From ce0352aa7b1609078e8f109b5b4c368d9a1baa89 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Wed, 3 May 2017 16:34:12 -0400
Subject: [PATCH] Drop IPv6 Router Advertisements in OVS firewall

Only neutron routers should be sending RAs, and with the iptables firewall these are dropped, but there was no corresponding rule for the OVS firewall.

Change-Id: I045c652ad8cbecf5ed8e98934306476ed7170e90
Partial-bug: #1685237
---
 neutron/agent/linux/openvswitch_firewall/firewall.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 26553691ecb..0a0a64bf352 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -660,6 +660,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
             actions='drop'
         )
 
+        # Drop Router Advertisements from instances
+        self._add_flow(
+            table=ovs_consts.BASE_EGRESS_TABLE,
+            priority=70,
+            in_port=port.ofport,
+            reg_port=port.ofport,
+            dl_type=constants.ETHERTYPE_IPV6,
+            nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
+            icmp_type=lib_const.ICMPV6_TYPE_RA,
+            actions='drop'
+        )
+
         # Drop all remaining not tracked egress connections
         self._add_flow(
             table=ovs_consts.BASE_EGRESS_TABLE,
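Review bot: The new priority-70 drop only takes effect if no flow in BASE_EGRESS_TABLE with a higher priority already forwards ICMPv6 from the same `in_port`/`reg_port` before it is reached; the earlier flows of the enclosing method are outside the hunk, so that ordering should be checked against any ICMPv6 or NDP allow flows installed there, since the commit message says the iptables driver drops RAs unconditionally and this rule is meant to match it. The diffstat shows only firewall.py changed, so a unit test asserting that a port's egress flow set contains a drop with `icmp_type=lib_const.ICMPV6_TYPE_RA` in BASE_EGRESS_TABLE would pin the behaviour and catch a later priority change. The comment would also help a maintainer if it stated the reason rather than just the action, e.g. `# Drop Router Advertisements from instances: only neutron routers may advertise on a network, and an RA from a VM would redirect its neighbours' default route (matches the iptables driver)`. Note that this blocks RAs from every firewalled port regardless of allowed-address-pairs, so a tenant-operated router VM is affected as well; if that is intended it is worth saying in the comment. The enclosing method starts before and continues after the hunk.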