Comment 1 for bug 1799904

Brian Haley (brian-haley) wrote :

The first thing I noticed is that the rules you pasted are from the l3-agent. Is this related to FWaaS and not the SG code in neutron?

Because the following works for me for SG:

$ openstack security group rule create --ingress --protocol icmp --ethertype IPv6 default

# ip6tables-save | grep icmp
-A neutron-openvswi-ib3229831-9 -p ipv6-icmp -j RETURN

That has 'ipv6-icmp' unlike the output you pasted, and it's the L2 agent.

So if this is FWaaS, then perhaps they have a bug in how iptables rules are being generated; the base neutron code has some logic to deal with this case specially.