Merge "Neutron to Drop Router Advts from VM ports"

neutron/agent/linux/iptables_comments.py

@@ -32,5 +32,6 @@ INVALID_DROP = ("Drop packets that appear related to an existing connection "
                 "(e.g. TCP ACK/FIN) but do not have an entry in conntrack.")
 ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
                'chain.')
-IPV6_RA_ALLOW = 'Allow IPv6 ICMP traffic to allow RA packets.'
 PORT_SEC_ACCEPT = 'Accept all packets when port security is disabled.'
+IPV6_RA_DROP = 'Drop IPv6 Router Advts from VM Instance.'
+IPV6_ICMP_ALLOW = 'Allow IPv6 ICMP traffic.'

neutron/agent/linux/iptables_firewall.py

@@ -311,11 +311,15 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
             mac_ipv6_pairs.append((mac, ip_address))
 
     def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
-        #Note(nati) allow dhcp or RA packet
+        # Allow dhcp client packets
         ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 '
                                     '-j RETURN', comment=ic.DHCP_CLIENT)]
+        # Drop Router Advts from the port.
+        ipv6_rules += [comment_rule('-p icmpv6 --icmpv6-type %s '
+                                    '-j DROP' % constants.ICMPV6_TYPE_RA,
+                                    comment=ic.IPV6_RA_DROP)]
         ipv6_rules += [comment_rule('-p icmpv6 -j RETURN',
-                                    comment=ic.IPV6_RA_ALLOW)]
+                                    comment=ic.IPV6_ICMP_ALLOW)]
         ipv6_rules += [comment_rule('-p udp -m udp --sport 546 --dport 547 '
                                     '-j RETURN', comment=None)]
         mac_ipv4_pairs = []

neutron/tests/unit/agent/linux/test_iptables_firewall.py

@@ -892,7 +892,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         if ethertype == 'IPv6':
             filter_inst = self.v6filter_inst
 
-            dhcp_rule = [mock.call.add_rule('ofake_dev',
+            dhcp_rule = [mock.call.add_rule('ofake_dev', '-p icmpv6 '
+                                            '--icmpv6-type %s -j DROP'
+                                            % constants.ICMPV6_TYPE_RA,
+                                            comment=None),
+                         mock.call.add_rule('ofake_dev',
                                             '-p icmpv6 -j RETURN',
                                             comment=None),
                          mock.call.add_rule('ofake_dev', '-p udp -m udp '

neutron/tests/unit/agent/test_securitygroups_rpc.py

@@ -2345,6 +2345,7 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-o_port1
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-o_port1
+[0:0] -A %(bn)s-o_port1 -p icmpv6 --icmpv6-type 134 -j DROP
 [0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
@@ -2397,6 +2398,7 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
+[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 --icmpv6-type 134 -j DROP
 [0:0] -A %(bn)s-o_%(port1)s -p icmpv6 -j RETURN
 [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 --dport 547 -j RETURN
 [0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 --dport 546 -j DROP
@@ -2421,6 +2423,7 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 %(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
 %(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
+[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 --icmpv6-type 134 -j DROP
 [0:0] -A %(bn)s-o_%(port2)s -p icmpv6 -j RETURN
 [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 --dport 547 -j RETURN
 [0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 --dport 546 -j DROP