How to run a DHCP Server as an OpenStack instance
Recently I found out that, by default, the OpenStack iptables firewall driver blocks outgoing DHCP traffic with a DROP filter rule on the bridge interface. Running iptables --list reveals filter rules like this:
```
Chain neutron-linuxbri-ofe75adf8-c (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0              255.255.255.255      udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sfe75adf8-c  all  --  anywhere             anywhere
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */
```
The third rule drops outgoing DHCP traffic such as DHCPOFFER and DHCPACK. At the time of writing, OpenStack (Ocata) does not offer …
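To check whether this anti-spoofing rule is actually the one that decides DHCP server replies in a chain, rule order matters, because iptables stops at the first matching rule. The following is an added example, not code from the original post: the function name dhcp_reply_verdicts and the abridged sample listing are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Reads `iptables --list` output on
# stdin and, per chain, reports the first rule that decides the fate of a DHCP
# server reply: UDP, source port bootps (67), destination port bootpc (68).
# Assumptions: rules bound to a specific address or to conntrack state are
# skipped as non-decisive, and jumps into other chains are not followed.
dhcp_reply_verdicts() {
  awk '
    /^Chain /            { chain = $2; decided = 0; next }
    /^target/ || NF < 5  { next }
    decided              { next }
    {
      line = $0
      sub(/\/\*.*$/, "", line)              # drop the trailing rule comment
      nf = split(line, f, " ")
      if (f[2] != "udp" && f[2] != "all") next
      if (f[4] != "anywhere" && f[4] != "0.0.0.0/0") next
      if (f[5] != "anywhere" && f[5] != "0.0.0.0/0") next
      for (i = 6; i <= nf; i++) {
        if (f[i] == "state" || f[i] == "ctstate") next
        if (f[i] ~ /^spt:/ && f[i] != "spt:bootps" && f[i] != "spt:67") next
        if (f[i] ~ /^dpt:/ && f[i] != "dpt:bootpc" && f[i] != "dpt:68") next
      }
      if (f[1] == "DROP" || f[1] == "REJECT")        verdict = "blocked"
      else if (f[1] == "RETURN" || f[1] == "ACCEPT") verdict = "allowed"
      else next                             # jump to another chain
      print chain, verdict, f[1]
      decided = 1
    }
  '
}

# Sample input: the listing from the post, abridged, one rule per line.
sample_listing() {
  cat <<'EOF'
Chain neutron-linuxbri-ofe75adf8-c (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sfe75adf8-c all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
EOF
}

sample_listing | dhcp_reply_verdicts   # on a host: iptables --list | dhcp_reply_verdicts
```

In the sample the DROP comes before the unconditional RETURN, so the chain is reported as blocked; a chain where a catch-all RETURN came first would be reported as allowed.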