PATCH] Add INPUT chain rule for EC2 metadata requests (lp:856385)

On Fedora, the default policy for the INPUT chain in the filter table is DROP. This means that EC2 metadata requests from guests get dropped. Add this rule to let it through:
$> sudo iptables -t filter -A nova-network-INPUT \
   -s 0.0.0.0/0 -d $ec2_dmz_host \
   -m tcp -p tcp --dport $ec2_port -j ACCEPT
It makes no sense to have nova-network add an iptables rule for the EC2 metadata service, since they may not actually be on the same host. Instead, nova-api should add it directly. In order to do that, we add a manager class for API services and allow the EC2 manager use the network driver to add the rule.
Change-Id: I7c1f973c662a6d290e555b6a2ce8fc301f27b543
---
 nova/flags.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nova/flags.py b/nova/flags.py
index 58e8570b..5d066566 100644
--- a/nova/flags.py
+++ b/nova/flags.py
@@ -415,6 +415,9 @@ DEFINE_bool('resume_guests_state_on_host_boot', False,
 DEFINE_string('root_helper', 'sudo',
               'Command prefix to use for running commands as root')
+DEFINE_string('network_driver', 'nova.network.linux_net',
+              'Driver to use for network creation')
+
 DEFINE_bool('use_ipv6', False, 'use ipv6')
 DEFINE_integer('password_length', 12,
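Review bot: The help string on the new `network_driver` flag, 'Driver to use for network creation', does not say that the value is a dotted module path, which the commit message implies when it says the EC2 manager will load the network driver to install the INPUT-chain rule; a setting that selects code to import deserves to say so, e.g. `'Dotted module path of the network driver to import (default nova.network.linux_net)'`. The diffstat lists only nova/flags.py, so the API manager class and the iptables rule described in the message are presumably in a separate change; whichever module imports this flag's value is the place to confirm that only a configured, trusted path is loaded, since a config knob that names a module is effectively a code-loading choice. The hunk's last context line, `DEFINE_integer('password_length', 12,`, is cut off at the end of SOURCE, so its continuation is not visible here.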