Comment 19 for bug 1262759

Reviewed: https://review.openstack.org/72252
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b7b0c7dbcd3e6754bc09b2fd75d888c41ae4aadb
Submitter: Jenkins
Branch: master

commit b7b0c7dbcd3e6754bc09b2fd75d888c41ae4aadb
Author: Xuhan Peng <email address hidden>
Date: Sun Feb 9 22:02:33 2014 -0500

    Permit ICMPv6 RAs only from known routers

    Currently ingress ICMPv6 RAs are permitted from any IPs by
    default to allow VMs to accept ICMPv6 RA from provider network.
    In this way, VM can accept RAs from attacker VM and configure
    a network prefix specified by the attacher VM.

    Remove permitting ICMPv6 RAs from any IPs and add security rule
    to only permit ICMPv6 RA from:

    1. If the port's subnet is configured with ipv6_ra_mode value
    (i.e.value is slaac, dhcpv6-stateful, or dhcpv6-stateless), RA
    is sending from dnsmasq controlled by OpenStack. In this case,
    allow RA from the link local address of gateway port (if the
    gateway port is created).

    2. If the subnet's gateway port is not managed by OpenStack, allow
    the ICMPv6 RA sent from the subnet gateway IP if it's a link local
    address. The administrator needs to configure the gateway IP as
    link local address in this case to make the RA rule work.

    Change-Id: I1d5c7aaa8e4cf057204eb746c0faab2c70409a94
    Closes-Bug: 1262759