The first thing I noticed is that the rules you pasted are from the l3-agent. Is this related to FWaaS and not the SG code in neutron?
Because the following works for me for SG:
$ openstack security group rule create --ingress --protocol icmp --ethertype IPv6 default
# ip6tables-save | grep icmp
-A neutron-openvswi-ib3229831-9 -p ipv6-icmp -j RETURN
That has 'ipv6-icmp' unlike the output you pasted, and it's the L2 agent.
So if this is FWaaS then perhaps they have a bug in how iptables rules are being generated; the base neutron code has some logic to deal with this case specially.