Merge "Drop IPv6 Router Advertisements in OVS firewall" into stable/newton

2017-07-07 20:44:09 +00:00 · 2017-07-07 20:44:09 +00:00 · 54d9f3bba6
parent e7fa36431f a916fc5173
commit 54d9f3bba6
1 changed files with 12 additions and 0 deletions
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -479,6 +479,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                actions='drop'
            )

+        # Drop Router Advertisements from instances
+        self._add_flow(
+            table=ovs_consts.BASE_EGRESS_TABLE,
+            priority=70,
+            in_port=port.ofport,
+            reg_port=port.ofport,
+            dl_type=constants.ETHERTYPE_IPV6,
+            nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
+            icmp_type=lib_const.ICMPV6_TYPE_RA,
+            actions='drop'
+        )
+
        # Drop all remaining not tracked egress connections
        self._add_flow(
            table=ovs_consts.BASE_EGRESS_TABLE,