neutron/doc
Slawek Kaplonski 9ab5159d2d [OVS FW] Allow egress ICMPv6 only for know addresses
Before that patch it was possible to send ICMPv6 packets like e.g.
    neutron_lib.constants.ICMPV6_TYPE_MLD_QUERY,
    neutron_lib.constants.ICMPV6_TYPE_RS,
    neutron_lib.constants.ICMPV6_TYPE_NS,
    neutron_lib.constants.ICMPV6_TYPE_NA

And that could cause some security issues as instance could advertise
that it owns IPv6 address which really don't belong to it.

Now rules in table=71 which allows that traffic are "per mac/ipaddress"
and are allowed only for fixed ips allocated to port and port's
allowed_address_pairs.

Conflicts:
    neutron/agent/linux/openvswitch_firewall/firewall.py
    neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

Closes-Bug: #1902917
Change-Id: I4749fdc6a6cabd253b971bf4010ff76f5593c59c
(cherry picked from commit 4b5bcff64c)
2021-02-27 20:15:42 +00:00
..
source [OVS FW] Allow egress ICMPv6 only for know addresses 2021-02-27 20:15:42 +00:00
Makefile Merge from launchpad quantum/diablo branch: 2011-09-23 20:17:44 -07:00
requirements.txt Use constraints for docs tox target and cap hacking 2019-12-19 15:18:12 +01:00