Allow DHCPv6 solicit from VM

DHCPv6 solicit UDP package is currently dropped because there is no security group rule to allow it like IPv4. This fix allows UDP DHCPv6 solicit from client port 546 to server port 547. This fix also drops DHCP reply from VM. Change-Id: I4941d401576e2c8bad37859d2cba227afde9e764 Closes-Bug: 1316515
2014-05-06 18:05:00 +08:00 · 2014-05-06 18:05:00 +08:00 · b74c5a0fa1
parent ae3e92fe0c
commit b74c5a0fa1
3 changed files with 25 additions and 9 deletions
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -214,6 +214,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
        #Note(nati) allow dhcp or RA packet
        ipv4_rules += ['-p udp -m udp --sport 68 --dport 67 -j RETURN']
        ipv6_rules += ['-p icmpv6 -j RETURN']
+        ipv6_rules += ['-p udp -m udp --sport 546 --dport 547 -j RETURN']
        mac_ipv4_pairs = []
        mac_ipv6_pairs = []

@ -236,9 +237,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
        self._setup_spoof_filter_chain(port, self.iptables.ipv6['filter'],
                                       mac_ipv6_pairs, ipv6_rules)

-    def _drop_dhcp_rule(self):
+    def _drop_dhcp_rule(self, ipv4_rules, ipv6_rules):
        #Note(nati) Drop dhcp packet from VM
-        return ['-p udp -m udp --sport 67 --dport 68 -j DROP']
+        ipv4_rules += ['-p udp -m udp --sport 67 --dport 68 -j DROP']
+        ipv6_rules += ['-p udp -m udp --sport 547 --dport 546 -j DROP']

    def _accept_inbound_icmpv6(self):
        # Allow multicast listener, neighbor solicitation and
@ -264,7 +266,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
            self._spoofing_rule(port,
                                ipv4_iptables_rule,
                                ipv6_iptables_rule)
-            ipv4_iptables_rule += self._drop_dhcp_rule()
+            self._drop_dhcp_rule(ipv4_iptables_rule, ipv6_iptables_rule)
        if direction == INGRESS_DIRECTION:
            ipv6_iptables_rule += self._accept_inbound_icmpv6()
        ipv4_iptables_rule += self._convert_sgr_to_iptables_rules(
--- a/neutron/tests/unit/test_iptables_firewall.py
+++ b/neutron/tests/unit/test_iptables_firewall.py
@ -801,14 +801,18 @@ class IptablesFirewallTestCase(base.BaseTestCase):
        ethertype = rule['ethertype']
        prefix = FAKE_IP[ethertype]
        filter_inst = self.v4filter_inst
-        dhcp_rule = mock.call.add_rule(
+        dhcp_rule = [mock.call.add_rule(
            'ofake_dev',
-            '-p udp -m udp --sport 68 --dport 67 -j RETURN')
+            '-p udp -m udp --sport 68 --dport 67 -j RETURN')]

        if ethertype == 'IPv6':
            filter_inst = self.v6filter_inst
-            dhcp_rule = mock.call.add_rule('ofake_dev', '-p icmpv6 -j RETURN')

+            dhcp_rule = [mock.call.add_rule('ofake_dev',
+                                            '-p icmpv6 -j RETURN'),
+                         mock.call.add_rule('ofake_dev', '-p udp -m udp '
+                                            '--sport 546 --dport 547 '
+                                            '-j RETURN')]
        sg = [rule]
        port['security_group_rules'] = sg
        self.firewall.prepare_port_filter(port)
@ -860,13 +864,17 @@ class IptablesFirewallTestCase(base.BaseTestCase):
                      'sfake_dev',
                      '-m mac --mac-source ff:ff:ff:ff:ff:ff -s %s -j RETURN'
                      % prefix),
-                  mock.call.add_rule('sfake_dev', '-j DROP'),
-                  dhcp_rule,
-                  mock.call.add_rule('ofake_dev', '-j $sfake_dev')]
+                  mock.call.add_rule('sfake_dev', '-j DROP')]
+        calls += dhcp_rule
+        calls.append(mock.call.add_rule('ofake_dev', '-j $sfake_dev'))
        if ethertype == 'IPv4':
            calls.append(mock.call.add_rule(
                'ofake_dev',
                '-p udp -m udp --sport 67 --dport 68 -j DROP'))
+        if ethertype == 'IPv6':
+            calls.append(mock.call.add_rule(
+                'ofake_dev',
+                '-p udp -m udp --sport 547 --dport 546 -j DROP'))

        calls += [mock.call.add_rule(
                  'ofake_dev', '-m state --state INVALID -j DROP'),
--- a/neutron/tests/unit/test_security_groups_rpc.py
+++ b/neutron/tests/unit/test_security_groups_rpc.py
@ -1593,6 +1593,8 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-o_port1
 [0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
 [0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
@ -1643,6 +1645,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-o_port1
 [0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
 [0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
@ -1665,6 +1669,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
 [0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
 %(physdev_is_bridged)s -j %(bn)s-o_port2
 [0:0] -A %(bn)s-o_port2 -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 547 --dport 546 -j DROP
 [0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback