From 0dcf3d20c2e5c2592e9674e7277acce4eff98341 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C5=82awek=20Kap=C5=82o=C5=84ski?=
Date: Wed, 13 Sep 2017 17:24:03 +0000
Subject: [PATCH] Remove duplicated ICMPv6 RA rule from iptables firewall

Change Ibfbf011284cbde396f74db9d982993f994082731 moves generation of ICMPv6 RA rule from being hardcoded in iptables_firewall to being generated on server side and passed to agent. Unfortunatelly it wasn't removed from iptables_firewall and it was still added to rules which should be applied by firewall driver. That caused issue with warning message about duplicated rule. detected This patch removes this hardcoded rule to stop logging messages about duplicated rules.
Change-Id: Ic5e95405d4dd8ffbe8ec5b053aed257aec91b1c8
Closes-Bug: #1708465
---
 neutron/agent/firewall.py | 1 -
 .../unit/agent/test_securitygroups_rpc.py | 33 +++++++++----------
 2 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/neutron/agent/firewall.py b/neutron/agent/firewall.py
index 424ed64d923..f648ce34c64 100644
--- a/neutron/agent/firewall.py
+++ b/neutron/agent/firewall.py
@@ -35,7 +35,6 @@ DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
 # depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
 # as related traffic.
 ICMPV6_ALLOWED_INGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
- n_const.ICMPV6_TYPE_RA,
 n_const.ICMPV6_TYPE_NS,
 n_const.ICMPV6_TYPE_NA)
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index b234757311d..4ccd0999349 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
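Review bot: The comment lines above `ICMPV6_ALLOWED_INGRESS_TYPES` in this hunk still present the tuple as the full set of ingress ICMPv6 types the agent admits by default, and nothing in the code records that RA (type 134) is now deliberately absent, so a later reader is likely to re-add it and reintroduce exactly the duplicate rule this commit removes. I would extend that comment with a line such as `# RA (type 134) is intentionally not listed: the server now generates that rule and passes it to the agent, so listing it here again produces a duplicate.` One caveat worth a sentence in the commit message or a release note: with this removal the agent no longer admits router advertisements on its own, so an agent at this level paired with a server that does not yet generate the RA rule would presumably stop accepting RAs on the port (SLAAC addressing and the default route), which is an availability regression rather than a hardening; I cannot tell from the hunk whether an upgrade-order guard exists. If any other firewall driver in the tree reads this tuple it loses RA as well, which is worth confirming before merge. The hunk count header says seven old lines but only six are visible here, so one context line (probably a blank) was lost in extraction.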
@@ -2241,12 +2241,11 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
 -I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-o_port1
 -I %(bn)s-i_port1 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
--I %(bn)s-i_port1 2 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
--I %(bn)s-i_port1 3 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
--I %(bn)s-i_port1 4 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
--I %(bn)s-i_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN
--I %(bn)s-i_port1 6 -m state --state INVALID -j DROP
--I %(bn)s-i_port1 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_port1 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_port1 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_port1 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback
 -I %(bn)s-o_port1 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
 --icmpv6-type 131 -j RETURN
 -I %(bn)s-o_port1 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
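Review bot: After this change neither the `IPTABLES_FILTER_V6_1` expected string in this hunk nor the `IPTABLES_FILTER_V6_2` string in the hunk at -2308 contains a `--icmpv6-type 134` rule, so these tests no longer check that a router-advertisement rule reaches the port's ingress chain at all. If the security-group rules used as fixtures in this module do not already include the server-generated RA rule, a regression that silently drops RAs would pass both tests; consider adding that rule to the fixture and a matching `-p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN` line to the expected strings so the hand-off from agent- to server-side generation stays covered. The renumbering of the remaining `i_port1` rules to positions 2 through 6 looks consistent across both hunks.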
@@ -2308,19 +2307,17 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 -I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
 -I %(bn)s-i_%(port1)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
--I %(bn)s-i_%(port1)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
--I %(bn)s-i_%(port1)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
--I %(bn)s-i_%(port1)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
--I %(bn)s-i_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
--I %(bn)s-i_%(port1)s 6 -m state --state INVALID -j DROP
--I %(bn)s-i_%(port1)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port1)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port1)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback
 -I %(bn)s-i_%(port2)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
--I %(bn)s-i_%(port2)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
--I %(bn)s-i_%(port2)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
--I %(bn)s-i_%(port2)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
--I %(bn)s-i_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN
--I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP
--I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback
+-I %(bn)s-i_%(port2)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
+-I %(bn)s-i_%(port2)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
+-I %(bn)s-i_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN
+-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP
+-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback
 -I %(bn)s-o_%(port1)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \
 --icmpv6-type 131 -j RETURN
 -I %(bn)s-o_%(port1)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \