From 0cb9b5254f412e9ec0d3f2cb6fd07e038c3a5097 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Thu, 8 Jun 2017 23:35:17 -0400
Subject: [PATCH] Split allowed ICMPv6 types into two constants

There was only a single list of allowed ICMPv6 types, but the defaults allowed for ingress and egress are different when it comes to Router Advertisements and Router Solicitations.

Change-Id: I737f07065cf2fb0b574a7f0f49e084488bf23ac0
Closes-bug: #1685237
---
 neutron/agent/firewall.py | 14 ++++++++++----
 neutron/agent/linux/iptables_firewall.py | 2 +-
 .../agent/linux/openvswitch_firewall/firewall.py | 4 ++--
 .../unit/agent/linux/test_iptables_firewall.py | 2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/neutron/agent/firewall.py b/neutron/agent/firewall.py
index 1c194558bfa..c510ec8f609 100644
--- a/neutron/agent/firewall.py
+++ b/neutron/agent/firewall.py
@@ -33,10 +33,16 @@ DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
 # List of ICMPv6 types that should be permitted (ingress) by default. This list
 # depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
 # as related traffic.
-ICMPV6_ALLOWED_TYPES = [n_const.ICMPV6_TYPE_MLD_QUERY,
-                       n_const.ICMPV6_TYPE_RA,
-                       n_const.ICMPV6_TYPE_NS,
-                       n_const.ICMPV6_TYPE_NA]
+ICMPV6_ALLOWED_INGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
+                                n_const.ICMPV6_TYPE_RA,
+                                n_const.ICMPV6_TYPE_NS,
+                                n_const.ICMPV6_TYPE_NA)
+
+# List of ICMPv6 types that should be permitted (egress) by default.
+ICMPV6_ALLOWED_EGRESS_TYPES = (n_const.ICMPV6_TYPE_MLD_QUERY,
+                               n_const.ICMPV6_TYPE_RS,
+                               n_const.ICMPV6_TYPE_NS,
+                               n_const.ICMPV6_TYPE_NA)
 
 
 def port_sec_enabled(port):
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 5c5522e51c1..4e19233e29f 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
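Review bot: The public module-level name `ICMPV6_ALLOWED_TYPES` is deleted outright in this hunk, so any out-of-tree `FirewallDriver` subclass that still references `firewall.ICMPV6_ALLOWED_TYPES` will fail with an `AttributeError`; since the ingress tuple carries the old contents, a compatibility alias such as `ICMPV6_ALLOWED_TYPES = ICMPV6_ALLOWED_INGRESS_TYPES  # deprecated: use the direction-specific tuples` would keep those drivers loading. The new one-line egress comment also leaves the security-relevant asymmetry between the two tuples unexplained: Router Advertisement appears only in the ingress tuple and Router Solicitation only in the egress tuple, which is presumably what keeps an instance from advertising itself as a router to its neighbours, and that intent deserves to be stated so nobody "fixes" it later, e.g. `# RA is deliberately absent here so an instance cannot advertise itself as a router; RS is likewise absent from the ingress list.` Finally, the retained ingress comment attributes the conntrack dependency to iptables, but the OVS driver hunk in this same patch now consumes the ingress tuple too, so "conntrack" without the iptables qualifier would be more accurate.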
@@ -478,7 +478,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         # Allow multicast listener, neighbor solicitation and
         # neighbor advertisement into the instance
         icmpv6_rules = []
-        for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
             icmpv6_rules += ['-p ipv6-icmp -m icmp6 --icmpv6-type %s '
                              '-j RETURN' % icmp6_type]
         return icmpv6_rules
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 0a0a64bf352..cad877d2ab3 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -566,7 +566,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
         self._initialize_ingress(port)
 
     def _initialize_egress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_EGRESS_TYPES:
             self._add_flow(
                 table=ovs_consts.BASE_EGRESS_TABLE,
                 priority=95,
@@ -761,7 +761,7 @@ class OVSFirewallDriver(firewall.FirewallDriver):
         )
 
     def _initialize_ingress_ipv6_icmp(self, port):
-        for icmp_type in firewall.ICMPV6_ALLOWED_TYPES:
+        for icmp_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
             self._add_flow(
                 table=ovs_consts.BASE_INGRESS_TABLE,
                 priority=100,
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index baa50e964d4..9ee4be81d88 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1038,7 +1038,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                 comment=ic.SG_TO_VM_SG)
             ]
             if ethertype == 'IPv6':
-                for icmp6_type in firewall.ICMPV6_ALLOWED_TYPES:
+                for icmp6_type in firewall.ICMPV6_ALLOWED_INGRESS_TYPES:
                     calls.append(
                         mock.call.add_rule('ifake_dev',
                                            '-p ipv6-icmp -m icmp6 --icmpv6-type '
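Review bot: The context comment directly above the changed loop, `# Allow multicast listener, neighbor solicitation and neighbor advertisement into the instance`, understates what the loop now emits: per the firewall.py hunk, `ICMPV6_ALLOWED_INGRESS_TYPES` also contains Router Advertisement, which is the entry a reviewer of this ingress allow-list most needs to see because it is exactly what a rogue router on the segment would send. I would rewrite it as `# Allow MLD query, router advertisement, neighbor solicitation and` / `# neighbor advertisement into the instance by default (the set is` / `# firewall.ICMPV6_ALLOWED_INGRESS_TYPES).` The enclosing method's signature is above this hunk and not visible, and the diffstat shows only this one line changed in the iptables driver, so I cannot confirm whether this driver has an egress ICMPv6 path that should now consume `ICMPV6_ALLOWED_EGRESS_TYPES` the way the OVS driver does; that is worth checking so the two drivers enforce the same egress default.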
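Review bot: Switching `_initialize_egress_ipv6_icmp` to `ICMPV6_ALLOWED_EGRESS_TYPES` is a behaviour change, not just a rename: per the firewall.py hunk the egress tuple drops Router Advertisement and adds Router Solicitation, so the priority-95 flows installed in `BASE_EGRESS_TABLE` will no longer pass RAs originated by the port unless something outside this hunk (an explicit security-group rule, presumably) admits them. That is the right default — a port should not be able to advertise itself as a router — but the commit message describes the patch only as a constant split, so an operator running a port that legitimately acts as an IPv6 router would not learn from it that an explicit egress rule is now required after upgrade; a release note covering that seems warranted. I would also put the rationale on the method itself, e.g. `# Default egress ICMPv6: MLD query, RS, NS and NA only. RA is intentionally` / `# not in the default set so a port cannot advertise itself as a router.` The remainder of the method (the match fields passed to `_add_flow`) is below the hunk and not visible here.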