review.fuel-infra Code Review - openstack-build/neutron-build.git/commit

author	sridhargaddam <sridhar.gaddam@enovance.com>
	Mon, 8 Dec 2014 16:11:38 +0000 (16:11 +0000)
committer	sridhargaddam <sridhar.gaddam@enovance.com>
	Fri, 24 Apr 2015 03:42:07 +0000 (03:42 +0000)
commit	9274c590a78444e9157afd4d41bff566b26c9323
tree	1f5409b11e13c5cedc0aae733ac3ac9ec72eb32e	tree \| snapshot
parent	4363bc38c44d60abefe59ed2edea036e326cbce5	commit \| diff

Neutron to Drop Router Advts from VM ports

As part of Spoofing filter chain Neutron drops all the outbound
traffic where MAC/IP does not match the IP address assigned
to the VM ports (inc' allowed_address_pairs). Along with this,
we also drop traffic associated to dhcp[v6] server (i.e., do
not allow a VM to run dhcp[v6] server). Currently we do not
have any rules to drop Router Advts from VM ports. This can create
issues in the network as other devices in the network may not have
any protection for this kind of stuff.

Even if we allow RAs from the VM ports, because of the Anti-Spoofing
rules that are applied, a VM cannot act as a IPv6 router (i.e., it
cannot forward IPv6 traffic). So there is no point in allowing Router
Advts from VMs assuming that it would be useful in Service VM use-cases.
In order to properly implement IPv6 router as a Service VM, one needs
to use the port_security_extension [1] which allows us to disable
security group rules/anti-spoofing filters on the VM ports.

[1]https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

This patch disables Router Advts from VM ports.

Closes-Bug: #1372882
Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab

neutron/agent/linux/iptables_comments.py		diff \| blob \| history
neutron/agent/linux/iptables_firewall.py		diff \| blob \| history
neutron/tests/unit/agent/linux/test_iptables_firewall.py		diff \| blob \| history
neutron/tests/unit/agent/test_securitygroups_rpc.py		diff \| blob \| history