Install more-specific ICMPv6 rule in DVR routers

The Openflow rule added in install_dvr_process_ipv6() is dropping
all ICMPv6 traffic, not just the Router Advertisement the comment
mentions. This is causing things like ping6 to fail to VMs on DVR
compute nodes because the reply packets are getting dropped in the
local DVR router before being sent to br-tun.

Change-Id: I14741dd4293e7cfb99cb6bba03cf583ca3ea82ef
Closes-bug: 1471000

diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py
index 46db4ec697bebc6ebb3320c2e5a8fcb48afff30c..6fdb06440e06cde7560d08850aed1ad0cb548c9e 100644 (file)
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py
@@ -29,6 +29,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from neutron.common import constants
+
 
 class OVSDVRProcessMixin(object):
     """Common logic for br-tun and br-phys' DVR_PROCESS tables.
@@ -58,6 +60,7 @@ class OVSDVRProcessMixin(object):
                       priority=3,
                       dl_vlan=vlan_tag,
                       proto='icmp6',
+                      icmp_type=constants.ICMPV6_TYPE_RA,
                       dl_src=gateway_mac,
                       actions='drop')
 
@@ -65,6 +68,7 @@ class OVSDVRProcessMixin(object):
         self.delete_flows(table=self.dvr_process_table_id,
                           dl_vlan=vlan_tag,
                           proto='icmp6',
+                          icmp_type=constants.ICMPV6_TYPE_RA,
                           dl_src=gateway_mac)
 
     def install_dvr_process(self, vlan_tag, vif_mac, dvr_mac_address):

diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py
index fabf698a818d1735af38d67c31981eab2234c745..ad9de289fc3041828c7ce124e7a52ada74d4897d 100644 (file)
--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py
@@ -16,6 +16,8 @@
 
 import mock
 
+from neutron.common import constants
+
 from neutron.tests.unit.plugins.ml2.drivers.openvswitch.agent \
     import ovs_test_base
 
@@ -112,7 +114,8 @@ class OVSDVRProcessTestMixin(object):
         expected = [
             call.add_flow(table=self.dvr_process_table_id,
                           proto='icmp6', dl_src=gateway_mac, actions='drop',
-                          priority=3, dl_vlan=vlan_tag),
+                          priority=3, dl_vlan=vlan_tag,
+                          icmp_type=constants.ICMPV6_TYPE_RA),
         ]
         self.assertEqual(expected, self.mock.mock_calls)
 
@@ -124,7 +127,8 @@ class OVSDVRProcessTestMixin(object):
         expected = [
             call.delete_flows(table=self.dvr_process_table_id,
                               dl_vlan=vlan_tag, dl_src=gateway_mac,
-                              proto='icmp6'),
+                              proto='icmp6',
+                              icmp_type=constants.ICMPV6_TYPE_RA),
         ]
         self.assertEqual(expected, self.mock.mock_calls)