From a7dc528c1860f6a325a36bb7c633c60b635fc9a6 Mon Sep 17 00:00:00 2001
From: Swaminathan Vasudevan
Date: Mon, 19 Oct 2015 22:02:38 -0700
Subject: [PATCH] Set security group provider rule for icmpv6 RA in DVR

Security group provider rules for RA is set for the VM ports when a router interface is added or updated after the VM instance is created. In the case of DVR Routers the security group provider rule to allow the RA packets to flow through the VM port input chain was missing and so the VM was not able to get a SLAAC/DHCP address when associated with a DVR Router. This fix will add the security group rule to the VM port input chain to allow the RA packets to flow into the VM and hence the VM will obtain an IP address assigned by the Router.
Closes-Bug: #1501969
Change-Id: Ib0b3499d9c880fe1462734b2d4092debf4819509
---
 neutron/db/securitygroups_rpc_base.py | 5 ++++-
 neutron/tests/unit/agent/test_securitygroups_rpc.py | 11 ++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/neutron/db/securitygroups_rpc_base.py b/neutron/db/securitygroups_rpc_base.py
index 156399404..a7a9bb204 100644
--- a/neutron/db/securitygroups_rpc_base.py
+++ b/neutron/db/securitygroups_rpc_base.py
@@ -138,7 +138,10 @@ class SecurityGroupServerRpcMixin(sg_db.SecurityGroupDbMixin):
 port['network_id'])
 # For IPv6, provider rule need to be updated in case router
 # interface is created or updated after VM port is created.
- elif port['device_owner'] == n_const.DEVICE_OWNER_ROUTER_INTF:
+ # NOTE (Swami): ROUTER_INTERFACE_OWNERS check is required
+ # since it includes the legacy router interface device owners
+ # and DVR router interface device owners.
+ elif port['device_owner'] in n_const.ROUTER_INTERFACE_OWNERS:
 if any(netaddr.IPAddress(fixed_ip['ip_address']).version == 6
 for fixed_ip in port['fixed_ips']):
 sg_provider_updated_networks.add(
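Review bot: The widened `elif port['device_owner'] in n_const.ROUTER_INTERFACE_OWNERS:` branch only decides which port updates trigger a provider-rule refresh; the code that selects which router addresses may send RA into the VM port is outside this hunk. If that selection still matches only `DEVICE_OWNER_ROUTER_INTF`, the DVR case would notify agents without producing the ICMPv6 RA allow rule, so it is worth confirming that it uses the same owner set. Because `ROUTER_INTERFACE_OWNERS` is defined elsewhere, any owner added to it later will also start driving this ingress rule, and the comment should say so instead of carrying an author tag, for example `# Any router interface owner (legacy or DVR) can be the RA source; owners added to ROUTER_INTERFACE_OWNERS also trigger this refresh.` The enclosing method starts and ends outside the hunk.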
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index 668071c8e..0e3dc3902 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
@@ -130,7 +130,7 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
 self.fmt, net['network']['id'], **kwargs)
 res = self.deserialize(self.fmt, res)
 port_id = res['port']['id']
- if device_owner == const.DEVICE_OWNER_ROUTER_INTF:
+ if device_owner in const.ROUTER_INTERFACE_OWNERS:
 data = {'port': {'fixed_ips': []}}
 req = self.new_update_request('ports', data, port_id)
 res = self.deserialize(self.fmt,
@@ -146,6 +146,15 @@ class SGServerRpcCallBackTestCase(test_sg.SecurityGroupDBTestCase):
 '2001:0db8::1')
 self.assertTrue(self.notifier.security_groups_provider_updated.called)
 
+ def test_notify_security_group_dvr_ipv6_gateway_port_added(self):
+ self._test_security_group_port(
+ const.DEVICE_OWNER_DVR_INTERFACE,
+ '2001:0db8::1',
+ '2001:0db8::/64',
+ 6,
+ '2001:0db8::2')
+ self.assertTrue(self.notifier.security_groups_provider_updated.called)
+
 def test_notify_security_group_ipv6_normal_port_added(self):
 self._test_security_group_port(
 None,
-- 
2.45.2
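Review bot: `test_notify_security_group_dvr_ipv6_gateway_port_added` asserts only `self.notifier.security_groups_provider_updated.called`, so it would still pass if the notification fired for the wrong network or if no RA allow rule were ever generated for the DVR interface address. Checking the call arguments as well (for instance with `assert_called_once_with(...)`, if that fits the notifier's signature) and the provider rule returned for the VM port would pin down the behaviour the commit message describes. The body also appears to repeat the preceding gateway test with a different owner; a single test looping over `const.ROUTER_INTERFACE_OWNERS` would cover owners added to that constant later.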