Security Groups does not allow RA packets in by default

Most probably I'm wrong here, because I'm quite new to neutron.
But, shouldn't this kind of policy be handled in the security policies manually? (The same way you open ICMP to VMs in IPv4).

Hi Miguel,

There are rules that Neutron creates for each port that allows DHCP traffic on the v4 side, so that an instance can configure v4 networking, without requiring a tenant to create a security group rule to pass in DHCP traffic. It "just works" and there should be parity on the v6 side to allow the same thing to happen.

The difference between v4 ICMP and v6 ICMP is that in the v6 side, there are more advanced operations, like RA's, that must be allowed through for an instance to configure SLAAC.

Proposed fix:

https://review.openstack.org/#/c/53028/

I made this comment in the review, but I'll copy here in case others only look at the bug:

I still don't think this change is correct as it will allow all Icmpv6 traffic through, when only a subset should be allowed. I think the following should be allowed on the input side: RA, NS, and NA, and they should be inserted with a '-j RETURN'.

I'm still trying to track down the issue myself and will post any info I can find about it here.

Fix proposed to branch: master
Review: https://review.openstack.org/58186

Reviewed: https://review.openstack.org/53028
Committed: http://github.com/openstack/neutron/commit/cecd7591533e2c046aedba3b8e5d14a5b2fa7fe9
Submitter: Jenkins
Branch: master

commit cecd7591533e2c046aedba3b8e5d14a5b2fa7fe9
Author: Sean M. Collins <email address hidden>
Date: Fri Oct 18 14:33:23 2013 -0400

    Pass in certain ICMPv6 types by default

    This allows instances to do SLAAC configuration, without requiring
    explicit security group rules to do so.

    Closes-Bug: #1242933

    Change-Id: I517c66a470296141c0024a64e39b6d40b0c0d581