[OVS] Add IPv6 ICMP RA to the default ingress rules

"ICMPV6_TYPE_RA" was removed from "ICMPV6_ALLOWED_INGRESS_TYPES"
because of a bug in the iptables firewall (described in the LP
bug). This rule was added in "_add_ingress_ra_rule" to
port["security_group_rules"]. However, the OVS firewall does not
use this rule list but builds the default rules from scratch.

Closes-Bug: #1958643
Change-Id: I53ee3c87ab2a6306b31fc3387b706d8296031a14
Rodolfo Alonso Hernandez 2022-01-31 17:26:01 +00:00
parent 30951fcdfa
commit 0d23304120

@ -1345,7 +1345,12 @@ class OVSFirewallDriver(firewall.FirewallDriver):
)
def _initialize_ingress_ipv6_icmp(self, port):
for icmp_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
# NOTE(ralonsoh): "ICMPV6_TYPE_RA" was removed from
# "ICMPV6_ALLOWED_INGRESS_TYPES" because of a bug in the iptables
# firewall. This rule was added in "_add_ingress_ra_rule". However,
# the OVS firewall does not use port["security_group_rules"].
for icmp_type in (firewall.ICMPV6_ALLOWED_INGRESS_TYPES +
(lib_const.ICMPV6_TYPE_RA, )):
self._add_flow(
table=ovs_consts.BASE_INGRESS_TABLE,
priority=100,
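
Review bot: In the new loop header, `firewall.ICMPV6_ALLOWED_INGRESS_TYPES + (lib_const.ICMPV6_TYPE_RA, )` only works while the existing constant is a tuple; if it is ever changed to a list this raises a TypeError when the port is initialized. Consider building the combined tuple once as a named module-level constant for the OVS driver, which makes the type assumption explicit and gives tests something to assert on. The visible lines also do not show whether the RA flow is restricted by source, so it is worth confirming that this flow accepts RA from the same senders that the rule from `_add_ingress_ra_rule` allows in the iptables driver, so both drivers enforce the same default. The NOTE comment mentions "a bug in the iptables firewall" without a reference; citing the LP bug number from the commit message there would let a later reader find the reasoning.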