Set security group provider rule for icmpv6 RA in DVR

Security group provider rules for RA is set for the VM ports
when a router interface is added or updated after the VM
instance is created.

In the case of DVR Routers the security group provider rule
to allow the RA packets to flow through the VM port input
chain was missing and so the VM was not able to get a
SLAAC/DHCP address when associated with a DVR Router.

This fix will add the security group rule to the VM port input
chain to allow the RA packets to flow into the VM and hence
the VM will obtain an IP address assigned by the Router.

Closes-Bug: #1501969

Change-Id: Ib0b3499d9c880fe1462734b2d4092debf4819509

diff --git a/neutron/db/securitygroups_rpc_base.py b/neutron/db/securitygroups_rpc_base.py
index 15639940431b16ea87906093613a04ed6195c8fd..a7a9bb204bcca5fcdf2d54beb6ea4944f74bd000 100644 (file)
--- a/neutron/db/securitygroups_rpc_base.py
+++ b/neutron/db/securitygroups_rpc_base.py
@@ -138,7 +138,10 @@ class SecurityGroupServerRpcMixin(sg_db.SecurityGroupDbMixin):
                     port['network_id'])
             # For IPv6, provider rule need to be updated in case router
             # interface is created or updated after VM port is created.
-            elif port['device_owner'] == n_const.DEVICE_OWNER_ROUTER_INTF:
+            # NOTE (Swami): ROUTER_INTERFACE_OWNERS check is required
+            # since it includes the legacy router interface device owners
+            # and DVR router interface device owners.
+            elif port['device_owner'] in n_const.ROUTER_INTERFACE_OWNERS:
                 if any(netaddr.IPAddress(fixed_ip['ip_address']).version == 6
                        for fixed_ip in port['fixed_ips']):
                     sg_provider_updated_networks.add(

diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index 668071c8e35e578c1c8e0f631c99469f4bfc2e16..0e3dc3902af8a31c24a39732485e38cbff7c0126 100644 (file)
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
@@ -130,7 +130,7 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
                     self.fmt, net['network']['id'], **kwargs)
                 res = self.deserialize(self.fmt, res)
                 port_id = res['port']['id']
-                if device_owner == const.DEVICE_OWNER_ROUTER_INTF:
+                if device_owner in const.ROUTER_INTERFACE_OWNERS:
                     data = {'port': {'fixed_ips': []}}
                     req = self.new_update_request('ports', data, port_id)
                     res = self.deserialize(self.fmt,
@@ -146,6 +146,15 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
             '2001:0db8::1')
         self.assertTrue(self.notifier.security_groups_provider_updated.called)
 
+    def test_notify_security_group_dvr_ipv6_gateway_port_added(self):
+        self._test_security_group_port(
+            const.DEVICE_OWNER_DVR_INTERFACE,
+            '2001:0db8::1',
+            '2001:0db8::/64',
+            6,
+            '2001:0db8::2')
+        self.assertTrue(self.notifier.security_groups_provider_updated.called)
+
     def test_notify_security_group_ipv6_normal_port_added(self):
         self._test_security_group_port(
             None,