#Note(nati) allow dhcp or RA packet
ipv4_rules += ['-p udp -m udp --sport 68 --dport 67 -j RETURN']
ipv6_rules += ['-p icmpv6 -j RETURN']
+ ipv6_rules += ['-p udp -m udp --sport 546 --dport 547 -j RETURN']
mac_ipv4_pairs = []
mac_ipv6_pairs = []
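Review bot: The comment at the top of the hunk, `#Note(nati) allow dhcp or RA packet`, no longer describes the block now that a UDP 546→547 RETURN is appended to ipv6_rules; change it to `#Note(nati) allow dhcp, dhcpv6 or RA packet`. Like the IPv4 68→67 rule above it, the new rule is appended before _setup_spoof_filter_chain is called with ipv6_rules, so it is matched ahead of the MAC/IP spoof filter and constrains neither source nor destination address; that looks deliberate (a DHCPv6 client sources from a link-local address the agent does not know), but the comment should say so, because a reader auditing the anti-spoofing path will otherwise read it as an oversight. _spoofing_rule's signature and the rest of its body are outside the hunk.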
self._setup_spoof_filter_chain(port, self.iptables.ipv6['filter'],
mac_ipv6_pairs, ipv6_rules)
- def _drop_dhcp_rule(self):
+ def _drop_dhcp_rule(self, ipv4_rules, ipv6_rules):
#Note(nati) Drop dhcp packet from VM
- return ['-p udp -m udp --sport 67 --dport 68 -j DROP']
+ ipv4_rules += ['-p udp -m udp --sport 67 --dport 68 -j DROP']
+ ipv6_rules += ['-p udp -m udp --sport 547 --dport 546 -j DROP']
def _accept_inbound_icmpv6(self):
# Allow multicast listener, neighbor solicitation and
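Review bot: _drop_dhcp_rule now extends its two list parameters in place and returns None, but nothing in the hunk says so, and the one-line comment still only mentions "dhcp"; replace it with `# Drop DHCP (67->68) and DHCPv6 (547->546) server replies sent by the VM so a guest cannot act as a rogue DHCP server; ipv4_rules/ipv6_rules are extended in place`. The change of contract matters because any caller outside this diff still written as `ipv4_iptables_rule += self._drop_dhcp_rule()` would now fail at runtime with a TypeError on `list += None` rather than being caught at import time; the only call site in this diff is updated. `ipv4_rules.extend([...])` would also make the in-place intent explicit, since `+=` on a parameter reads like a local rebinding.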
self._spoofing_rule(port,
ipv4_iptables_rule,
ipv6_iptables_rule)
- ipv4_iptables_rule += self._drop_dhcp_rule()
+ self._drop_dhcp_rule(ipv4_iptables_rule, ipv6_iptables_rule)
if direction == INGRESS_DIRECTION:
ipv6_iptables_rule += self._accept_inbound_icmpv6()
ipv4_iptables_rule += self._convert_sgr_to_iptables_rules(
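Review bot: The DROP for 547→546 is now installed wherever this call runs, and the enclosing block starts outside the hunk, so it is worth confirming the call sits under an egress-only condition: applied on the ingress chain it would discard legitimate DHCPv6 server replies (547→546) addressed to the VM. If the guard is there, a short comment on the call, `# egress only: stop the VM from answering as a DHCP/DHCPv6 server`, would make that dependency visible at the call site. The spoof rules and this drop are appended before the direction-specific and security-group rules below, which presumably keeps them ahead of any user-defined allow rule in the generated chain.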
ethertype = rule['ethertype']
prefix = FAKE_IP[ethertype]
filter_inst = self.v4filter_inst
- dhcp_rule = mock.call.add_rule(
+ dhcp_rule = [mock.call.add_rule(
'ofake_dev',
- '-p udp -m udp --sport 68 --dport 67 -j RETURN')
+ '-p udp -m udp --sport 68 --dport 67 -j RETURN')]
if ethertype == 'IPv6':
filter_inst = self.v6filter_inst
- dhcp_rule = mock.call.add_rule('ofake_dev', '-p icmpv6 -j RETURN')
+ dhcp_rule = [mock.call.add_rule('ofake_dev',
+ '-p icmpv6 -j RETURN'),
+ mock.call.add_rule('ofake_dev', '-p udp -m udp '
+ '--sport 546 --dport 547 '
+ '-j RETURN')]
sg = [rule]
port['security_group_rules'] = sg
self.firewall.prepare_port_filter(port)
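Review bot: `dhcp_rule` now holds a list of one or two expected calls in both branches but keeps its singular name; `dhcp_rules` would match what the later `calls += dhcp_rule` consumes. The IPv6 expectation also splits one rule string across three implicitly concatenated literals on separate lines, which is easy to misread as extra arguments to add_rule; keeping each rule as a single literal the way the IPv4 branch does would make the assertion easier to compare against the production rule string.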
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -s %s -j RETURN'
% prefix),
- mock.call.add_rule('sfake_dev', '-j DROP'),
- dhcp_rule,
- mock.call.add_rule('ofake_dev', '-j $sfake_dev')]
+ mock.call.add_rule('sfake_dev', '-j DROP')]
+ calls += dhcp_rule
+ calls.append(mock.call.add_rule('ofake_dev', '-j $sfake_dev'))
if ethertype == 'IPv4':
calls.append(mock.call.add_rule(
'ofake_dev',
'-p udp -m udp --sport 67 --dport 68 -j DROP'))
+ if ethertype == 'IPv6':
+ calls.append(mock.call.add_rule(
+ 'ofake_dev',
+ '-p udp -m udp --sport 547 --dport 546 -j DROP'))
calls += [mock.call.add_rule(
'ofake_dev', '-m state --state INVALID -j DROP'),
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
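Review bot: The two DHCPv6 lines are pasted verbatim into three expectation blocks — this one and the two further down that end in the `%(bn)s-o_port1 … -sg-fallback` and `%(bn)s-o_port2 … -sg-fallback` lines — so any future rule change has to be mirrored in three places; a shared per-port fragment (constructed name, e.g. a `DHCPV6_PORT_RULES` string substituted into each block) would keep them in step. The ordering these fixtures pin is the part worth protecting: the 547→546 DROP precedes `-m state --state RELATED,ESTABLISHED -j RETURN`, so a guest answering as a DHCPv6 server is dropped regardless of connection state, and a one-line comment beside the fixture stating that ordering requirement would stop a later reorder from silently weakening it.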
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-o_port2 -p icmpv6 -j RETURN
+[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 546 --dport 547 -j RETURN
+[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 547 --dport 546 -j DROP
[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP
[0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN
[0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback