9ab5159d2d
Before that patch it was possible to send ICMPv6 packets like e.g.
neutron_lib.constants.ICMPV6_TYPE_MLD_QUERY,
neutron_lib.constants.ICMPV6_TYPE_RS,
neutron_lib.constants.ICMPV6_TYPE_NS,
neutron_lib.constants.ICMPV6_TYPE_NA
And that could cause some security issues as instance could advertise
that it owns IPv6 address which really don't belong to it.
Now rules in table=71 which allows that traffic are "per mac/ipaddress"
and are allowed only for fixed ips allocated to port and port's
allowed_address_pairs.
Conflicts:
neutron/agent/linux/openvswitch_firewall/firewall.py
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
Closes-Bug: #1902917
Change-Id: I4749fdc6a6cabd253b971bf4010ff76f5593c59c
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| dashboards | ||
| internals | ||
| policies | ||
| stadium | ||
| testing | ||
| alembic_migrations.rst | ||
| client_command_extensions.rst | ||
| contribute.rst | ||
| development_environment.rst | ||
| effective_neutron.rst | ||
| index.rst | ||
| modules.rst | ||
| neutron_api.rst | ||