From a916fc5173569c5f7720d07fe3e1424bccbfb017 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Wed, 3 May 2017 16:34:12 -0400
Subject: [PATCH] Drop IPv6 Router Advertisements in OVS firewall

Only neutron routers should be sending RAs, and with the iptables firewall these are dropped, but there was no corresponding rule for the OVS firewall.

Change-Id: I045c652ad8cbecf5ed8e98934306476ed7170e90
Partial-bug: #1685237
(cherry picked from commit ce0352aa7b1609078e8f109b5b4c368d9a1baa89)
---
 neutron/agent/linux/openvswitch_firewall/firewall.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 9111c30dce2..d1dfa10b138 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -479,6 +479,18 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 actions='drop'
 )
 
+ # Drop Router Advertisements from instances
+ self._add_flow(
+ table=ovs_consts.BASE_EGRESS_TABLE,
+ priority=70,
+ in_port=port.ofport,
+ reg_port=port.ofport,
+ dl_type=constants.ETHERTYPE_IPV6,
+ nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
+ icmp_type=lib_const.ICMPV6_TYPE_RA,
+ actions='drop'
+ )
+
 # Drop all remaining not tracked egress connections
 self._add_flow(
 table=ovs_consts.BASE_EGRESS_TABLE,
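Review bot: The added comment `# Drop Router Advertisements from instances` says what the flow does but not why, and the rationale lives only in the commit message; I would expand it to `# Drop Router Advertisements from instances: only neutron routers should originate RAs, matching what the iptables driver already enforces.` The drop is installed at priority 70 in BASE_EGRESS_TABLE, so it is only effective if no higher-priority flow in that table already passes ICMPv6 traffic of type lib_const.ICMPV6_TYPE_RA for this port; the per-type ICMPv6 allow flows and the security-group rule tables are outside this hunk, so I cannot confirm that ordering here, and a short comment recording that dependency would help the next reader. The diffstat shows only firewall.py changed, so the new flow appears to have no unit test asserting it is installed alongside the neighbouring drop rules. The enclosing method starts outside the hunk.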