authorJenkins <jenkins@review.openstack.org>2017-06-16 06:14:00 +0000
committerGerrit Code Review <review@openstack.org>2017-06-16 06:14:01 +0000
commit243c742f4e316195c18706fb939392f933330675 (patch)
tree5517c953af93fdb3bcf7d4886a835c808b9464d5
parent8829d90204ecfb0f63b8efa4e1c2e769365f2b54 (diff)
parent0cb9b5254f412e9ec0d3f2cb6fd07e038c3a5097 (diff)
Merge "Split allowed ICMPv6 types into two constants"
-rw-r--r--neutron/agent/firewall.py14
-rw-r--r--neutron/agent/linux/iptables_firewall.py2
-rw-r--r--neutron/agent/linux/openvswitch_firewall/firewall.py4
-rw-r--r--neutron/tests/unit/agent/linux/test_iptables_firewall.py2
4 files changed, 14 insertions, 8 deletions
diff --git a/neutron/agent/firewall.py b/neutron/agent/firewall.py
index 6c2912b..1f3e189 100644
--- a/neutron/agent/firewall.py
+++ b/neutron/agent/firewall.py
@@ -34,10 +34,16 @@ DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
34# List of ICMPv6 types that should be permitted (ingress) by default. This list 34# List of ICMPv6 types that should be permitted (ingress) by default. This list
35# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4) 35# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
36# as related traffic. 36# as related traffic.
37ICMPV6_ALLOWED_TYPES = [n_const.ICMPV6_TYPE_MLD_QUERY, 37ICMPV6_ALLOWED_INGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
38 n_const.ICMPV6_TYPE_RA, 38 n_const.ICMPV6_TYPE_RA,
39 n_const.ICMPV6_TYPE_NS, 39 n_const.ICMPV6_TYPE_NS,
40 n_const.ICMPV6_TYPE_NA] 40 n_const.ICMPV6_TYPE_NA)
41
42# List of ICMPv6 types that should be permitted (egress) by default.
43ICMPV6_ALLOWED_EGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
44 n_const.ICMPV6_TYPE_RS,
45 n_const.ICMPV6_TYPE_NS,
46 n_const.ICMPV6_TYPE_NA)
41 47
42 48
43def port_sec_enabled(port): 49def port_sec_enabled(port):
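Review bot: The comment above the new egress tuple (line 42) says only that these types are permitted by default and does not explain why its membership differs from the ingress tuple: RS is allowed out while RA, which the old shared constant (lines 37-40) permitted in both directions, is not. Because the OVS egress path in this same commit switches to the new tuple, the absence of RA looks deliberate — an instance should be able to solicit a router but not advertise itself as one — and that rationale belongs next to the constant so nobody "fixes" the asymmetry later. Suggest `# Tuple of ICMPv6 types that should be permitted (egress) by default. RA is` / `# intentionally absent: an instance may send RS but must not act as a router.` Both header comments also still say "List" although the values are now tuples.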
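--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -470,7 +470,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         # Allow multicast listener, neighbor solicitation and
         # neighbor advertisement into the instance
         icmpv6_rules = []
-        for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
             icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s '
                              '-j RETURN' % icmp6_type]
         return icmpv6_rules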
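Review bot: The comment on lines 470-471 is now misleading: it lists multicast listener, neighbor solicitation and neighbor advertisement, but the ingress tuple iterated on line 473 also contains router advertisement (n_const.ICMPV6_TYPE_RA). Since this comment is what a reader uses to judge whether an unexpected ICMPv6 type has been let through, it should match the constant it documents. Suggest `# Allow multicast listener query, router advertisement, neighbor` / `# solicitation and neighbor advertisement into the instance`, or simply point at the constant: `# Allow the ICMPv6 types in firewall.ICMPV6_ALLOWED_INGRESS_TYPES into the instance`. The enclosing method begins before this hunk.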
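--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -565,7 +565,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
         self._initialize_ingress(port)
 
     def _initialize_egress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_EGRESS_TYPES:
             self._add_flow(
                 table=ovs_consts.BASE_EGRESS_TABLE,
                 priority=95,
@@ -760,7 +760,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             )
 
     def _initialize_ingress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
             self._add_flow(
                 table=ovs_consts.BASE_INGRESS_TABLE,
                 priority=100,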
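Review bot: `_initialize_egress_ipv6_icmp` (first hunk, line 567) has no docstring, and the switch on line 568 to the egress tuple is a behaviour change worth recording in one: with the old shared constant this method installed a base-table flow letting the instance emit router advertisements, and the new tuple no longer contains RA, so such frames from the port now fall through to the remaining egress rules instead of being accepted at priority 95. That is the security-relevant effect of the commit for this driver and neither the method nor the commit message states it. Suggest a short docstring such as `"""Allow the default egress ICMPv6 types (MLD query, RS, NS, NA) from the port; RA is deliberately not in this set so a port cannot advertise itself as a router."""`, with a matching one-liner on `_initialize_ingress_ipv6_icmp` in the second hunk. Both `_add_flow` calls continue past their hunks, so the rest of the flow match is not visible here.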
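--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1038,7 +1038,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                     comment=ic.SG_TO_VM_SG)
             ]
             if ethertype == 'IPv6':
-                for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+                for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
                     calls.append(
                         mock.call.add_rule('ifake_dev',
                                            '-p ipv6-icmp -m icmp6 --icmpv6-type '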