allow DHCP from router interfaces

This fix adds the router interfaces as allowed source addresses for
DHCP. This supports the Astara appliance case where DHCP is running
within the same appliance providing routing.

Change-Id: Ic4db49dc39a524b6c1557b9423496a1eb5d87843
Closes-Bug:1531967

astara_neutron/plugins/ml2_neutron_plugin.py

@@ -19,6 +19,7 @@ import re
 import netaddr
 from neutron.common import constants as neutron_constants
 from neutron.db import l3_db
+from neutron.db import models_v2
 from neutron.plugins.ml2 import plugin
 from neutron.services.l3_router import l3_router_plugin
 
@@ -84,6 +85,32 @@ class Ml2Plugin(floatingip.ExplicitFloatingIPAllocationMixin,
             ]
         return res
 
+    def _select_dhcp_ips_for_network_ids(self, context, network_ids):
+        ips = super(Ml2Plugin, self)._select_dhcp_ips_for_network_ids(
+            context,
+            network_ids
+        )
+
+        # allow DHCP replies from router interfaces since they're combined in
+        # Astara appliances. Minimal impact if another appliance is used.
+        query = context.session.query(models_v2.Port.mac_address,
+                                      models_v2.Port.network_id,
+                                      models_v2.IPAllocation.ip_address)
+        query = query.join(models_v2.IPAllocation)
+        query = query.filter(models_v2.Port.network_id.in_(network_ids))
+        owner = neutron_constants.DEVICE_OWNER_ROUTER_INTF
+        query = query.filter(models_v2.Port.device_owner == owner)
+
+        for mac_address, network_id, ip in query:
+            if (netaddr.IPAddress(ip).version == 6
+                and not netaddr.IPAddress(ip).is_link_local()):
+
+                ip = str(netaddr.EUI(mac_address).ipv6_link_local())
+            if ip not in ips[network_id]:
+                ips[network_id].append(ip)
+
+        return ips
+
     # TODO(markmcclain) add upstream ability to remove port-security
     # workaround it for now by filtering out Akanda ports
     def get_ports_from_devices(self, context, devices):

releasenotes/notes/allow_dhcp_router_traffic-bae5fc460078dd9a.yaml

@@ -0,0 +1,3 @@
+---
+fixes:
+  - Bug `266586 <https://bugs.launchpad.net/astara/+bug/266586>`_ \- Always allow DHCP traffic through security groups from router to tenant VMs on the same subnet