Comment 11 for bug 1372882

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/140046
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9274c590a78444e9157afd4d41bff566b26c9323
Submitter: Jenkins
Branch: master

commit 9274c590a78444e9157afd4d41bff566b26c9323
Author: sridhargaddam <email address hidden>
Date: Mon Dec 8 16:11:38 2014 +0000

    Neutron to Drop Router Advts from VM ports

    As part of the spoofing filter chain, Neutron drops all the outbound
    traffic where the MAC/IP does not match the IP address assigned
    to the VM ports (inc' allowed_address_pairs). Along with this,
    we also drop traffic associated with a dhcp[v6] server (i.e., do
    not allow a VM to run a dhcp[v6] server). Currently we do not
    have any rules to drop Router Advts from VM ports. This can create
    issues in the network as other devices in the network may not have
    any protection for this kind of stuff.

    Even if we allow RAs from the VM ports, because of the Anti-Spoofing
    rules that are applied, a VM cannot act as an IPv6 router (i.e., it
    cannot forward IPv6 traffic). So there is no point in allowing Router
    Advts from VMs assuming that it would be useful in Service VM use-cases.
    In order to properly implement IPv6 router as a Service VM, one needs
    to use the port_security_extension [1] which allows us to disable
    security group rules/anti-spoofing filters on the VM ports.

    [1]https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

    This patch disables Router Advts from VM ports.

    Closes-Bug: #1372882
    Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab
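The per-port egress checks the commit message lists (MAC/IP must match the port's fixed IPs or allowed_address_pairs, no DHCPv6 server traffic, and, with this fix, no Router Advertisements) can be modelled as a single verdict function over raw frames. The block below is an added example, not Neutron's iptables driver or any code from this change; the port MAC, the IPv6 addresses, the frame builder and the `egress_verdict` name are constructed for illustration. It also shows why the RA rule is needed on top of IP anti-spoofing: an RA is legitimately sourced from the port's own link-local address, so the IP check alone lets it through.

```python
"""Model of a Neutron-style per-port egress anti-spoofing decision.

Added example, not Neutron code.  Frames, addresses and the port config
below are constructed for illustration.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6 = 58
NH_UDP = 17
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_ECHO_REQUEST = 128
DHCPV6_SERVER_PORT = 547

# Constructed port: MAC fa:16:3e:00:00:01, one fixed IP, the EUI-64 derived
# link-local address, and one allowed_address_pairs entry.
PORT_MAC = bytes.fromhex("fa163e000001")
PORT_ALLOWED_IPS = [
    ipaddress.IPv6Network("2001:db8:1::10/128"),          # fixed IP
    ipaddress.IPv6Network("fe80::f816:3eff:fe00:1/128"),  # link-local from MAC
    ipaddress.IPv6Network("2001:db8:1::100/128"),         # allowed_address_pairs
]


def parse_frame(frame):
    """Return (src_mac, src_ip, next_header, l4_bytes) for an IPv6 frame
    without extension headers; raise ValueError for anything else."""
    if len(frame) < 14 + 40:
        raise ValueError("frame too short")
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError("not an IPv6 frame")
    ip6 = frame[14:54]
    next_header = ip6[6]                       # offset 6 of the IPv6 header
    src_ip = ipaddress.IPv6Address(ip6[8:24])  # source address, 16 bytes
    return src_mac, src_ip, next_header, frame[54:]


def egress_verdict(frame, port_mac, allowed_ips):
    """'ACCEPT' or 'DROP' for a frame leaving a VM port, in the order the
    commit message describes: MAC/IP spoofing, DHCPv6 server, then RA."""
    src_mac, src_ip, next_header, l4 = parse_frame(frame)
    if src_mac != port_mac:
        return "DROP"  # MAC does not belong to the port
    if not any(src_ip in net for net in allowed_ips):
        return "DROP"  # IP not assigned to the port (fixed IPs + pairs)
    if next_header == NH_UDP and len(l4) >= 2:
        sport = struct.unpack("!H", l4[:2])[0]
        if sport == DHCPV6_SERVER_PORT:
            return "DROP"  # VM acting as a DHCPv6 server
    if next_header == NH_ICMPV6 and len(l4) >= 1:
        if l4[0] == ICMPV6_ROUTER_ADVERTISEMENT:
            return "DROP"  # Router Advertisement from a VM port (this fix)
    return "ACCEPT"


def build_frame(src_mac, src_ip, next_header, payload):
    """Constructed Ethernet + IPv6 frame to ff02::1 (all-nodes multicast)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("333300000001"), src_mac,
                      ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                      255, ipaddress.IPv6Address(src_ip).packed,
                      ipaddress.IPv6Address("ff02::1").packed)
    return eth + ip6 + payload


def demo():
    """Run the verdict over a set of constructed frames; returns a dict."""
    link_local = "fe80::f816:3eff:fe00:1"
    ra = bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0]) + b"\x00" * 14
    echo = bytes([ICMPV6_ECHO_REQUEST, 0]) + b"\x00" * 6
    dhcp6_reply = struct.pack("!HHHH", DHCPV6_SERVER_PORT, 546, 8, 0)
    frames = {
        "echo_from_fixed_ip": build_frame(PORT_MAC, "2001:db8:1::10", NH_ICMPV6, echo),
        "echo_from_address_pair": build_frame(PORT_MAC, "2001:db8:1::100", NH_ICMPV6, echo),
        "echo_from_spoofed_ip": build_frame(PORT_MAC, "2001:db8:1::99", NH_ICMPV6, echo),
        "echo_from_spoofed_mac": build_frame(bytes.fromhex("fa163e000002"),
                                             "2001:db8:1::10", NH_ICMPV6, echo),
        "dhcpv6_server_reply": build_frame(PORT_MAC, link_local, NH_UDP, dhcp6_reply),
        # The RA uses the port's own link-local source, so IP anti-spoofing
        # alone would accept it; only the RA rule drops it.
        "router_advertisement": build_frame(PORT_MAC, link_local, NH_ICMPV6, ra),
    }
    return {name: egress_verdict(f, PORT_MAC, PORT_ALLOWED_IPS)
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The `router_advertisement` case is the one this change adds: its source MAC and link-local source IP are both legitimate for the port, so it passes the spoofing checks and is only stopped by matching ICMPv6 type 134. A port that should act as an IPv6 router needs these checks switched off via the port security extension the commit message cites, not a more permissive rule here.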