Merged in Havana: configurable iptables drop actions in nova
Launchpad bug 1013893 asked nicely if the drop action for iptables rules created by nova-network could be configured. The idea here is that you might want to do something other than a plain old drop -- for example logging before dropping. This has now been implemented in Havana.
To configure the drop action, set the iptables_drop_action config option to the name of an already existing iptables target. Creating this target is not managed by nova, and you'll need to do it on every compute node. When nova creates or deletes iptables rules on compute nodes it will now use this new target. There's a bit of an upgrade problem here in that this will stop nova from deleting rules which use the old hard-coded drop target. However, if an instance is torn down then all of its tables are torn down as well and rules will be deleted correctly, so this is only a problem if a security group is changed while the instance is running.
It occurs to me that we can do better here, so I've sent off this review to handle the case where a rule being removed used the default drop action.
For safety, I would recommend only using this flag on new compute nodes that have no instances running in order to make this simple.
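The post leaves the creation of the target to the operator. As an added example (not code from the post or from nova), the script below builds a log-then-drop chain that can be named in iptables_drop_action, emits the matching nova.conf fragment, and checks that the chain is present before the flag is turned on. The chain name nova-log-drop, the log prefix and the rate limit are assumptions; the only requirement is that the name in nova.conf matches a chain that exists on every compute node.

```shell
#!/bin/sh
# Added example (not from the original post): build and install a log-then-drop
# iptables target for nova-network's iptables_drop_action option.
# Chain name, log prefix and iptables binary are assumptions; override via env.

CHAIN="${CHAIN:-nova-log-drop}"
LOG_PREFIX="${LOG_PREFIX:-nova-drop: }"
IPT="${IPT:-iptables}"

# iptables rejects chain names of 29 or more characters; also refuse anything
# outside [A-Za-z0-9_-] so the name can be pasted into nova.conf unquoted.
valid_chain_name() {
    name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 28 ] || return 1
    case "$name" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# The commands that create (or reset) the chain, so repeated runs are safe:
# create it, or flush it if it already exists, then add a rate-limited LOG
# rule followed by the DROP that the plain target used to do on its own.
target_rules() {
    chain="$1"; prefix="$2"
    cat <<EOF
$IPT -N $chain 2>/dev/null || $IPT -F $chain
$IPT -A $chain -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$prefix" --log-level 4
$IPT -A $chain -j DROP
EOF
}

# nova.conf fragment that points nova-network at the chain.
nova_conf_snippet() {
    printf '[DEFAULT]\niptables_drop_action = %s\n' "$1"
}

# Returns 0 if the chain exists in the filter table on this host.
target_exists() {
    "$IPT" -n -L "$1" >/dev/null 2>&1
}

# Validate, install the chain, and confirm it is really there afterwards.
apply_target() {
    valid_chain_name "$CHAIN" || { echo "invalid chain name: $CHAIN" >&2; return 1; }
    target_rules "$CHAIN" "$LOG_PREFIX" | sh -e
    target_exists "$CHAIN"
}

case "${1:-}" in
    --apply) apply_target ;;
    --check) if target_exists "$CHAIN"; then echo "$CHAIN present"; else echo "$CHAIN missing"; fi ;;
    --conf)  nova_conf_snippet "$CHAIN" ;;
    *)       target_rules "$CHAIN" "$LOG_PREFIX" ;;   # dry run: show what --apply would do
esac
```

Run it with no arguments to review the iptables commands, with `--apply` (as root) on each compute node, and with `--check` before changing nova.conf; because nova only uses the name, a node where `--check` reports the chain missing would have its new rules reference a nonexistent target, so the check belongs in whatever rolls the flag out.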
Tags for this post: openstack havana nova iptables rackspace
posted at: 21:13 | path: /openstack/havana | permanent link to this entry