Fix implicit ICMPv6 Security Group Rules

The implicit security group rules only included a rule to allow
ICMPv6 ingress traffic. Furthermore, the security group rules
used reflexive connection tracking, which causes issues when
integrated with Open vSwitch rules (the router advertisement
messages would result in connection tracking returning an
"invalid" state). This patch adds bidirectional ICMPv6 to the
implicit rules, without the reflexive behavior, which will
allow the SLAAC process to succeed.

Change-Id: I19bfb63acaa76ce41200c4e71bc3b5c73f995748

gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py

@@ -486,7 +486,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
             conn_track='normal')
         self.aim.create(aim_ctx, dhcp6_ingress_rule, overwrite=True)
 
-        # Need this rule for the SLAAC traffic to go through
+        # Need ICMPv6 rules for the SLAAC traffic to go through
         dname = aim_utils.sanitize_display_name(
             'DefaultSecurityGroupIcmp6IngressRule')
         icmp6_ingress_rule = aim_resource.SecurityGroupRule(
@@ -498,9 +498,25 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
             direction='ingress',
             ethertype='ipv6',
             ip_protocol='icmpv6',
+            conn_track='normal',
             remote_ips=['::/0'])
         self.aim.create(aim_ctx, icmp6_ingress_rule, overwrite=True)
 
+        dname = aim_utils.sanitize_display_name(
+            'DefaultSecurityGroupIcmp6EgressRule')
+        icmp6_egress_rule = aim_resource.SecurityGroupRule(
+            tenant_name=COMMON_TENANT_NAME,
+            security_group_name=sg_name,
+            security_group_subject_name='default',
+            name='icmp6_egress',
+            display_name=dname,
+            direction='egress',
+            ethertype='ipv6',
+            ip_protocol='icmpv6',
+            conn_track='normal',
+            remote_ips=['::/0'])
+        self.aim.create(aim_ctx, icmp6_egress_rule, overwrite=True)
+
     def _setup_keystone_notification_listeners(self):
         targets = [oslo_messaging.Target(
                     exchange=self.keystone_notification_exchange,

gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py

@@ -1225,7 +1225,24 @@ class TestAimMapping(ApicAimTestCase):
         self.assertEqual(['::/0'], sg_rule.remote_ips)
         self.assertEqual('unspecified', sg_rule.from_port)
         self.assertEqual('unspecified', sg_rule.to_port)
-        self.assertEqual('reflexive', sg_rule.conn_track)
+        self.assertEqual('normal', sg_rule.conn_track)
+
+        # Check ICMP6 egress SecurityGroupRule.
+        sg_rule = self._get_sg_rule(
+            'icmp6_egress', 'default', sg_aname, 'common')
+        self.assertEqual('common', sg_rule.tenant_name)
+        self.assertEqual(sg_aname, sg_rule.security_group_name)
+        self.assertEqual('default', sg_rule.security_group_subject_name)
+        self.assertEqual('icmp6_egress', sg_rule.name)
+        self.assertEqual(
+            'DefaultSecurityGroupIcmp6EgressRule', sg_rule.display_name)
+        self.assertEqual('egress', sg_rule.direction)
+        self.assertEqual('ipv6', sg_rule.ethertype)
+        self.assertEqual('icmpv6', sg_rule.ip_protocol)
+        self.assertEqual(['::/0'], sg_rule.remote_ips)
+        self.assertEqual('unspecified', sg_rule.from_port)
+        self.assertEqual('unspecified', sg_rule.to_port)
+        self.assertEqual('normal', sg_rule.conn_track)
 
     def test_network_lifecycle(self):
         # Test create.