Merge "Drop IPv6 Router Advertisements in OVS firewall"

2017-06-14 21:42:36 +00:00 · 2017-06-14 21:42:36 +00:00 · 0ec5c033c2
parent 74b126dc44 ce0352aa7b
commit 0ec5c033c2
1 changed files with 12 additions and 0 deletions
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -659,6 +659,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                actions='drop'
            )

+        # Drop Router Advertisements from instances
+        self._add_flow(
+            table=ovs_consts.BASE_EGRESS_TABLE,
+            priority=70,
+            in_port=port.ofport,
+            reg_port=port.ofport,
+            dl_type=constants.ETHERTYPE_IPV6,
+            nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
+            icmp_type=lib_const.ICMPV6_TYPE_RA,
+            actions='drop'
+        )
+
        # Drop all remaining not tracked egress connections
        self._add_flow(
            table=ovs_consts.BASE_EGRESS_TABLE,