| author | Jenkins <jenkins@review.openstack.org> | 2012-10-10 21:08:18 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2012-10-10 21:08:18 +0000 |
| commit | 3ace5b1cfb586ecbfd5f3dbe86f25d9064dd6bcd (patch) | |
| tree | 6018cc83757efe33413899d4223e69da9be212d3 /nova | |
| parent | 34560a4c87309cd3574505f130a73ac30b27886e (diff) | |
| parent | 0436cbdb882b532f0d01c41108508c6d4da3544e (diff) | |
Merge "handle IPv6 race condition due to hairpin mode"
Diffstat (limited to 'nova')
| -rw-r--r-- | nova/virt/libvirt/firewall.py | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index b3c6106ff..819a8ec0c 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -58,6 +58,23 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
     _conn = property(_get_connection)
 
     @staticmethod
+    def nova_no_nd_reflection_filter():
+        """
+        This filter protects false positives on IPv6 Duplicate Address
+        Detection(DAD).
+        """
+        return '''<filter name='nova-no-nd-reflection' chain='ipv6'>
+                  <!-- no nd reflection -->
+                  <!-- drop if destination mac is v6 mcast mac addr and
+                       we sent it. -->
+
+                  <rule action='drop' direction='in'>
+                      <mac dstmacaddr='33:33:00:00:00:00'
+                           dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
+                  </rule>
+                  </filter>'''
+
+    @staticmethod
     def nova_dhcp_filter():
         """The standard allow-dhcp-server filter is an <ip> one, so it uses
         ebtables to allow traffic through. Without a corresponding rule in
@@ -122,15 +139,15 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
         if self.static_filters_configured:
             return
 
-        self._define_filter(self._filter_container('nova-base',
-                                                   ['no-mac-spoofing',
-                                                    'no-ip-spoofing',
-                                                    'no-arp-spoofing',
-                                                    'allow-dhcp-server']))
-        self._define_filter(self._filter_container('nova-nodhcp',
-                                                   ['no-mac-spoofing',
-                                                    'no-ip-spoofing',
-                                                    'no-arp-spoofing']))
+        filter_set = ['no-mac-spoofing',
+                      'no-ip-spoofing',
+                      'no-arp-spoofing']
+        if FLAGS.use_ipv6:
+            self._define_filter(self.nova_no_nd_reflection_filter)
+            filter_set.append('nova-no-nd-reflection')
+        self._define_filter(self._filter_container('nova-nodhcp', filter_set))
+        filter_set.append('allow-dhcp-server')
+        self._define_filter(self._filter_container('nova-base', filter_set))
         self._define_filter(self._filter_container('nova-vpn',
                                                    ['allow-dhcp-server']))
         self._define_filter(self.nova_dhcp_filter)
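Review bot: The docstring on the new nova_no_nd_reflection_filter says the filter "protects false positives" on DAD, which reads as the opposite of its intent and does not say what the rule actually matches. The rule is direction='in', source MAC equal to the instance's own $MAC, and destination MAC in the 33:33:xx:xx:xx:xx range (dstmacmask ff:ff:00:00:00:00), so it drops the instance's own IPv6 multicast frames when they come back on its own port. A docstring that states this would help the next reader, e.g. `"""Drop our own IPv6 multicast frames when they are reflected back to us (hairpin mode), so a reflected neighbour solicitation is not mistaken for a DAD conflict."""`. The inline XML comment "drop if destination mac is v6 mcast mac addr and we sent it" could also be kept as is; it is the Python docstring that misleads.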
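Review bot: In the second hunk, filter_set is handed to `self._filter_container('nova-nodhcp', filter_set)` and then mutated by `filter_set.append('allow-dhcp-server')` on the very next line, so the nova-nodhcp definition is only correct if _filter_container consumes the list eagerly; _filter_container is outside this hunk, so that cannot be confirmed here, and a later change to it would silently give nova-nodhcp the DHCP-server allowance. Building the second list as a fresh object removes the dependency: `self._define_filter(self._filter_container('nova-base', filter_set + ['allow-dhcp-server']))` and drop the append. The enclosing method (setup_basic_filtering or similar) starts outside the hunk.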
