Split allowed ICMPv6 types into two constants

There was only a single list of allowed ICMPv6 types, but the defaults allowed for ingress and egress are different when it comes to Router Advertisements and Router Solicitations. Change-Id: I737f07065cf2fb0b574a7f0f49e084488bf23ac0 Closes-bug: #1685237
2017-06-08 23:35:17 -04:00 · 2017-06-08 23:35:17 -04:00 · 0cb9b5254f
parent ce0352aa7b
commit 0cb9b5254f
4 changed files with 14 additions and 8 deletions
--- a/neutron/agent/firewall.py
+++ b/neutron/agent/firewall.py
@ -33,10 +33,16 @@ DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
 # List of ICMPv6 types that should be permitted (ingress) by default. This list
 # depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
 # as related traffic.
-ICMPV6_ALLOWED_TYPES = [n_const.ICMPV6_TYPE_MLD_QUERY,
-                        n_const.ICMPV6_TYPE_RA,
-                        n_const.ICMPV6_TYPE_NS,
-                        n_const.ICMPV6_TYPE_NA]
+ICMPV6_ALLOWED_INGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
+                                n_const.ICMPV6_TYPE_RA,
+                                n_const.ICMPV6_TYPE_NS,
+                                n_const.ICMPV6_TYPE_NA)
+
+# List of ICMPv6 types that should be permitted (egress) by default.
+ICMPV6_ALLOWED_EGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
+                               n_const.ICMPV6_TYPE_RS,
+                               n_const.ICMPV6_TYPE_NS,
+                               n_const.ICMPV6_TYPE_NA)


 def port_sec_enabled(port):
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -478,7 +478,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
        # Allow multicast listener, neighbor solicitation and
        # neighbor advertisement into the instance
        icmpv6_rules = []
-        for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
            icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s '
                             '-j RETURN' % icmp6_type]
        return icmpv6_rules
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -566,7 +566,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
        self._initialize_ingress(port)

    def _initialize_egress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_EGRESS_TYPES:
            self._add_flow(
                table=ovs_consts.BASE_EGRESS_TABLE,
                priority=95,
@ -761,7 +761,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            )

    def _initialize_ingress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
            self._add_flow(
                table=ovs_consts.BASE_INGRESS_TABLE,
                priority=100,
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@ -1038,7 +1038,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                                    comment=ic.SG_TO_VM_SG)
                 ]
        if ethertype == 'IPv6':
-            for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+            for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
                calls.append(
                    mock.call.add_rule('ifake_dev',
                                       '-p ipv6-icmp -m icmp6 --icmpv6-type '