Drop IPv6 Router Advertisements in OVS firewall
Only neutron routers should be sending RAs, and with
the iptables firewall these are dropped, but there
was no corresponding rule for the OVS firewall.
Change-Id: I045c652ad8cbecf5ed8e98934306476ed7170e90
Partial-bug: #1685237
(cherry picked from commit ce0352aa7b)
parent 41fcc4fb5e
commit a916fc5173
|
@ -479,6 +479,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
|
|||
actions='drop'
|
||||
)
|
||||
|
||||
# Drop Router Advertisements from instances
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_EGRESS_TABLE,
|
||||
priority=70,
|
||||
in_port=port.ofport,
|
||||
reg_port=port.ofport,
|
||||
dl_type=constants.ETHERTYPE_IPV6,
|
||||
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
|
||||
icmp_type=lib_const.ICMPV6_TYPE_RA,
|
||||
actions='drop'
|
||||
)
|
||||
|
||||
# Drop all remaining not tracked egress connections
|
||||
self._add_flow(
|
||||
table=ovs_consts.BASE_EGRESS_TABLE,
|
||||
|
|
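Review bot: the new Router Advertisement drop is installed at priority=70 in ovs_consts.BASE_EGRESS_TABLE, so it only takes effect if no higher-priority flow in that table already accepts ICMPv6 from the port. Please confirm that any egress ICMPv6 allow rules exclude icmp_type=lib_const.ICMPV6_TYPE_RA, otherwise an instance's RA is matched there first and never reaches this drop. The commit message says the iptables firewall already drops these, so a unit test asserting this flow (table, priority, icmp_type, actions='drop') would keep the two drivers from diverging again. The code comment could also carry the reason given in the commit message, that only neutron routers should be sending RAs.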