allow DHCP from router interfaces
This fix adds the router interfaces as allowed source addresses for DHCP. This supports the Astara appliance case where DHCP is running within the same appliance providing routing. Change-Id: Ic4db49dc39a524b6c1557b9423496a1eb5d87843 Closes-Bug:1531967
parent
ee4938d92c
commit
a1b3e6dd1a
|
@ -19,6 +19,7 @@ import re
|
|||
import netaddr
|
||||
from neutron.common import constants as neutron_constants
|
||||
from neutron.db import l3_db
|
||||
from neutron.db import models_v2
|
||||
from neutron.plugins.ml2 import plugin
|
||||
from neutron.services.l3_router import l3_router_plugin
|
||||
|
||||
|
@ -84,6 +85,32 @@ class Ml2Plugin(floatingip.ExplicitFloatingIPAllocationMixin,
|
|||
]
|
||||
return res
|
||||
|
||||
def _select_dhcp_ips_for_network_ids(self, context, network_ids):
|
||||
ips = super(Ml2Plugin, self)._select_dhcp_ips_for_network_ids(
|
||||
context,
|
||||
network_ids
|
||||
)
|
||||
|
||||
# allow DHCP replies from router interfaces since they're combined in
|
||||
# Astara appliances. Minimal impact if another appliance is used.
|
||||
query = context.session.query(models_v2.Port.mac_address,
|
||||
models_v2.Port.network_id,
|
||||
models_v2.IPAllocation.ip_address)
|
||||
query = query.join(models_v2.IPAllocation)
|
||||
query = query.filter(models_v2.Port.network_id.in_(network_ids))
|
||||
owner = neutron_constants.DEVICE_OWNER_ROUTER_INTF
|
||||
query = query.filter(models_v2.Port.device_owner == owner)
|
||||
|
||||
for mac_address, network_id, ip in query:
|
||||
if (netaddr.IPAddress(ip).version == 6
|
||||
and not netaddr.IPAddress(ip).is_link_local()):
|
||||
|
||||
ip = str(netaddr.EUI(mac_address).ipv6_link_local())
|
||||
if ip not in ips[network_id]:
|
||||
ips[network_id].append(ip)
|
||||
|
||||
return ips
|
||||
|
||||
# TODO(markmcclain) add upstream ability to remove port-security
|
||||
# workaround it for now by filtering out Akanda ports
|
||||
def get_ports_from_devices(self, context, devices):
|
||||
|
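Review bot: The new `_select_dhcp_ips_for_network_ids` treats every port whose `device_owner` equals `DEVICE_OWNER_ROUTER_INTF` as an allowed DHCP source, so the security-group DHCP allowance now depends on who can create or update a port with that owner value on the network. The inline comment says the impact is minimal with other appliances but does not state this assumption; I would extend it with something like `# NOTE: trusts device_owner; relies on API policy restricting network:* owners to admins/network owners`, and confirm that this holds for shared networks on the supported Neutron release. If Astara-managed routers can be identified more narrowly (not visible from this hunk), filtering on that would keep the allowance from applying to unrelated routers. The loop also indexes `ips[network_id]` directly, which presumably works because the parent method returns a list for every requested network; since the parent is not shown here, a one-line comment or a short docstring stating that would help the next reader.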
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
fixes:
|
||||
- Bug `266586 <https://bugs.launchpad.net/astara/+bug/266586>`_ \- Always allow DHCP traffic through security groups from router to tenant VMs on the same subnet
|