Drop IPv6 Router Advertisements in OVS firewall

Only neutron routers should be sending RAs, and with the iptables firewall these are dropped, but there was no corresponding rule for the OVS firewall. Change-Id: I045c652ad8cbecf5ed8e98934306476ed7170e90 Partial-bug: #1685237 (cherry picked from commit ce0352aa7b)
2017-05-03 16:34:12 -04:00 · 2017-05-03 16:34:12 -04:00 · 4aded9f16d
parent 38243ce03f
commit 4aded9f16d
1 changed files with 12 additions and 0 deletions
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@ -473,6 +473,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
                actions='drop'
            )

+        # Drop Router Advertisements from instances
+        self._add_flow(
+            table=ovs_consts.BASE_EGRESS_TABLE,
+            priority=70,
+            in_port=port.ofport,
+            reg_port=port.ofport,
+            dl_type=constants.ETHERTYPE_IPV6,
+            nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
+            icmp_type=lib_const.ICMPV6_TYPE_RA,
+            actions='drop'
+        )
+
        # Drop all remaining not tracked egress connections
        self._add_flow(
            table=ovs_consts.BASE_EGRESS_TABLE,