Merge "Neutron to Drop Router Advts from VM ports"
commit
9563a7ae02
@ -32,5 +32,6 @@ INVALID_DROP = ("Drop packets that appear related to an existing connection "
|
||||
"(e.g. TCP ACK/FIN) but do not have an entry in conntrack.")
|
||||
ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
|
||||
'chain.')
|
||||
IPV6_RA_ALLOW = 'Allow IPv6 ICMP traffic to allow RA packets.'
|
||||
PORT_SEC_ACCEPT = 'Accept all packets when port security is disabled.'
|
||||
IPV6_RA_DROP = 'Drop IPv6 Router Advts from VM Instance.'
|
||||
IPV6_ICMP_ALLOW = 'Allow IPv6 ICMP traffic.'
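Review bot: If `IPV6_RA_ALLOW` is being removed here rather than kept next to the two new constants (the hunk's net growth of one line with seven lines shown suggests one removal and two additions), any other module that still references `ic.IPV6_RA_ALLOW` will fail at attribute access at runtime, not at import, so a grep for the name outside this diff is worth doing before merge. These strings presumably surface as rule comments in the rendered iptables rules, so spelling out `Router Advertisements` instead of `Router Advts` in `IPV6_RA_DROP` would read better for operators inspecting a chain.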
|
||||
|
@ -311,11 +311,15 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
mac_ipv6_pairs.append((mac, ip_address))
|
||||
|
||||
def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
|
||||
#Note(nati) allow dhcp or RA packet
|
||||
# Allow dhcp client packets
|
||||
ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 '
|
||||
'-j RETURN', comment=ic.DHCP_CLIENT)]
|
||||
# Drop Router Advts from the port.
|
||||
ipv6_rules += [comment_rule('-p icmpv6 --icmpv6-type %s '
|
||||
'-j DROP' % constants.ICMPV6_TYPE_RA,
|
||||
comment=ic.IPV6_RA_DROP)]
|
||||
ipv6_rules += [comment_rule('-p icmpv6 -j RETURN',
|
||||
comment=ic.IPV6_RA_ALLOW)]
|
||||
comment=ic.IPV6_ICMP_ALLOW)]
|
||||
ipv6_rules += [comment_rule('-p udp -m udp --sport 546 --dport 547 '
|
||||
'-j RETURN', comment=None)]
|
||||
mac_ipv4_pairs = []
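Review bot: The new drop at `-p icmpv6 --icmpv6-type %s -j DROP` filters only Router Advertisement (type 134), and the unconditional `-p icmpv6 -j RETURN` that follows still passes every other ICMPv6 type the port emits, including Redirect (type 137), which is likewise a message only a router should originate; if the intent is to keep instances from acting as routers, either drop that type in the same place or document why RA alone is filtered. The ordering is what makes the change effective — the DROP must stay ahead of the blanket RETURN — and that is not obvious from the code, so it deserves a why-comment such as `# Must precede the generic ICMPv6 RETURN below, which would otherwise pass RAs.` The header comment `#Note(nati) allow dhcp or RA packet` is now stale since RAs are dropped; rewrite it to `# Note(nati): allow DHCP/DHCPv6 client traffic and ICMPv6, but drop RAs`. _spoofing_rule continues past the end of the hunk.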
|
||||
|
@ -892,7 +892,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
||||
if ethertype == 'IPv6':
|
||||
filter_inst = self.v6filter_inst
|
||||
|
||||
dhcp_rule = [mock.call.add_rule('ofake_dev',
|
||||
dhcp_rule = [mock.call.add_rule('ofake_dev', '-p icmpv6 '
|
||||
'--icmpv6-type %s -j DROP'
|
||||
% constants.ICMPV6_TYPE_RA,
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev',
|
||||
'-p icmpv6 -j RETURN',
|
||||
comment=None),
|
||||
mock.call.add_rule('ofake_dev', '-p udp -m udp '
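Review bot: The expected call passes `comment=None` for the new DROP rule while the driver passes `comment=ic.IPV6_RA_DROP` in the other hunk; this presumably relies on the test fixture disabling iptables comments so comment_rule emits None, as the neighbouring `-p icmpv6 -j RETURN` expectation already does, but it is worth confirming the base test case actually sets that up rather than the assertion matching by accident. The list also encodes the one property that matters — the DROP call appears before the generic RETURN — so a one-line comment in the test, e.g. `# RA DROP must be added before the generic ICMPv6 RETURN`, would keep a later refactor from relaxing it into an unordered check. The enclosing test method starts before the hunk.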
|
||||
|
@ -2345,6 +2345,7 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
|
||||
%(physdev_is_bridged)s -j %(bn)s-o_port1
|
||||
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
|
||||
%(physdev_is_bridged)s -j %(bn)s-o_port1
|
||||
[0:0] -A %(bn)s-o_port1 -p icmpv6 --icmpv6-type 134 -j DROP
|
||||
[0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
|
||||
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
|
||||
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
|
||||
@ -2397,6 +2398,7 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
|
||||
%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
|
||||
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
|
||||
%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s
|
||||
[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 --icmpv6-type 134 -j DROP
|
||||
[0:0] -A %(bn)s-o_%(port1)s -p icmpv6 -j RETURN
|
||||
[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 546 --dport 547 -j RETURN
|
||||
[0:0] -A %(bn)s-o_%(port1)s -p udp -m udp --sport 547 --dport 546 -j DROP
|
||||
@ -2421,6 +2423,7 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
|
||||
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
|
||||
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
|
||||
%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s
|
||||
[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 --icmpv6-type 134 -j DROP
|
||||
[0:0] -A %(bn)s-o_%(port2)s -p icmpv6 -j RETURN
|
||||
[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 546 --dport 547 -j RETURN
|
||||
[0:0] -A %(bn)s-o_%(port2)s -p udp -m udp --sport 547 --dport 546 -j DROP
|
||||
|