Merge "allow DHCP from router interfaces"

Jenkins 2016-01-18 23:44:42 +00:00 committed by Gerrit Code Review
commit 24fd3ad45f
2 changed files with 30 additions and 0 deletions


@ -19,6 +19,7 @@ import re
import netaddr
from neutron.common import constants as neutron_constants
from neutron.db import l3_db
from neutron.db import models_v2
from neutron.plugins.ml2 import plugin
from neutron.services.l3_router import l3_router_plugin
@ -84,6 +85,32 @@ class Ml2Plugin(floatingip.ExplicitFloatingIPAllocationMixin,
]
return res
def _select_dhcp_ips_for_network_ids(self, context, network_ids):
ips = super(Ml2Plugin, self)._select_dhcp_ips_for_network_ids(
context,
network_ids
)
# allow DHCP replies from router interfaces since they're combined in
# Astara appliances. Minimal impact if another appliance is used.
query = context.session.query(models_v2.Port.mac_address,
models_v2.Port.network_id,
models_v2.IPAllocation.ip_address)
query = query.join(models_v2.IPAllocation)
query = query.filter(models_v2.Port.network_id.in_(network_ids))
owner = neutron_constants.DEVICE_OWNER_ROUTER_INTF
query = query.filter(models_v2.Port.device_owner == owner)
for mac_address, network_id, ip in query:
if (netaddr.IPAddress(ip).version == 6
and not netaddr.IPAddress(ip).is_link_local()):
ip = str(netaddr.EUI(mac_address).ipv6_link_local())
if ip not in ips[network_id]:
ips[network_id].append(ip)
return ips
# TODO(markmcclain) add upstream ability to remove port-security
# workaround it for now by filtering out Akanda ports
def get_ports_from_devices(self, context, devices):
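Review bot: In `_select_dhcp_ips_for_network_ids`, the filter `models_v2.Port.device_owner == owner` matches every router-interface port on the requested networks, so each of those addresses is returned as a DHCP source which, per the release note, security groups then allow, whether or not the router behind it is an Astara appliance that actually serves DHCP. The inline comment calls the impact minimal, but the method has no docstring recording that it widens the DHCP allow-list; I would add one such as `"""Extend the DHCP server IPs with router-interface IPs so security groups accept DHCP replies from Astara appliances; router interfaces of other routers are trusted as well."""`. Separately, the query is built even when `network_ids` is empty, and `ips[network_id]` relies on the parent having created an entry for every network (the parent is not visible here); `if not network_ids: return ips` before the query and `ips.setdefault(network_id, [])` in the loop would make both cases explicit. No test for the new method is among the two changed files on this page.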


@ -0,0 +1,3 @@
---
fixes:
- Bug `266586 <https://bugs.launchpad.net/astara/+bug/266586>`_ \- Always allow DHCP traffic through security groups from router to tenant VMs on the same subnet