diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index b3c6106ffb9..819a8ec0cce 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -57,6 +57,23 @@ def _get_connection(self):
 return self._libvirt_get_connection()
 _conn = property(_get_connection)
+ @staticmethod
+ def nova_no_nd_reflection_filter():
+ """
+ This filter protects false positives on IPv6 Duplicate Address
+ Detection(DAD).
+ """
+ return '''
+
+
+
+
+
+
+ '''
+
 @staticmethod
 def nova_dhcp_filter():
 """The standard allow-dhcp-server filter is an one, so it uses
@@ -122,15 +139,15 @@ def _ensure_static_filters(self):
 if self.static_filters_configured:
 return
- self._define_filter(self._filter_container('nova-base',
- ['no-mac-spoofing',
- 'no-ip-spoofing',
- 'no-arp-spoofing',
- 'allow-dhcp-server']))
- self._define_filter(self._filter_container('nova-nodhcp',
- ['no-mac-spoofing',
- 'no-ip-spoofing',
- 'no-arp-spoofing']))
+ filter_set = ['no-mac-spoofing',
+ 'no-ip-spoofing',
+ 'no-arp-spoofing']
+ if FLAGS.use_ipv6:
+ self._define_filter(self.nova_no_nd_reflection_filter)
+ filter_set.append('nova-no-nd-reflection')
+ self._define_filter(self._filter_container('nova-nodhcp', filter_set))
+ filter_set.append('allow-dhcp-server')
+ self._define_filter(self._filter_container('nova-base', filter_set))
 self._define_filter(self._filter_container('nova-vpn',
 ['allow-dhcp-server']))
 self._define_filter(self.nova_dhcp_filter)
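Review bot: The docstring on `nova_no_nd_reflection_filter` says the filter "protects false positives", which reads as the opposite of the intent, and it never states what traffic is matched or dropped. Because this filter joins the base set of every instance when `use_ipv6` is on, the match criteria belong in the docstring; going by the filter name, something like `"""Drop Neighbor Discovery frames reflected back to the sending instance, so IPv6 Duplicate Address Detection (DAD) does not report a false duplicate."""` would do, adjusted to whatever the XML actually matches. The summary should also start on the opening `"""` line, as the `nova_dhcp_filter` docstring just below does. The filter XML itself is not readable in this rendering, so the rule was not reviewed.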
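Review bot: In `_ensure_static_filters`, `filter_set` is passed to `_filter_container('nova-nodhcp', ...)` and then mutated with `append('allow-dhcp-server')` before being reused for `nova-base`, so correctness depends on `_filter_container` rendering the list immediately and on the order of these statements. `_filter_container` is defined outside this hunk, so that could not be confirmed; if it ever kept a reference to the list, or if the two calls were reordered, `nova-nodhcp` instances would silently gain the DHCP-server allowance. Building the second list explicitly avoids that: `self._define_filter(self._filter_container('nova-base', filter_set + ['allow-dhcp-server']))`. The `FLAGS.use_ipv6` branch would also merit a test asserting that both containers reference `nova-no-nd-reflection`; none is visible in this diff.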