Also add the ICMP IPV6 ingress rule into the default SG

We need this rule for the SLAAC traffic to go through. Change-Id: Iaead2f8d797c80c4560f4dc7b2f2f5d8397cf201
2018-04-10 16:13:31 -07:00 · 2018-04-10 16:13:31 -07:00 · 3d45bd3836
parent 378a966d38
commit 3d45bd3836
2 changed files with 32 additions and 0 deletions
--- a/gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py
+++ b/gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py
@ -375,6 +375,21 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
            conn_track='normal')
        self.aim.create(aim_ctx, dhcp6_ingress_rule, overwrite=True)

+        # Need this rule for the SLAAC traffic to go through
+        dname = aim_utils.sanitize_display_name(
+            'DefaultSecurityGroupIcmp6IngressRule')
+        icmp6_ingress_rule = aim_resource.SecurityGroupRule(
+            tenant_name=COMMON_TENANT_NAME,
+            security_group_name=sg_name,
+            security_group_subject_name='default',
+            name='icmp6_ingress',
+            display_name=dname,
+            direction='ingress',
+            ethertype='ipv6',
+            ip_protocol='icmpv6',
+            remote_ips=['::/0'])
+        self.aim.create(aim_ctx, icmp6_ingress_rule, overwrite=True)
+
    def _setup_keystone_notification_listeners(self):
        targets = [oslo_messaging.Target(
                    exchange=self.keystone_notification_exchange,
--- a/gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py
+++ b/gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py
@ -1046,6 +1046,23 @@ class TestAimMapping(ApicAimTestCase):
        self.assertEqual('546', sg_rule.to_port)
        self.assertEqual('normal', sg_rule.conn_track)

+        # Check ICMP6 ingress SecurityGroupRule.
+        sg_rule = self._get_sg_rule(
+            'icmp6_ingress', 'default', sg_aname, 'common')
+        self.assertEqual('common', sg_rule.tenant_name)
+        self.assertEqual(sg_aname, sg_rule.security_group_name)
+        self.assertEqual('default', sg_rule.security_group_subject_name)
+        self.assertEqual('icmp6_ingress', sg_rule.name)
+        self.assertEqual(
+            'DefaultSecurityGroupIcmp6IngressRule', sg_rule.display_name)
+        self.assertEqual('ingress', sg_rule.direction)
+        self.assertEqual('ipv6', sg_rule.ethertype)
+        self.assertEqual('icmpv6', sg_rule.ip_protocol)
+        self.assertEqual(['::/0'], sg_rule.remote_ips)
+        self.assertEqual('unspecified', sg_rule.from_port)
+        self.assertEqual('unspecified', sg_rule.to_port)
+        self.assertEqual('reflexive', sg_rule.conn_track)
+
    def test_network_lifecycle(self):
        # Test create.
        net = self._make_network(self.fmt, 'net1', True)['network']