Fix implicit ICMPv6 Security Group Rules
The implicit security group rules only included a rule to allow ICMPv6 ingress traffic. Furthermore, the security group rules used reflexive connection tracking, which causes issues when integrated with Open vSwitch rules (the router advertisement messages would result in connection tracking returning an "invalid" state). This patch adds bidirectional ICMPv6 to the implicit rules, without the reflexive behavior, which will allow the SLAAC process to succeed. Change-Id: I19bfb63acaa76ce41200c4e71bc3b5c73f995748
parent
5924611b07
commit
4cc0539615
|
@ -486,7 +486,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
conn_track='normal')
|
||||
self.aim.create(aim_ctx, dhcp6_ingress_rule, overwrite=True)
|
||||
|
||||
# Need this rule for the SLAAC traffic to go through
|
||||
# Need ICMPv6 rules for the SLAAC traffic to go through
|
||||
dname = aim_utils.sanitize_display_name(
|
||||
'DefaultSecurityGroupIcmp6IngressRule')
|
||||
icmp6_ingress_rule = aim_resource.SecurityGroupRule(
|
||||
|
@ -498,9 +498,25 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
direction='ingress',
|
||||
ethertype='ipv6',
|
||||
ip_protocol='icmpv6',
|
||||
conn_track='normal',
|
||||
remote_ips=['::/0'])
|
||||
self.aim.create(aim_ctx, icmp6_ingress_rule, overwrite=True)
|
||||
|
||||
dname = aim_utils.sanitize_display_name(
|
||||
'DefaultSecurityGroupIcmp6EgressRule')
|
||||
icmp6_egress_rule = aim_resource.SecurityGroupRule(
|
||||
tenant_name=COMMON_TENANT_NAME,
|
||||
security_group_name=sg_name,
|
||||
security_group_subject_name='default',
|
||||
name='icmp6_egress',
|
||||
display_name=dname,
|
||||
direction='egress',
|
||||
ethertype='ipv6',
|
||||
ip_protocol='icmpv6',
|
||||
conn_track='normal',
|
||||
remote_ips=['::/0'])
|
||||
self.aim.create(aim_ctx, icmp6_egress_rule, overwrite=True)
|
||||
|
||||
def _setup_keystone_notification_listeners(self):
|
||||
targets = [oslo_messaging.Target(
|
||||
exchange=self.keystone_notification_exchange,
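Review bot: The new `icmp6_egress_rule`, like the ingress rule it mirrors, admits every ICMPv6 type to and from `::/0` for every port in the default group, while the stated need is SLAAC, i.e. the NDP router-solicitation/advertisement and neighbor-discovery messages; if `aim_resource.SecurityGroupRule` can scope ICMP by type/code (the test hunk shows `from_port`/`to_port` left `'unspecified'`, which may be that knob), narrowing to the NDP types per RFC 4890 would keep the implicit rule from also passing, for example, echo and redirect traffic in both directions. Whether `conn_track='normal'` on the ingress rule is new or a replacement cannot be told from the rendered page (no removed line is shown), but the test's move from `'reflexive'` to `'normal'` suggests the old rule relied on the reflexive default; that reasoning lives only in the commit message, so put it beside the field: `# 'normal' rather than the reflexive default: RA/NDP replies do not match a tracked flow and would be dropped as invalid.` The two rule constructions differ only in `name`, `display_name` and `direction`, so a small private helper that builds one `SecurityGroupRule` for a given direction would keep them from drifting. The enclosing method starts before this hunk.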
|
||||
|
|
|
@ -1225,7 +1225,24 @@ class TestAimMapping(ApicAimTestCase):
|
|||
self.assertEqual(['::/0'], sg_rule.remote_ips)
|
||||
self.assertEqual('unspecified', sg_rule.from_port)
|
||||
self.assertEqual('unspecified', sg_rule.to_port)
|
||||
self.assertEqual('reflexive', sg_rule.conn_track)
|
||||
self.assertEqual('normal', sg_rule.conn_track)
|
||||
|
||||
# Check ICMP6 egress SecurityGroupRule.
|
||||
sg_rule = self._get_sg_rule(
|
||||
'icmp6_egress', 'default', sg_aname, 'common')
|
||||
self.assertEqual('common', sg_rule.tenant_name)
|
||||
self.assertEqual(sg_aname, sg_rule.security_group_name)
|
||||
self.assertEqual('default', sg_rule.security_group_subject_name)
|
||||
self.assertEqual('icmp6_egress', sg_rule.name)
|
||||
self.assertEqual(
|
||||
'DefaultSecurityGroupIcmp6EgressRule', sg_rule.display_name)
|
||||
self.assertEqual('egress', sg_rule.direction)
|
||||
self.assertEqual('ipv6', sg_rule.ethertype)
|
||||
self.assertEqual('icmpv6', sg_rule.ip_protocol)
|
||||
self.assertEqual(['::/0'], sg_rule.remote_ips)
|
||||
self.assertEqual('unspecified', sg_rule.from_port)
|
||||
self.assertEqual('unspecified', sg_rule.to_port)
|
||||
self.assertEqual('normal', sg_rule.conn_track)
|
||||
|
||||
def test_network_lifecycle(self):
|
||||
# Test create.
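Review bot: The new egress assertion block repeats the ingress one line for line, differing only in the three values tied to direction (`name`, `display_name`, `direction`), so a later change to one rule's shape, such as narrowing `remote_ips` or `from_port`, is easy to update in one copy and miss in the other. A helper such as `_check_default_icmp6_rule(self, sg_rule, direction)` that derives the name and display name from the direction would let both checks share one definition. The enclosing test method starts before this hunk.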
|
||||
|
|