kubeovn / kube-ovn

A Bridge between SDN and Cloud Native (Project under CNCF)
https://kubeovn.github.io/docs/stable/en/
Apache License 2.0

Virtual machines with securitygroups that allow icmpv6 cannot get IPv6 address #2342

Closed lynn901 closed 1 year ago

lynn901 commented 1 year ago

Expected Behavior

The VM can get an IPv6 address.

Actual Behavior

The VM cannot get an IPv6 address.

Steps to Reproduce the Problem

  1. Create a VM with a security group that allows ICMPv6, or that has no rules at all.
  2. Start the VM.
  3. Open a console in the VM.

Additional Info

lynn901 commented 1 year ago

I read the neutron OVS agent code; it runs initialize_egress and _initialize_ingress to install default rules. Can you assign this bug to me @oilbeater?

lynn901 commented 1 year ago

The DHCP protocol runs over UDP and uses two IANA-assigned ports: 67 (server side) and 68 (client side).

All DHCPv6 protocol messages are UDP-based as well (the client uses UDP port 546, the server uses port 547). IPv6 additionally involves RA and RS messages, i.e. ICMPv6 ND messages; IPv4 involves ARP messages.

When kube-ovn designed the security group feature, it added a deny-all rule by default for every port bound to a security group:

```
ovn-nbctl acl-add ovn.sg.kubeovn_deny_all to-lport 2003 'outport==@ovn.sg.kubeovn_deny_all && ip' drop
ovn-nbctl acl-add ovn.sg.kubeovn_deny_all from-lport 2003 'inport==@ovn.sg.kubeovn_deny_all && ip' drop
```

The ACL rules of kube-ovn's default security group need to be adjusted to specifically allow the traffic involved in ARP, DHCP, DHCPv6 and ICMPv6.

Refer to the neutron source code to improve the security group feature.
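The following script is an added example, not code from kube-ovn or neutron, that turns the port and ICMPv6-type lists above (and the BASE_EGRESS/BASE_INGRESS behaviour quoted from neutron in the next comment) into concrete OVN ACLs. It assumes the deny-all ACL sits at priority 2003 on port group `ovn.sg.kubeovn_deny_all`, as in the commands quoted above, so the allow rules are placed at 2004; the exact ICMPv6 type sets are this example's own choice, and the `ovn-nbctl acl-add` options used (`--may-exist`, `--type=port-group`) are documented ovn-nbctl flags.

```shell
#!/usr/bin/env bash
# Added example, not kube-ovn or neutron code: emit the "base" allow ACLs that
# let a port bound to a kube-ovn security group still acquire an address.
# Assumptions (not stated in the issue): the deny-all ACL sits at priority 2003
# on port group ovn.sg.kubeovn_deny_all, as in the comment above, so the allows
# go at 2004; the ICMPv6 type sets below are this example's own choice.
set -eu

PRIORITY="${PRIORITY:-2004}"   # must be higher than the 2003 deny-all

# Print one ovn-nbctl acl-add command.
#   $1 = port group, $2 = from-lport | to-lport, $3 = match without the port
#   clause, $4 = verdict (default allow)
acl_cmd() {
    local pg="$1" dir="$2" match="$3" verdict="${4:-allow}" port_sel
    case "$dir" in
        from-lport) port_sel="inport == @${pg}" ;;   # packets the VM sends
        to-lport)   port_sel="outport == @${pg}" ;;  # packets delivered to the VM
        *) echo "bad direction: $dir" >&2; return 1 ;;
    esac
    printf "ovn-nbctl --may-exist --type=port-group acl-add %s %s %s '%s && %s' %s\n" \
        "$pg" "$dir" "$PRIORITY" "$port_sel" "$match" "$verdict"
}

# The base rule set for one port group: ARP, DHCPv4, DHCPv6 and ICMPv6 ND/MLD.
base_acl_cmds() {
    local pg="$1"
    # ARP in both directions. Caveat: OVN's "ip" symbol means eth.type 0x0800 or
    # 0x86dd, so the specific deny-all ACL quoted above never matched ARP in the
    # first place; these two lines only matter if a stricter deny rule exists.
    acl_cmd "$pg" from-lport 'arp'
    acl_cmd "$pg" to-lport   'arp'
    # DHCPv4: client 68 -> server 67 outbound, server 67 -> client 68 inbound.
    acl_cmd "$pg" from-lport 'ip4 && udp.src == 68 && udp.dst == 67'
    acl_cmd "$pg" to-lport   'ip4 && udp.src == 67 && udp.dst == 68'
    # DHCPv6: client 546 -> server 547 outbound, server 547 -> client 546 inbound.
    acl_cmd "$pg" from-lport 'ip6 && udp.src == 546 && udp.dst == 547'
    acl_cmd "$pg" to-lport   'ip6 && udp.src == 547 && udp.dst == 546'
    # ICMPv6 the VM may send: MLD (130-132, 143), RS (133), NS (135), NA (136).
    # RA (134) is deliberately absent: a VM must never advertise itself as a
    # router, so RA from the VM stays covered by the deny-all.
    acl_cmd "$pg" from-lport 'icmp6 && icmp6.type == {130, 131, 132, 133, 135, 136, 143}'
    # ICMPv6 the VM must receive for SLAAC/ND to work: MLD query (130), RA (134),
    # NS (135), NA (136).
    acl_cmd "$pg" to-lport   'icmp6 && icmp6.type == {130, 134, 135, 136}'
}

# Usage: base-acls.sh [port-group] [print|apply]
# "apply" runs the commands when ovn-nbctl is on PATH; otherwise they are
# printed so they can be reviewed or diffed before touching the northbound DB.
main() {
    local pg="${1:-ovn.sg.kubeovn_deny_all}" mode="${2:-print}"
    if [ "$mode" = apply ] && command -v ovn-nbctl >/dev/null 2>&1; then
        base_acl_cmds "$pg" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        base_acl_cmds "$pg"
    fi
}

main "$@"
```

Run it with no arguments to print the eight commands for `ovn.sg.kubeovn_deny_all`; pass `apply` as the second argument on a node with `ovn-nbctl` to install them. The egress and ingress ICMPv6 sets are intentionally asymmetric: RS (133) is only allowed out and RA (134) only in, which is the same split neutron's BASE_EGRESS/BASE_INGRESS rules enforce to stop a VM from acting as a rogue router.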

lynn901 commented 1 year ago

(BASE_EGRESS) implements ARP spoofing protection, IP spoofing protection, allows traffic related to IP address allocations (DHCP, DHCPv6, SLAAC, NDP) for egress traffic, and allows ARP replies.

  1. Rules below allow ICMPv6 traffic for multicast listeners, neighbour solicitation and neighbour advertisement.
  2. Following rules implement ARP spoofing protection.
  3. DHCP and DHCPv6 traffic is allowed to instance but DHCP servers are blocked on instances.
  4. Following rules obtain conntrack information for valid IP and MAC address combinations. All other packets are dropped.

(RULES_EGRESS) accepts only established or related connections, and implements rules defined by security groups.

(BASE_INGRESS) allows basic ingress traffic for obtaining IP address and ARP queries.