How to run a DHCP Server as Openstack instance

Recently I found out, that by default the Openstack iptables firewall driver blocks outgoing DHCP traffic with a DROP filter rule on the bridge interface.

Running iptables –list reveals filter rules like this:

The third rule drops outgoing DHCP traffic like DHCPOFFER and DHCPACK.

At the time of writing Openstack (ocata) does not offer a possibility to selectively remove this rule for single interfaces. So what part of Openstack is in charge of creating these rules?

After some searching I found the IptablesFirewallDriver. This Python class is in charge of creating all iptables rules. After further inspection I found this function:

This function is always called so there is no way to prevent the creation of this rule via configuration.

There are two possible solutions:

  1. Use the neutron.agent.firewall.NoopFirewallDriver. As the name suggests this driver does no firewalling at all. Also rules defined in security groups would be ignored.
  2. Subclass IptablesFirewallDriver. The driver is just an ordinary Python class and can be subclassed and modified very easily. Security groups will still work, but all machines will be able to run a DHCP server being able to communicate with the outside world.

I went with option two, since I need the security groups feature. So what do we need to do?

First create this file structure:

Content of

Content of

Make sure to fill in the placeholders. The remains empty.

Now you have created an installable python package! Copy everything over to your Openstack host, go into the CustomOpenstackDrivers directory an run

Python now takes care of putting the files into the right location. Now you just need to tell Openstack to use the new firewall driver.

Make sure the following line is present in /etc/neutron/plugins/ml2/linuxbridge_agent.ini and /etc/neutron/plugins/ml2/ml2_conf.ini:

Now make sure to restart the neutron linuxbridge agent. On Ubuntu you can do this by running:

Now you are done. Check the logs to make sure that everything is fine. Now when running iptables –list the DHCP spoofing rule should be gone:

Be aware that all instances now can send DHCP server traffic to to other instances and the outside world. This should only be done in a trusted environment! If there are instances not directly controlled by you or your organization there is a good chance that doing this is a bad idea. In this case further customization of the IptablesFirewallDriver subclass might help by omitting the DROP rule only for certain interfaces.


1 thought on “How to run a DHCP Server as Openstack instance”

Leave a Comment

Your email address will not be published. Required fields are marked *