From: Brian Haley <brian.haley@hp.com>
Date: Thu, 2 Jul 2015 19:56:51 +0000 (-0400)
Subject: Install more-specific ICMPv6 rule in DVR routers
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=8a084805544a4676aeb4a9182032297897e590e0;p=openstack-build%2Fneutron-build.git

Install more-specific ICMPv6 rule in DVR routers

The Openflow rule added in install_dvr_process_ipv6() is dropping
all ICMPv6 traffic, not just the Router Advertisement the comment
mentions. This is causing things like ping6 to fail to VMs on DVR
compute nodes because the reply packets are getting dropped in the
local DVR router before being sent to br-tun.

Change-Id: I14741dd4293e7cfb99cb6bba03cf583ca3ea82ef
Closes-bug: 1471000
---

diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py
index 46db4ec69..6fdb06440 100644
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_dvr_process.py
@@ -29,6 +29,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from neutron.common import constants
+
 
 class OVSDVRProcessMixin(object):
     """Common logic for br-tun and br-phys' DVR_PROCESS tables.
@@ -58,6 +60,7 @@ class OVSDVRProcessMixin(object):
                       priority=3,
                       dl_vlan=vlan_tag,
                       proto='icmp6',
+                      icmp_type=constants.ICMPV6_TYPE_RA,
                       dl_src=gateway_mac,
                       actions='drop')
 
@@ -65,6 +68,7 @@ class OVSDVRProcessMixin(object):
         self.delete_flows(table=self.dvr_process_table_id,
                           dl_vlan=vlan_tag,
                           proto='icmp6',
+                          icmp_type=constants.ICMPV6_TYPE_RA,
                           dl_src=gateway_mac)
 
     def install_dvr_process(self, vlan_tag, vif_mac, dvr_mac_address):
diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py
index fabf698a8..ad9de289f 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/ovs_bridge_test_base.py
@@ -16,6 +16,8 @@
 
 import mock
 
+from neutron.common import constants
+
 from neutron.tests.unit.plugins.ml2.drivers.openvswitch.agent \
     import ovs_test_base
 
@@ -112,7 +114,8 @@ class OVSDVRProcessTestMixin(object):
         expected = [
             call.add_flow(table=self.dvr_process_table_id,
                           proto='icmp6', dl_src=gateway_mac, actions='drop',
-                          priority=3, dl_vlan=vlan_tag),
+                          priority=3, dl_vlan=vlan_tag,
+                          icmp_type=constants.ICMPV6_TYPE_RA),
         ]
         self.assertEqual(expected, self.mock.mock_calls)
 
@@ -124,7 +127,8 @@ class OVSDVRProcessTestMixin(object):
         expected = [
             call.delete_flows(table=self.dvr_process_table_id,
                               dl_vlan=vlan_tag, dl_src=gateway_mac,
-                              proto='icmp6'),
+                              proto='icmp6',
+                              icmp_type=constants.ICMPV6_TYPE_RA),
         ]
         self.assertEqual(expected, self.mock.mock_calls)