Disable IPv6 on bridge devices in linux bridge code

Bridges should not have any IPv6 addresses, neither link-local
nor ones on the tenant's private network: the bridge processes
Router Advertisements from Neutron and auto-configures addresses,
which would allow a tenant VM to reach the hypervisor.

The bridge only exists for the Neutron security group
code, so we can safely disable IPv6 on it.

Similar to other nova and neutron changes such as
https://review.openstack.org/#/c/313070/

Change-Id: I2ce540b4201cd227c5df53daeb686c4cc49a6e59
Closes-bug: 1302080
Brian Haley 2016-08-05 11:37:34 -04:00
parent 6292a98348
commit c74f92a0e0
2 changed files with 45 additions and 0 deletions


@ -126,6 +126,12 @@ def _ensure_bridge_privileged(bridge, interface, net_attrs, gateway,
processutils.execute('brctl', 'setfd', bridge, 0)
# processutils.execute('brctl setageing %s 10' % bridge)
processutils.execute('brctl', 'stp', bridge, 'off')
disv6 = ('/proc/sys/net/ipv6/conf/%s/disable_ipv6' % bridge)
if os.path.exists(disv6):
processutils.execute('tee',
disv6,
process_input='1',
check_exit_code=[0, 1])
# (danwent) bridge device MAC address can't be set directly.
# instead it inherits the MAC address of the first device on the
# bridge, which will either be the vlan interface, or a
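Review bot: The new `processutils.execute('tee', disv6, ...)` call passes `check_exit_code=[0, 1]`, so a failed write (tee exits 1 on EACCES or a read-only /proc) is accepted and the bridge comes up with IPv6 still enabled, with no record of the failure; for a control whose purpose is closing a tenant-to-hypervisor path that should at least be visible, e.g. read the file back after the write and emit `LOG.warning('Could not disable IPv6 on bridge %s', bridge)` when it is not `1` (assuming the module's logger is in scope here, which the hunk does not show). Also, the sysctl is only written on the creation path: the accompanying test asserts that no commands run when `device_exists` is true, so bridges that already exist on an upgraded hypervisor keep their current addresses until they are recreated — worth a release note or a one-off pass over existing bridges. A short comment on the `disv6` line stating that the write must happen before `ip link set up`, because the kernel assigns the link-local address on link-up, would protect the ordering. `_ensure_bridge_privileged` starts before this hunk and continues past it.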


@ -12,6 +12,7 @@
import contextlib
import mock
import os.path
import six
import testtools
@ -84,3 +85,41 @@ class LinuxNetTest(testtools.TestCase):
linux_net._ensure_vlan_privileged(123, 'fake-bridge',
mac_address='fake-mac', mtu=None)
self.assertFalse(mock_set_mtu.called)
@mock.patch.object(processutils, "execute")
@mock.patch.object(linux_net, "device_exists", return_value=True)
def test_ensure_bridge_exists(self, mock_dev_exists, mock_exec):
linux_net.ensure_bridge("br0", None, filtering=False)
self.assertEqual([], mock_exec.mock_calls)
mock_dev_exists.assert_called_once_with("br0")
@mock.patch.object(os.path, "exists", return_value=False)
@mock.patch.object(processutils, "execute")
@mock.patch.object(linux_net, "device_exists", return_value=False)
def test_ensure_bridge_new_ipv4(self, mock_dev_exists, mock_exec,
mock_path_exists):
linux_net.ensure_bridge("br0", None, filtering=False)
calls = [mock.call('brctl', 'addbr', 'br0'),
mock.call('brctl', 'setfd', 'br0', 0),
mock.call('brctl', 'stp', 'br0', "off"),
mock.call('ip', 'link', 'set', 'br0', "up")]
self.assertEqual(calls, mock_exec.mock_calls)
mock_dev_exists.assert_called_once_with("br0")
@mock.patch.object(os.path, "exists", return_value=True)
@mock.patch.object(processutils, "execute")
@mock.patch.object(linux_net, "device_exists", return_value=False)
def test_ensure_bridge_new_ipv6(self, mock_dev_exists, mock_exec,
mock_path_exists):
linux_net.ensure_bridge("br0", None, filtering=False)
calls = [mock.call('brctl', 'addbr', 'br0'),
mock.call('brctl', 'setfd', 'br0', 0),
mock.call('brctl', 'stp', 'br0', "off"),
mock.call('tee', '/proc/sys/net/ipv6/conf/br0/disable_ipv6',
check_exit_code=[0, 1], process_input='1'),
mock.call('ip', 'link', 'set', 'br0', "up")]
self.assertEqual(calls, mock_exec.mock_calls)
mock_dev_exists.assert_called_once_with("br0")
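Review bot: `test_ensure_bridge_new_ipv6` pins the `tee` call to the position before `ip link set br0 up`, but nothing says why that order matters, so a refactor that moves the sysctl after link-up would only see an opaque list mismatch; add a comment above the `calls` list such as `# disable_ipv6 must be written before the link comes up, otherwise the kernel has already assigned a link-local address`. Coverage-wise, the `os.path.exists` false branch is exercised by `test_ensure_bridge_new_ipv4`, but there is no test that the sysctl path is untouched when `device_exists` is true with IPv6 present (the existing `test_ensure_bridge_exists` does not patch `os.path.exists`); if the current no-op on existing bridges is intended, a test stating that makes the upgrade behaviour explicit.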