Pass in certain ICMPv6 types by default
This allows instances to perform SLAAC (stateless address autoconfiguration) without requiring explicit security group rules to do so. Closes-Bug: #1242933 Change-Id: I517c66a470296141c0024a64e39b6d40b0c0d581
This commit is contained in:
parent
4cba28846c
commit
552037a5cf
@ -243,6 +243,15 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
#Note(nati) Drop dhcp packet from VM
|
#Note(nati) Drop dhcp packet from VM
|
||||||
return ['-p udp -m udp --sport 67 --dport 68 -j DROP']
|
return ['-p udp -m udp --sport 67 --dport 68 -j DROP']
|
||||||
|
|
||||||
|
def _accept_inbound_icmpv6(self):
|
||||||
|
# Allow router advertisements, multicast listener
|
||||||
|
# and neighbor advertisement into the instance
|
||||||
|
icmpv6_rules = []
|
||||||
|
for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
|
||||||
|
icmpv6_rules += ['-p icmpv6 --icmpv6-type %s -j RETURN' %
|
||||||
|
icmp6_type]
|
||||||
|
return icmpv6_rules
|
||||||
|
|
||||||
def _add_rule_by_security_group(self, port, direction):
|
def _add_rule_by_security_group(self, port, direction):
|
||||||
chain_name = self._port_chain_name(port, direction)
|
chain_name = self._port_chain_name(port, direction)
|
||||||
# select rules for current direction
|
# select rules for current direction
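Review bot: Accepting Router Advertisement (type 134) from any source in `_accept_inbound_icmpv6` lets any peer on the same L2 segment, including another tenant's compromised instance, announce itself as default router or push bogus prefixes to the instance (rogue RA, RFC 6104), and because these rules precede the tenant's security group rules the tenant has no way to tighten this. RFC 4861 requires RA sources to be link-local, so at minimum the type-134 rule should carry a source match, e.g. `'-p icmpv6 --icmpv6-type 134 -s fe80::/10 -j RETURN'`; better is to accept RAs only from the subnet's router port address, which the driver would have to look up from the port's subnet data. The NS rule must keep the unspecified source (`::`) for DAD, so a per-type rule table rather than one format string for all types would be needed to do this cleanly. `_add_rule_by_security_group` begins at the end of this hunk and its body continues outside it.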
|
||||||
@ -259,6 +268,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
ipv4_iptables_rule,
|
ipv4_iptables_rule,
|
||||||
ipv6_iptables_rule)
|
ipv6_iptables_rule)
|
||||||
ipv4_iptables_rule += self._drop_dhcp_rule()
|
ipv4_iptables_rule += self._drop_dhcp_rule()
|
||||||
|
if direction == INGRESS_DIRECTION:
|
||||||
|
ipv6_iptables_rule += self._accept_inbound_icmpv6()
|
||||||
ipv4_iptables_rule += self._convert_sgr_to_iptables_rules(
|
ipv4_iptables_rule += self._convert_sgr_to_iptables_rules(
|
||||||
ipv4_sg_rules)
|
ipv4_sg_rules)
|
||||||
ipv6_iptables_rule += self._convert_sgr_to_iptables_rules(
|
ipv6_iptables_rule += self._convert_sgr_to_iptables_rules(
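Review bot: The new `ipv6_iptables_rule += self._accept_inbound_icmpv6()` line carries no comment on why its position matters, yet the expected fixtures elsewhere in this commit show the ICMPv6 RETURN rules landing ahead of `-m state --state INVALID -j DROP` and ahead of every tenant rule. I believe conntrack creates no entries for ND/MLD messages, so those packets would match INVALID and be dropped if the order were ever changed; worth stating: `# Must precede the state rules: ND/MLD is not tracked by conntrack and would match INVALID.` It is also added unconditionally for every port, whether or not the port has an IPv6 subnet; harmless on ip6tables, but a word in the comment would save the next reader the question. `_add_rule_by_security_group` starts and ends outside this hunk.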
|
||||||
|
@ -92,3 +92,12 @@ PROTO_NUM_TCP = 6
|
|||||||
PROTO_NUM_ICMP = 1
|
PROTO_NUM_ICMP = 1
|
||||||
PROTO_NUM_ICMP_V6 = 58
|
PROTO_NUM_ICMP_V6 = 58
|
||||||
PROTO_NUM_UDP = 17
|
PROTO_NUM_UDP = 17
|
||||||
|
|
||||||
|
# List of ICMPv6 types that should be allowed by default:
|
||||||
|
# Multicast Listener Query (130),
|
||||||
|
# Multicast Listener Report (131),
|
||||||
|
# Multicast Listener Done (132),
|
||||||
|
# Router Advertisement (134),
|
||||||
|
# Neighbor Solicitation (135),
|
||||||
|
# Neighbor Advertisement (136)
|
||||||
|
ICMPV6_ALLOWED_TYPES = [130, 131, 132, 134, 135, 136]
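Review bot: The comment above `ICMPV6_ALLOWED_TYPES` names the types but gives neither the rationale nor what was deliberately left out, which is what the next person asked to add type 128 or 133 will need. Suggest citing the sources and the omissions, e.g. `# Needed for SLAAC/NDP (RFC 4861) and MLD (RFC 2710); see RFC 4890 for filtering guidance. Router Solicitation (133) is host-originated so is not needed inbound; echo (128/129) is left to tenant security group rules.` Since the firewall driver and the tests only iterate this value, a tuple `ICMPV6_ALLOWED_TYPES = (130, 131, 132, 134, 135, 136)` is a drop-in that prevents accidental in-place mutation of a module-wide allow list.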
|
||||||
|
@ -23,6 +23,7 @@ from oslo.config import cfg
|
|||||||
|
|
||||||
from neutron.agent.common import config as a_cfg
|
from neutron.agent.common import config as a_cfg
|
||||||
from neutron.agent.linux.iptables_firewall import IptablesFirewallDriver
|
from neutron.agent.linux.iptables_firewall import IptablesFirewallDriver
|
||||||
|
from neutron.common import constants
|
||||||
from neutron.tests import base
|
from neutron.tests import base
|
||||||
from neutron.tests.unit import test_api_v2
|
from neutron.tests.unit import test_api_v2
|
||||||
|
|
||||||
@ -747,11 +748,18 @@ class IptablesFirewallTestCase(base.BaseTestCase):
|
|||||||
'-m physdev --physdev-out tapfake_dev '
|
'-m physdev --physdev-out tapfake_dev '
|
||||||
'--physdev-is-bridged '
|
'--physdev-is-bridged '
|
||||||
'-j $ifake_dev'),
|
'-j $ifake_dev'),
|
||||||
call.add_rule(
|
]
|
||||||
'ifake_dev', '-m state --state INVALID -j DROP'),
|
if ethertype == 'IPv6':
|
||||||
call.add_rule(
|
for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
|
||||||
'ifake_dev',
|
calls.append(
|
||||||
'-m state --state RELATED,ESTABLISHED -j RETURN')]
|
call.add_rule('ifake_dev',
|
||||||
|
'-p icmpv6 --icmpv6-type %s -j RETURN' %
|
||||||
|
icmp6_type))
|
||||||
|
calls += [call.add_rule('ifake_dev',
|
||||||
|
'-m state --state INVALID -j DROP'),
|
||||||
|
call.add_rule(
|
||||||
|
'ifake_dev',
|
||||||
|
'-m state --state RELATED,ESTABLISHED -j RETURN')]
|
||||||
|
|
||||||
if ingress_expected_call:
|
if ingress_expected_call:
|
||||||
calls.append(ingress_expected_call)
|
calls.append(ingress_expected_call)
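Review bot: The test builds its expected ICMPv6 rules by iterating `constants.ICMPV6_ALLOWED_TYPES`, the same constant the driver iterates, so the assertion would still pass if the constant were changed to add echo request or drop type 134 — it checks the loop, not the policy. Pin the policy with a literal, e.g. `for icmp6_type in [130, 131, 132, 134, 135, 136]:` or a separate `self.assertEqual([130, 131, 132, 134, 135, 136], constants.ICMPV6_ALLOWED_TYPES)`, as the expected ip6tables fixtures in this commit already do with literal rule lines. The `ethertype` tested by the new `if ethertype == 'IPv6':` branch is set outside the hunk; the enclosing test method starts and ends outside it.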
|
||||||
|
@ -1092,6 +1092,12 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager
|
|||||||
%(physdev_is_bridged)s -j %(bn)s-sg-chain
|
%(physdev_is_bridged)s -j %(bn)s-sg-chain
|
||||||
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
|
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
|
||||||
%(physdev_is_bridged)s -j %(bn)s-i_port1
|
%(physdev_is_bridged)s -j %(bn)s-i_port1
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 134 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
|
||||||
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
|
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
|
||||||
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
|
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||||
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
|
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
|
||||||
@ -1137,6 +1143,12 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
|
|||||||
%(physdev_is_bridged)s -j %(bn)s-sg-chain
|
%(physdev_is_bridged)s -j %(bn)s-sg-chain
|
||||||
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
|
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
|
||||||
%(physdev_is_bridged)s -j %(bn)s-i_port1
|
%(physdev_is_bridged)s -j %(bn)s-i_port1
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 134 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
|
||||||
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
|
[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
|
||||||
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
|
[0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||||
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
|
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
|
||||||
@ -1154,6 +1166,12 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager
|
|||||||
%(physdev_is_bridged)s -j %(bn)s-sg-chain
|
%(physdev_is_bridged)s -j %(bn)s-sg-chain
|
||||||
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \
|
[0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \
|
||||||
%(physdev_is_bridged)s -j %(bn)s-i_port2
|
%(physdev_is_bridged)s -j %(bn)s-i_port2
|
||||||
|
[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 130 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 131 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 132 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 134 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 135 -j RETURN
|
||||||
|
[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 136 -j RETURN
|
||||||
[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP
|
[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP
|
||||||
[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN
|
[0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN
|
||||||
[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback
|
[0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback
|
||||||
|