The qbr bridge should not have any IPv6 addresses, either
link-local, or on the tenant's private network due to the
bridge processing Router Advertisements from Neutron and
auto-configuring addresses, since it will allow access to
the hypervisor from a tenant VM.
The bridge only exists to allow the Neutron security group
code to work with OVS, so we can safely disable IPv6 on it.
Reviewed: https:/ /review. openstack. org/198054 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=5ab1b1b1c45 6b8b43edbd1bddd 74b96b56ab80e6
Committed: https:/
Submitter: Jenkins
Branch: master
commit 5ab1b1b1c456b8b 43edbd1bddd74b9 6b56ab80e6
Author: Adam Kacmarsky <email address hidden>
Date: Thu Jul 2 10:13:16 2015 -0600
Disable IPv6 on bridge devices
The qbr bridge should not have any IPv6 addresses, either configuring addresses, since it will allow access to
link-local, or on the tenant's private network due to the
bridge processing Router Advertisements from Neutron and
auto-
the hypervisor from a tenant VM.
The bridge only exists to allow the Neutron security group
code to work with OVS, so we can safely disable IPv6 on it.
Closes-bug: 1470931
Partial-bug: 1302080
Change-Id: Ideecab1c21b240 bcca71973ed74b0 374afb20e5e