add special IPv6 rules for NVP port security

This change adds link-local and the subnet cidr to allow temp IPv6
addresses to work properly when port security is enabled.
Mark McClain 2013-05-15 11:14:11 -04:00
parent 77f7cb0888
commit f97554c0ca
2 changed files with 38 additions and 3 deletions

@ -1,8 +1,8 @@
import functools import functools
import netaddr
import logging import logging
import random import random
import netaddr
from quantum.api.v2 import attributes from quantum.api.v2 import attributes
from quantum.common.config import cfg from quantum.common.config import cfg
from quantum.common import exceptions as q_exc from quantum.common import exceptions as q_exc
@ -127,6 +127,29 @@ def check_subnet_cidr_meets_policy(context, subnet):
raise q_exc.AdminRequired(reason=reason) raise q_exc.AdminRequired(reason=reason)
def get_special_ipv6_addrs(ips, mac_address):
current_ips = set(ips)
special_ips = set([_generate_ipv6_address('fe80::/64', mac_address)])
akanda_ipv6_cidr = netaddr.IPNetwork(cfg.CONF.akanda_ipv6_tenant_range)
for ip in current_ips:
if '/' not in ip and netaddr.IPAddress(ip) in akanda_ipv6_cidr:
# Calculate the cidr here because the caller does not have access
# to request context, subnet or port_id.
special_ips.add(
'%s/%s' % (
netaddr.IPAddress(
netaddr.IPNetwork(
'%s/%d' % (ip, cfg.CONF.akanda_ipv6_prefix_length)
).first
),
cfg.CONF.akanda_ipv6_prefix_length
)
)
return special_ips - current_ips
def _add_subnet_to_router(context, subnet): def _add_subnet_to_router(context, subnet):
LOG.debug('_add_subnet_to_router') LOG.debug('_add_subnet_to_router')
if context.is_admin: if context.is_admin:
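Review bot: `get_special_ipv6_addrs` has no docstring, and the entry it builds from `cfg.CONF.akanda_ipv6_prefix_length` is a whole-prefix CIDR, so for any port holding an address in `akanda_ipv6_tenant_range` the port-security filter is relaxed from per-address to per-subnet. That trade-off should be stated where the entry is added, for example `# NOTE: allows any source address in the port's prefix for this MAC; per-address IPv6 spoof filtering no longer applies inside the subnet`. The CIDR is derived from the configured prefix length rather than from the port's real subnet, so a subnet created with a different prefix would presumably get a wrong entry; the existing comment explains why but not what the consequence is. `netaddr.IPAddress(ip)` will raise on a malformed string, and whether the values are validated before they reach this function is not visible in the hunk.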

@ -35,7 +35,7 @@ LOG = logging.getLogger("QuantumPlugin")
akanda.monkey_patch_ipv6_generator() akanda.monkey_patch_ipv6_generator()
def egress_multicast_hotfix(f): def akanda_nvp_ipv6_port_security_wrapper(f):
@functools.wraps(f) @functools.wraps(f)
def wrapper(lport_obj, mac_address, fixed_ips, port_security_enabled, def wrapper(lport_obj, mac_address, fixed_ips, port_security_enabled,
security_profiles, queue_id): security_profiles, queue_id):
@ -47,10 +47,22 @@ def egress_multicast_hotfix(f):
if port_security_enabled: if port_security_enabled:
# hotfix to enable egress mulitcast # hotfix to enable egress mulitcast
lport_obj['allow_egress_multicast'] = True lport_obj['allow_egress_multicast'] = True
# add link-local and subnet cidr for IPv6 temp addresses
special_ipv6_addrs = akanda.get_special_ipv6_addrs(
(p['ip_address'] for p in lport_obj['allowed_address_pairs']),
mac_address
)
lport_obj['allowed_address_pairs'].extend(
{'mac_address': mac_address, 'ip_address': addr}
for addr in special_ipv6_addrs
)
return wrapper return wrapper
nvp.nvplib._configure_extensions = egress_multicast_hotfix( nvp.nvplib._configure_extensions = akanda_nvp_ipv6_port_security_wrapper(
nvp.nvplib._configure_extensions nvp.nvplib._configure_extensions
) )