From a1b3e6dd1a5336009c274083c2a25c2285d379e6 Mon Sep 17 00:00:00 2001
From: Mark McClain
Date: Tue, 12 Jan 2016 16:48:50 -0500
Subject: [PATCH] allow DHCP from router interfaces

This fix adds the router interfaces as allowed source addresses for DHCP. This supports the Astara appliance case where DHCP is running within the same appliance providing routing.

Change-Id: Ic4db49dc39a524b6c1557b9423496a1eb5d87843
Closes-Bug:1531967
---
 astara_neutron/plugins/ml2_neutron_plugin.py | 27 +++++++++++++++++++
 ..._dhcp_router_traffic-bae5fc460078dd9a.yaml | 3 +++
 2 files changed, 30 insertions(+)
 create mode 100644 releasenotes/notes/allow_dhcp_router_traffic-bae5fc460078dd9a.yaml

diff --git a/astara_neutron/plugins/ml2_neutron_plugin.py b/astara_neutron/plugins/ml2_neutron_plugin.py
index 3c38b89..a5fc64b 100644
--- a/astara_neutron/plugins/ml2_neutron_plugin.py
+++ b/astara_neutron/plugins/ml2_neutron_plugin.py
@@ -19,6 +19,7 @@ import re
 import netaddr
 from neutron.common import constants as neutron_constants
 from neutron.db import l3_db
+from neutron.db import models_v2
 from neutron.plugins.ml2 import plugin
 from neutron.services.l3_router import l3_router_plugin
 
@@ -84,6 +85,32 @@ class Ml2Plugin(floatingip.ExplicitFloatingIPAllocationMixin,
         ]
         return res
 
+    def _select_dhcp_ips_for_network_ids(self, context, network_ids):
+        ips = super(Ml2Plugin, self)._select_dhcp_ips_for_network_ids(
+            context,
+            network_ids
+        )
+
+        # allow DHCP replies from router interfaces since they're combined in
+        # Astara appliances. Minimal impact if another appliance is used.
+        query = context.session.query(models_v2.Port.mac_address,
+                                      models_v2.Port.network_id,
+                                      models_v2.IPAllocation.ip_address)
+        query = query.join(models_v2.IPAllocation)
+        query = query.filter(models_v2.Port.network_id.in_(network_ids))
+        owner = neutron_constants.DEVICE_OWNER_ROUTER_INTF
+        query = query.filter(models_v2.Port.device_owner == owner)
+
+        for mac_address, network_id, ip in query:
+            if (netaddr.IPAddress(ip).version == 6
+                    and not netaddr.IPAddress(ip).is_link_local()):
+
+                ip = str(netaddr.EUI(mac_address).ipv6_link_local())
+            if ip not in ips[network_id]:
+                ips[network_id].append(ip)
+
+        return ips
+
     # TODO(markmcclain) add upstream ability to remove port-security
     # workaround it for now by filtering out Akanda ports
     def get_ports_from_devices(self, context, devices):
diff --git a/releasenotes/notes/allow_dhcp_router_traffic-bae5fc460078dd9a.yaml b/releasenotes/notes/allow_dhcp_router_traffic-bae5fc460078dd9a.yaml
new file mode 100644
index 0000000..f3d799a
--- /dev/null
+++ b/releasenotes/notes/allow_dhcp_router_traffic-bae5fc460078dd9a.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+  - Bug `266586 `_ \- Always allow DHCP traffic through security groups from router to tenant VMs on the same subnet
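Review bot: The override adds every port whose `device_owner` is `DEVICE_OWNER_ROUTER_INTF` on the requested networks to the returned DHCP-server address list, not only Astara-managed appliances, and the `# Minimal impact if another appliance is used` comment does not make that explicit; since the parent's result presumably feeds the security-group rules that admit DHCP replies on tenant ports, the method should carry a docstring stating that it extends the parent's DHCP-server list with router-interface addresses (IPv4 as stored, IPv6 replaced by the MAC-derived link-local address) and that the IPv6 mapping assumes the appliance answers from its EUI-64 link-local address. An empty `network_ids` still issues the router-port query with an empty `IN ()` clause; a guard `if not network_ids: return ips` before building `query` avoids that. `netaddr.IPAddress(ip)` is constructed twice in the loop condition — bind it once, `addr = netaddr.IPAddress(ip)`, and test `addr.version` and `addr.is_link_local()`. The enclosing class `Ml2Plugin` starts and ends outside the hunk.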