From c1f0db2b1d6ba47ec6edfdcd430ccfcf5f39da0c Mon Sep 17 00:00:00 2001
From: Adam Gandelman
Date: Mon, 14 Apr 2014 13:21:22 -0700
Subject: [PATCH] Insert required iptables rules for Ironic

Devstack gate slaves have locked down local iptables firewalls. Ironic nodes boot on an 'external' network and require TFTP and Ironic API access back to the node via its HOST_IP. This inserts the required rules to the top of the INPUT chain.

Change-Id: I2e5dfa2346d45fdd549a3a3fbc255f190195cdd6
---
 files/apts/ironic | 1 +
 files/rpms/ironic | 2 ++
 lib/ironic | 14 ++++++++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/files/apts/ironic b/files/apts/ironic
index a749ad762e..b77a6b1a9b 100644
--- a/files/apts/ironic
+++ b/files/apts/ironic
@@ -1,3 +1,4 @@
+iptables
 libguestfs0
 libvirt-bin
 openssh-client
diff --git a/files/rpms/ironic b/files/rpms/ironic
index 54b98299ee..6534095c20 100644
--- a/files/rpms/ironic
+++ b/files/rpms/ironic
@@ -1,6 +1,8 @@
+iptables
 libguestfs
 libvirt
 libvirt-python
+net-tools
 openssh-clients
 openvswitch
 python-libguestfs
diff --git a/lib/ironic b/lib/ironic
index ec9447db14..b684b4410f 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -379,11 +379,16 @@ function enroll_vms {
     neutron port-delete $PORT_ID
 }
 
-function configure_tftpd {
-    # enable tftp natting for allowing connections to SERVICE_HOST's tftp server
+function configure_iptables {
+    # enable tftp natting for allowing connections to HOST_IP's tftp server
     sudo modprobe nf_conntrack_tftp
     sudo modprobe nf_nat_tftp
+    # nodes boot from TFTP and callback to the API server listening on $HOST_IP
+    sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
+    sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+}
 
+function configure_tftpd {
     if is_ubuntu; then
         PXEBIN=/usr/lib/syslinux/pxelinux.0
     elif is_fedora; then
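Review bot: The two `iptables -I INPUT` rules added in configure_iptables accept UDP 69 and TCP 6385 to $HOST_IP from any source on any interface, so on a gate slave whose HOST_IP is reachable from outside, the unauthenticated TFTP tree (PXE configs, deploy kernel and ramdisk) and the Ironic API are opened to far more than the booting nodes; if the Ironic VMs reach the host over $IRONIC_VM_NETWORK_BRIDGE (the bridge cleanup_baremetal_basic_ops tears down), adding `-i $IRONIC_VM_NETWORK_BRIDGE` (or `-s` with the node subnet) to both rules would confine the opening to the boot network — worth confirming against how the 'external' network is actually attached before relying on it. The inserts are also not idempotent: `-I` adds a duplicate rule on every stack.sh run while the matching `-D` in cleanup removes only one, so guarding each insert as `sudo iptables -C INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT 2>/dev/null || sudo iptables -I INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT` (same for 6385) keeps the chain from accumulating rules. Finally, the trailing `|| true` discards a failed insert, which would later surface only as an opaque PXE/TFTP timeout; if the failure must remain non-fatal, at least echo a warning with the exit status rather than silently continuing.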
@@ -527,6 +532,7 @@ function prepare_baremetal_basic_ops {
     create_bridge_and_vms
     enroll_vms
     configure_tftpd
+    configure_iptables
 
     # restart nova-compute to ensure its resource tracking is up to
     # date with newly enrolled nodes
@@ -546,6 +552,10 @@ function cleanup_baremetal_basic_ops {
     sudo su $STACK_USER -c "$IRONIC_SCRIPTS_DIR/cleanup-nodes $IRONIC_VM_COUNT $IRONIC_VM_NETWORK_BRIDGE"
     sudo rm -rf /etc/xinetd.d/tftp /etc/init/tftpd-hpa.override
     restart_service xinetd
+    sudo iptables -D INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT || true
+    sudo iptables -D INPUT -d $HOST_IP -p tcp --dport 6385 -j ACCEPT || true
+    sudo rmmod nf_conntrack_tftp || true
+    sudo rmmod nf_nat_tftp || true
 }
 
 # Restore xtrace + pipefail
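Review bot: The two `rmmod` lines added at the end of cleanup_baremetal_basic_ops are in the wrong order: nf_nat_tftp is layered on nf_conntrack_tftp and keeps it pinned, so `rmmod nf_conntrack_tftp` fails while nf_nat_tftp is still loaded, the `|| true` swallows that failure, and nf_conntrack_tftp is left loaded after unstack. Reversing them to `sudo rmmod nf_nat_tftp || true` followed by `sudo rmmod nf_conntrack_tftp || true` mirrors the modprobe order in configure_iptables and actually unloads both (the `|| true` still covers the case where the modules were loaded before devstack or are built in). Note also that `iptables -D` removes a single matching rule, so if stack.sh ran more than once without a cleanup the duplicate ACCEPT rules survive; repeating each delete until it fails, e.g. `while sudo iptables -D INPUT -d $HOST_IP -p udp --dport 69 -j ACCEPT 2>/dev/null; do :; done`, leaves the INPUT chain clean.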