Merge "Split allowed ICMPv6 types into two constants"

2017-06-16 06:14:00 +00:00 · 2017-06-16 06:14:00 +00:00 · 243c742f4e
parent 8829d90204 0cb9b5254f
commit 243c742f4e
4 changed files with 14 additions and 8 deletions
--- a/neutron/agent/firewall.py
+++ b/neutron/agent/firewall.py
@ -34,10 +34,16 @@ DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
 # List of ICMPv6 types that should be permitted (ingress) by default. This list
 # depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
 # as related traffic.
-ICMPV6_ALLOWED_TYPES = [n_const.ICMPV6_TYPE_MLD_QUERY,
-                        n_const.ICMPV6_TYPE_RA,
-                        n_const.ICMPV6_TYPE_NS,
-                        n_const.ICMPV6_TYPE_NA]
+ICMPV6_ALLOWED_INGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
+                                n_const.ICMPV6_TYPE_RA,
+                                n_const.ICMPV6_TYPE_NS,
+                                n_const.ICMPV6_TYPE_NA)
+
+# List of ICMPv6 types that should be permitted (egress) by default.
+ICMPV6_ALLOWED_EGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
+                               n_const.ICMPV6_TYPE_RS,
+                               n_const.ICMPV6_TYPE_NS,
+                               n_const.ICMPV6_TYPE_NA)


 def port_sec_enabled(port):
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -470,7 +470,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
        # Allow multicast listener, neighbor solicitation and
        # neighbor advertisement into the instance
        icmpv6_rules = []
-        for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
            icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s '
                             '-j RETURN' % icmp6_type]
        return icmpv6_rules
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -565,7 +565,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
        self._initialize_ingress(port)

    def _initialize_egress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_EGRESS_TYPES:
            self._add_flow(
                table=ovs_consts.BASE_EGRESS_TABLE,
                priority=95,
@ -760,7 +760,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
            )

    def _initialize_ingress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
            self._add_flow(
                table=ovs_consts.BASE_INGRESS_TABLE,
                priority=100,
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@ -1038,7 +1038,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                                    comment=ic.SG_TO_VM_SG)
                 ]
        if ethertype == 'IPv6':
-            for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+            for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
                calls.append(
                    mock.call.add_rule('ifake_dev',
                                       '-p ipv6-icmp -m icmp6 --icmpv6-type '