b7b0c7dbcd
Currently ingress ICMPv6 RAs are permitted from any IPs by default to allow VMs to accept ICMPv6 RA from provider network. In this way, VM can accept RAs from attacker VM and configure a network prefix specified by the attacher VM. Remove permitting ICMPv6 RAs from any IPs and add security rule to only permit ICMPv6 RA from: 1. If the port's subnet is configured with ipv6_ra_mode value (i.e.value is slaac, dhcpv6-stateful, or dhcpv6-stateless), RA is sending from dnsmasq controlled by OpenStack. In this case, allow RA from the link local address of gateway port (if the gateway port is created). 2. If the subnet's gateway port is not managed by OpenStack, allow the ICMPv6 RA sent from the subnet gateway IP if it's a link local address. The administrator needs to configure the gateway IP as link local address in this case to make the RA rule work. Change-Id: I1d5c7aaa8e4cf057204eb746c0faab2c70409a94 Closes-Bug: 1262759 |
||
---|---|---|
.. | ||
agent | ||
api | ||
cmd | ||
common | ||
db | ||
debug | ||
extensions | ||
locale | ||
notifiers | ||
openstack | ||
plugins | ||
scheduler | ||
server | ||
services | ||
tests | ||
__init__.py | ||
auth.py | ||
context.py | ||
hooks.py | ||
manager.py | ||
neutron_plugin_base_v2.py | ||
policy.py | ||
quota.py | ||
service.py | ||
version.py | ||
wsgi.py |