Bug 1275965
Summary: Horizon can't create rules for ipv6
Product: Red Hat OpenStack
Component: python-django-horizon
Version: 7.0 (Kilo)
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: z10
Target Release: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Reporter: Edu Alcaniz <ealcaniz>
Assignee: Nate Johnston <njohnston>
QA Contact: Beth White <beth.white>
CC: amuller, athomas, beth.white, bhaley, bschmaus, chrisw, ealcaniz, jrist, jschluet, jthomas, mrunge, njohnston, rdopiera, srevivo, tvignaud, yeylon
Keywords: Triaged, ZStream
Fixed In Version: python-django-horizon-13.0.2-5.el7ost
Doc Type: Bug Fix
Type: Bug
Last Closed: 2020-03-10 11:25:01 UTC
Bug Blocks: 1758361, 1758362

Attachments:
Created attachment 1087166
only rules ipv4 could be created

I create with command line

neutron security-group-rule-create --direction ingress --ethertype IPv6 --protocol tcp SG_ipv6
neutron security-group-rule-create --direction ingress --ethertype IPv6 --protocol udp SG_ipv6

I can see in neutron

[root@overcloud-controller-1 ~]# neutron security-group-rule-list | grep IPv6
| 168bbe11-48b1-4cf8-9ff2-c537a90cfbb3 | SG_with_ping_ssh | egress | IPv6 | any | any |
| 18f8b640-19fa-4615-96d0-ce9fcd710591 | opsadmin-sec | egress | IPv6 | any | any |
| 1a71c4fe-e6fa-4a15-99e8-609f42614d15 | default | egress | IPv6 | any | any |
| 212e6d11-9752-42a8-bd1a-b9e231f1598c | SG_ipv6 | egress | IPv6 | any | any |
| 2445b420-2932-4278-a279-80973cd295cc | SG_ipv6 | ingress | IPv6 | udp | any |
| 3a6e04e0-cd1e-4f4f-9609-278466a54937 | PoC SecurityGroup | egress | IPv6 | any | any |
| 3bfce950-67c5-439f-be9c-ae62a296c930 | Encrypted_Only | egress | IPv6 | any | any |
| 41b47ca5-4f9f-4432-800d-f6f688eb54de | default | ingress | IPv6 | any | default (group) |
| 5056978c-d180-4dd7-8ee2-97dddf70765e | todo-pasa | egress | IPv6 | any | any |
| 5b27ba45-65d9-4fee-b94d-47a4fce0bb19 | default | ingress | IPv6 | any | default (group) |
| 73562502-b39e-4726-a31e-d07dbd0aebba | SG_ipv6 | ingress | IPv6 | tcp | any |
| 84a31773-10b2-4c23-90dd-40b86e5536c2 | default | ingress | IPv6 | any | default (group) |
| 8535cf28-a0b2-4335-82eb-2f5005542448 | default | ingress | IPv6 | any | default (group) |
| 958de7e4-2fe7-4bc9-8323-766111063751 | default | egress | IPv6 | any | any |
| b7fb5314-aa13-4d23-a275-06a7d7d7c8f4 | default | egress | IPv6 | any | any |
| b87a1f83-0f2e-431a-af37-bb9662939b3a | Encrypted_Only_No_ICMP | egress | IPv6 | any | any |
| f415fbb2-0567-486b-a836-21d1546d870b | default | egress | IPv6 | any | any |

but not in Horizon.

[root@overcloud-controller-1 ~]# neutron security-group-show SG_ipv6
+----------------------+--------------------------------------------------------------------+
| Field                | Value                                                              |
+----------------------+--------------------------------------------------------------------+
| description          |                                                                    |
| id                   | e27eb9cc-51f4-43ea-a0e2-5182af64e683                               |
| name                 | SG_ipv6                                                            |
| security_group_rules | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "1c92b0a87c884bedaf4880599fd99116",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "212e6d11-9752-42a8-bd1a-b9e231f1598c"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "udp",                                            |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "2445b420-2932-4278-a279-80973cd295cc"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "tcp",                                            |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": 22,                                         |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": 22,                                         |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "509cdcde-93ca-4026-ad0c-f6635652cef9"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "tcp",                                            |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "73562502-b39e-4726-a31e-d07dbd0aebba"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "1c92b0a87c884bedaf4880599fd99116",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "id": "986f796c-f1d9-447d-b2ac-e6a765fe192f"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "1c92b0a87c884bedaf4880599fd99116",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "id": "dd8ad2ad-558a-4d2a-8f77-b22f9fc5d4cd"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "icmp",                                           |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "e54779a3-711c-410e-b770-f8f290a490cc"                  |
|                      | }                                                                  |
| tenant_id            | 1c92b0a87c884bedaf4880599fd99116                                   |
+----------------------+--------------------------------------------------------------------+

Did you try to use a remote IP prefix like ::/0? When I did that, eth type IPv6 was added to the table automatically.

Right, it works how you say it. Thanks.

(In reply to Edu Alcaniz from comment #6)
> Right, it works how you say it. Thanks.

Based on the feedback 'it works', I'm closing this bug.

Have we made any headway on testing and verification on why we see the behaviours we see?

You can make Horizon create rules with ip_protocol=icmpv6 by adding this to your local_settings file:

SECURITY_GROUP_RULES = {
    'all_tcp': {
        'name': _('All TCP'),
        'ip_protocol': 'tcp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_udp': {
        'name': _('All UDP'),
        'ip_protocol': 'udp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_icmp': {
        'name': _('All ICMP'),
        'ip_protocol': 'icmp',
        'from_port': '-1',
        'to_port': '-1',
    },
    'all_icmpv6': {
        'name': _('All ICMPV6'),
        'ip_protocol': 'icmpv6',
        'from_port': '-1',
        'to_port': '-1',
    },
}

And then selecting the new "All ICMPV6" option when creating the rule. I'm posting a patch upstream that makes that change in the default settings.

Please note that users have always been able to create ICMPV6 rules by selecting "Other protocol" and specifying the "IP protocol" field value as "58".

Radomir - This has been in development for a bit. Have we made progress and will this be implemented? If so, which release?

Hi Benjamin, I submitted a patch for this upstream (you can see it linked to this bug as https://review.openstack.org/#/c/473481/) but people from Neutron say that they would prefer to fix this on their side, so the Horizon patch is on hold. You can still create ICMPV6 rules as described in comment 26, and you can make it easier by modifying the configuration as per comment 24.

Added neutron bug https://bugs.launchpad.net/neutron/+bug/1582500 as it is tracking the changes to the server code required to fix this on the neutron side. The related patches have stalled for some time, so will need to be revived.

Brian, am I correct that https://review.opendev.org/#/c/427670/ is the main part of the fix? Is that and https://review.opendev.org/#/c/660206/ the outstanding items for this?

The neutron, neutron-tempest-plugin and tempest changes have merged upstream, and the additional tempest change was abandoned. That just leaves the horizon change, which I did add a comment to but have not received a response.
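
An added example, not part of this bug thread and not code from Horizon or neutron: a small audit over rule dictionaries that use the field names printed by `neutron security-group-show` earlier in this report, useful because rules created from the CLI can exist without appearing in Horizon. The function names, finding labels and sample rules are constructed for illustration.

```python
import ipaddress

ICMPV4 = {"icmp", "1"}      # IPv4 ICMP by name / protocol number
ICMPV6 = {"icmpv6", "58"}   # values this thread uses for ICMPv6

def ethertype_for_prefix(prefix):
    """Address family of a CIDR, e.g. '::/0' -> 'IPv6'."""
    return "IPv%d" % ipaddress.ip_network(prefix, strict=False).version

def any_source(rule):
    """True when no remote group and no narrowing prefix limits the peer."""
    if rule["remote_group_id"] is not None:
        return False
    prefix = rule["remote_ip_prefix"]
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def audit_rule(rule):
    """Return review findings (hypothetical labels) for one rule dict."""
    findings = []
    proto = None if rule["protocol"] is None else str(rule["protocol"]).lower()
    prefix, eth = rule["remote_ip_prefix"], rule["ethertype"]
    if prefix is not None and ethertype_for_prefix(prefix) != eth:
        findings.append("prefix-family-mismatch")
    if (eth == "IPv6" and proto in ICMPV4) or (eth == "IPv4" and proto in ICMPV6):
        findings.append("icmp-name-does-not-match-ethertype")
    no_ports = rule["port_range_min"] is None and rule["port_range_max"] is None
    if (rule["direction"] == "ingress" and any_source(rule) and no_ports
            and proto not in (ICMPV4 | ICMPV6)):
        findings.append("ingress-any-source-all-ports")
    return findings

def audit_group(rules, ethertype="IPv6"):
    """Map rule id -> findings for rules of one ethertype that have any."""
    checked = ((r["id"], audit_rule(r)) for r in rules if r["ethertype"] == ethertype)
    return {rule_id: found for rule_id, found in checked if found}

def make_rule(id_, direction, eth, proto=None, prefix=None, port=None):
    """Build a constructed sample rule with the field names neutron prints."""
    return {"id": id_, "direction": direction, "ethertype": eth, "protocol": proto,
            "remote_ip_prefix": prefix, "remote_group_id": None,
            "port_range_min": port, "port_range_max": port}

# Constructed sample modelled on the SG_ipv6 output in this report (ids are made up).
SAMPLE = [make_rule("udp-any", "ingress", "IPv6", "udp"),
          make_rule("tcp-22", "ingress", "IPv6", "tcp", port=22),
          make_rule("icmp-on-v6", "ingress", "IPv6", "icmp"),
          make_rule("icmpv6-any", "ingress", "IPv6", "58", prefix="::/0"),
          make_rule("egress-v6", "egress", "IPv6")]

print(audit_group(SAMPLE))
```

The findings are review prompts rather than statements about how neutron enforces a rule; real input would be the rule list returned by the neutron API for the group.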

Horizon change is still under very active discussion. I think we are close to a fix.

Upstream master merged; backport cherry picks created.

This patchset was cherry picked to branch stable/stein as commit https://review.opendev.org/#/q/4debec8524c81b85fd44d054c1b99c2109c6e17f

This patchset was cherry picked to branch stable/rocky as commit https://review.opendev.org/#/q/7a5ed4b688c7f69ce63ef600611947e08e14bcd0

This patchset was cherry picked to branch stable/queens as commit https://review.opendev.org/#/q/9f8be703ed135ec2ae46a7a39d04b48e8d245ca3

Once these are done will do downstream backports as far back as Newton.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0763

Created attachment 1087164
ethertype is not showing

Description of problem:
Horizon can't create rules for ipv6.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Go to access and security and manage rule, you can't see Ipv4 or ipv6 to create the rule. Only create rules ingress for ipv4

Actual results:

Expected results:
Horizon should be able to create rules for ipv6.

Additional info: