Pass in certain ICMPv6 types by default

This allows instances to do SLAAC configuration, without requiring
explicit security group rules to do so.

Closes-Bug: #1242933

Change-Id: I517c66a470296141c0024a64e39b6d40b0c0d581

neutron/agent/linux/iptables_firewall.py

@@ -243,6 +243,15 @@ def _drop_dhcp_rule(self):
         #Note(nati) Drop dhcp packet from VM
         return ['-p udp -m udp --sport 67 --dport 68 -j DROP']
 
+    def _accept_inbound_icmpv6(self):
+        # Allow router advertisements, multicast listener
+        # and neighbor advertisement into the instance
+        icmpv6_rules = []
+        for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
+            icmpv6_rules += ['-p icmpv6 --icmpv6-type %s -j RETURN' %
+                             icmp6_type]
+        return icmpv6_rules
+
     def _add_rule_by_security_group(self, port, direction):
         chain_name = self._port_chain_name(port, direction)
         # select rules for current direction
@@ -259,6 +268,8 @@ def _add_rule_by_security_group(self, port, direction):
                                 ipv4_iptables_rule,
                                 ipv6_iptables_rule)
             ipv4_iptables_rule += self._drop_dhcp_rule()
+        if direction == INGRESS_DIRECTION:
+            ipv6_iptables_rule += self._accept_inbound_icmpv6()
         ipv4_iptables_rule += self._convert_sgr_to_iptables_rules(
             ipv4_sg_rules)
         ipv6_iptables_rule += self._convert_sgr_to_iptables_rules(

neutron/common/constants.py

@@ -92,3 +92,12 @@
 PROTO_NUM_ICMP = 1
 PROTO_NUM_ICMP_V6 = 58
 PROTO_NUM_UDP = 17
+
+# List of ICMPv6 types that should be allowed by default:
+# Multicast Listener Query (130),
+# Multicast Listener Report (131),
+# Multicast Listener Done (132),
+# Router Advertisement (134),
+# Neighbor Solicitation (135),
+# Neighbor Advertisement (136)
+ICMPV6_ALLOWED_TYPES = [130, 131, 132, 134, 135, 136]

neutron/tests/unit/test_iptables_firewall.py

@@ -23,6 +23,7 @@
 
 from neutron.agent.common import config as a_cfg
 from neutron.agent.linux.iptables_firewall import IptablesFirewallDriver
+from neutron.common import constants
 from neutron.tests import base
 from neutron.tests.unit import test_api_v2
 
@@ -747,11 +748,18 @@ def _test_prepare_port_filter(self,
                                '-m physdev --physdev-out tapfake_dev '
                                '--physdev-is-bridged '
                                '-j $ifake_dev'),
-                 call.add_rule(
-                     'ifake_dev', '-m state --state INVALID -j DROP'),
-                 call.add_rule(
-                     'ifake_dev',
-                     '-m state --state RELATED,ESTABLISHED -j RETURN')]
+                 ]
+        if ethertype == 'IPv6':
+            for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
+                calls.append(
+                    call.add_rule('ifake_dev',
+                                  '-p icmpv6 --icmpv6-type %s -j RETURN' %
+                                  icmp6_type))
+        calls += [call.add_rule('ifake_dev',
+                                '-m state --state INVALID -j DROP'),
+                  call.add_rule(
+                      'ifake_dev',
+                      '-m state --state RELATED,ESTABLISHED -j RETURN')]
 
         if ingress_expected_call:
             calls.append(ingress_expected_call)

neutron/tests/unit/test_security_groups_rpc.py

@@ -1092,6 +1092,12 @@ def test_security_groups_member_not_updated(self):
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-i_port1
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 134 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
 [0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
@@ -1137,6 +1143,12 @@ def test_security_groups_member_not_updated(self):
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \
 %(physdev_is_bridged)s -j %(bn)s-i_port1
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 134 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN
 [0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
@@ -1154,6 +1166,12 @@ def test_security_groups_member_not_updated(self):
 %(physdev_is_bridged)s -j %(bn)s-sg-chain
 [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \
 %(physdev_is_bridged)s -j %(bn)s-i_port2
+[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 130 -j RETURN
+[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 131 -j RETURN
+[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 132 -j RETURN
+[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 134 -j RETURN
+[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 135 -j RETURN
+[0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 136 -j RETURN
 [0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP
 [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN
 [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback