Merge "Split allowed ICMPv6 types into two constants"
commit
243c742f4e
|
@ -34,10 +34,16 @@ DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
|
|||
# List of ICMPv6 types that should be permitted (ingress) by default. This list
|
||||
# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
|
||||
# as related traffic.
|
||||
ICMPV6_ALLOWED_TYPES = [n_const.ICMPV6_TYPE_MLD_QUERY,
|
||||
n_const.ICMPV6_TYPE_RA,
|
||||
n_const.ICMPV6_TYPE_NS,
|
||||
n_const.ICMPV6_TYPE_NA]
|
||||
ICMPV6_ALLOWED_INGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
|
||||
n_const.ICMPV6_TYPE_RA,
|
||||
n_const.ICMPV6_TYPE_NS,
|
||||
n_const.ICMPV6_TYPE_NA)
|
||||
|
||||
# List of ICMPv6 types that should be permitted (egress) by default.
|
||||
ICMPV6_ALLOWED_EGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
|
||||
n_const.ICMPV6_TYPE_RS,
|
||||
n_const.ICMPV6_TYPE_NS,
|
||||
n_const.ICMPV6_TYPE_NA)
|
||||
|
||||
|
||||
def port_sec_enabled(port):
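Review bot: The new `ICMPV6_ALLOWED_EGRESS_TYPES` carries no rationale, while the ingress tuple keeps the conntrack note, and the deliberate asymmetry (RA only in the ingress set, RS only in the egress set) is exactly what a later maintainer is likely to "fix" by adding RA back to egress, which would let an instance emit router advertisements onto the segment. I would extend the egress comment to `# List of ICMPv6 types that should be permitted (egress) by default. RA is` / `# deliberately absent so an instance cannot advertise itself as a router;` / `# RS is present so it can solicit one.` — presumably the intent, worth confirming with the author. Dropping `ICMPV6_ALLOWED_TYPES` outright also breaks any out-of-tree code importing it; a transitional alias `ICMPV6_ALLOWED_TYPES = ICMPV6_ALLOWED_INGRESS_TYPES` marked deprecated would keep such callers on the same set they had before.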
|
||||
|
|
|
@ -470,7 +470,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||
# Allow multicast listener, neighbor solicitation and
|
||||
# neighbor advertisement into the instance
|
||||
icmpv6_rules = []
|
||||
for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
|
||||
for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
|
||||
icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s '
|
||||
'-j RETURN' % icmp6_type]
|
||||
return icmpv6_rules
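Review bot: The comment above the loop still names only multicast listener, neighbor solicitation and neighbor advertisement, but `ICMPV6_ALLOWED_INGRESS_TYPES` also contains `ICMPV6_TYPE_RA`, so it understates what the generated RETURN rules admit. I would change it to `# Allow MLD query, router advertisement, neighbor solicitation and` / `# neighbor advertisement into the instance`. The enclosing method starts outside the hunk.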
|
||||
|
|
|
@ -565,7 +565,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
self._initialize_ingress(port)
|
||||
|
||||
def _initialize_egress_ipv6_icmp(self, port):
|
||||
for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
|
||||
for icmp_type in firewall.ICMPV6_ALLOWED_EGRESS_TYPES:
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_EGRESS_TABLE,
|
||||
priority=95,
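Review bot: `_initialize_egress_ipv6_icmp` has no docstring, and the same applies to `_initialize_ingress_ipv6_icmp` in the following hunk; now that the two iterate different constants, each should state which set it installs and in which table. For the egress method: `"""Install BASE_EGRESS_TABLE flows for the ICMPv6 types an instance may send (ICMPV6_ALLOWED_EGRESS_TYPES)."""`, with the ingress counterpart mirroring it for BASE_INGRESS_TABLE and ICMPV6_ALLOWED_INGRESS_TYPES. Both method bodies continue outside their hunks.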
|
||||
|
@ -760,7 +760,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
)
|
||||
|
||||
def _initialize_ingress_ipv6_icmp(self, port):
|
||||
for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
|
||||
for icmp_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_INGRESS_TABLE,
|
||||
priority=100,
|
||||
|
|
|
@ -1038,7 +1038,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
comment=ic.SG_TO_VM_SG)
|
||||
]
|
||||
if ethertype == 'IPv6':
|
||||
for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
|
||||
for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
|
||||
calls.append(
|
||||
mock.call.add_rule('ifake_dev',
|
||||
'-p ipv6-icmp -m icmp6 --icmpv6-type '
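Review bot: The expected calls are derived from `firewall.ICMPV6_ALLOWED_INGRESS_TYPES` itself, so this test still passes if that tuple loses RA or gains RS — it checks that the driver loops over the constant, not that the constant holds the right types. I would add direct assertions on the contents alongside it, e.g. `self.assertIn(n_const.ICMPV6_TYPE_RA, firewall.ICMPV6_ALLOWED_INGRESS_TYPES)` and `self.assertNotIn(n_const.ICMPV6_TYPE_RS, firewall.ICMPV6_ALLOWED_INGRESS_TYPES)` (n_const may need importing in this test module), plus the mirrored pair for the egress tuple. The enclosing test method starts outside the hunk.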
|
||||
|
|