Merge pull request #22 from markmcclain/ipv6_addresses

add special IPv6 rules for NVP port security
2013-05-15 08:31:02 -07:00 · 2013-05-15 08:31:02 -07:00 · 343f1de079
commit 343f1de079
parent 626da1ad82 f97554c0ca
2 changed files with 38 additions and 3 deletions
--- a/akanda/quantum/plugins/decorators.py
+++ b/akanda/quantum/plugins/decorators.py
@ -1,8 +1,8 @@
 import functools
+import netaddr
 import logging
 import random

-import netaddr
 from quantum.api.v2 import attributes
 from quantum.common.config import cfg
 from quantum.common import exceptions as q_exc
@ -127,6 +127,29 @@ def check_subnet_cidr_meets_policy(context, subnet):
        raise q_exc.AdminRequired(reason=reason)


+def get_special_ipv6_addrs(ips, mac_address):
+    current_ips = set(ips)
+    special_ips = set([_generate_ipv6_address('fe80::/64', mac_address)])
+
+    akanda_ipv6_cidr = netaddr.IPNetwork(cfg.CONF.akanda_ipv6_tenant_range)
+
+    for ip in current_ips:
+        if '/' not in ip and netaddr.IPAddress(ip) in akanda_ipv6_cidr:
+            # Calculate the cidr here because the caller does not have access
+            # to request context, subnet or port_id.
+            special_ips.add(
+                '%s/%s' % (
+                    netaddr.IPAddress(
+                        netaddr.IPNetwork(
+                            '%s/%d' % (ip, cfg.CONF.akanda_ipv6_prefix_length)
+                        ).first
+                    ),
+                    cfg.CONF.akanda_ipv6_prefix_length
+                )
+            )
+    return special_ips - current_ips
+
+
 def _add_subnet_to_router(context, subnet):
    LOG.debug('_add_subnet_to_router')
    if context.is_admin:
--- a/akanda/quantum/plugins/nvp_quantum_plugin.py
+++ b/akanda/quantum/plugins/nvp_quantum_plugin.py
@ -35,7 +35,7 @@ LOG = logging.getLogger("QuantumPlugin")
 akanda.monkey_patch_ipv6_generator()


-def egress_multicast_hotfix(f):
+def akanda_nvp_ipv6_port_security_wrapper(f):
    @functools.wraps(f)
    def wrapper(lport_obj, mac_address, fixed_ips, port_security_enabled,
                security_profiles, queue_id):
@ -47,10 +47,22 @@ def egress_multicast_hotfix(f):
        if port_security_enabled:
            # hotfix to enable egress mulitcast
            lport_obj['allow_egress_multicast'] = True
+
+            # add link-local and subnet cidr for IPv6 temp addresses
+            special_ipv6_addrs = akanda.get_special_ipv6_addrs(
+                (p['ip_address'] for p in lport_obj['allowed_address_pairs']),
+                mac_address
+            )
+
+            lport_obj['allowed_address_pairs'].extend(
+                {'mac_address': mac_address, 'ip_address': addr}
+                for addr in special_ipv6_addrs
+            )
+
    return wrapper


-nvp.nvplib._configure_extensions = egress_multicast_hotfix(
+nvp.nvplib._configure_extensions = akanda_nvp_ipv6_port_security_wrapper(
    nvp.nvplib._configure_extensions
 )