any way to add a dhcpd ip to the firewall?

asked 2016-05-12 13:43:03 -0500

yee379 gravatar image

so i have my hypervisors and neutron node connected to a cisco nexus device and i'm using vlans. the cisco nexus does this thing where if i have a dhcp relay / ip helper configured, then local broadcast dhcp traffic will be blocked. this means that i have to add the dhcp server ip's from openstack as dhcp relay addresses on the cisco network interface.

this has the unfortunate side effect of the dhcp reply's coming back from the gateway address of the network rather than that of the dhcp service that was created by neutron. ie if i have the dhcp service port at, then the reply comes back from (the vlan interface gateway address).

this then gets blocked by the local iptables firewall of the instance, ie:

Chain neutron-openvswi-i595970cb-6 (1 references)
num  target     prot opt source               destination
1    RETURN     all  --              state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
2    RETURN     udp  --            udp spt:67 udp dpt:68
3    RETURN     all  --              match-set NIPv4558449c5-7876-4157-bf71- src
4    RETURN     tcp  --              tcp dpt:22
5    DROP       all  --              state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
6    neutron-openvswi-sg-fallback  all  --              /* Send unmatched traffic to the fallback chain. */

notice line number 2.

i can turn of dhcp relay completely on the cisco for that vlan and it does work as expected, however, i'm sharing that vlan with other non-openstack hosts currently (so those hosts need the dhcp relay).

so my question is whether there is a way add the gateway address to the iptables.


edit retag flag offensive close merge delete