Bug 1365874
Summary: | [RFE] [ODL] [RHEL 7.3] IPv4 security-groups support with OVS conntrack | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Nir Yechiel <nyechiel> |
Component: | opendaylight | Assignee: | Aswin Suryanarayanan <asuryana> |
Status: | CLOSED ERRATA | QA Contact: | Itzik Brown <itbrown> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 10.0 (Newton) | CC: | itbrown, jjoyce, jschluet, lpeer, lruzicka, mkolesni, mlopes, nyechiel, oblaut, sclewis |
Target Milestone: | z2 | Keywords: | FutureFeature, TechPreview, Triaged, ZStream |
Target Release: | 10.0 (Newton) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | opendaylight-5.2.0-2.el7ost | Doc Type: | Enhancement |
Doc Text: | Red Hat OpenDaylight now supports tenant-configurable security groups for IPv4 traffic. In the default setting, each tenant uses a security group that allows communication among instances associated with that group. Consequently, all egress traffic within the security group is allowed, while the ingress traffic from the outside is dropped. | ||
Story Points: | --- |
Clone Of: | | Environment: | N/A |
Last Closed: | 2017-02-27 15:12:26 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Nir Yechiel
2016-08-10 11:52:35 UTC
Upstream gerrit: https://git.opendaylight.org/gerrit/#/c/40766/

1) IETF yang added in MDSAL project
https://git.opendaylight.org/gerrit/#/c/39423/

2) Added support for fixed Security group.
a) Added DHCP and Arp rules
b) Added default connection tracking rules.
https://git.opendaylight.org/gerrit/#/c/40766/

3) AclService Custom Security Group
a) TCP, UDP, ICMP and Other protocol support added
b) ietf acl to flow converter added.
https://git.opendaylight.org/gerrit/#/c/41651/

4) Added Port Range and Ipv6 matches
a) Added port range match using nicira extension.
b) Added IPV6 source and destination matches
https://git.opendaylight.org/gerrit/#/c/42889/

5) ACL ingress/egress service bindings (integration with genius)
a) ACL ingress/egress service binding implementation is done but currently the call to bind/unbind services are commented. This should be uncommented once ACL related flow programming is complete.
b) Service priorities have been updated for L3VPN and ELAN. + Added table miss entries for both ingress and egress ACL tables during node up.
https://git.opendaylight.org/gerrit/#/c/41325/

6) Neutron VPNListener changes
a) added Security Rule listener to handle conversion from security rule to acl model
https://git.opendaylight.org/gerrit/#/c/40860/

7) Support for interface update and acl update
a) handled interface update (security group added/deleted, port security flag enable/disable)
b) handled acl update (security rule is added/deleted from security group)
https://git.opendaylight.org/gerrit/#/c/41835/

8) Support ace (security rule) add/remove in egress/ingress service
https://git.opendaylight.org/gerrit/#/c/41945/

9) Changes to support RemoteSecurityGroup
a) handled remote security group for interface add/delete, interface update (SG add/delete and AllowedAddressPair add/delete) and SG update (SR add/delete)
https://git.opendaylight.org/gerrit/#/c/43051/

10) Security Group: Allowed address pair changes
a) Updated Neutron port listener to pass Neutron port's MAC + Fixed Ips as allowed address pairs to Acl Service
b) Moved all SG utility methods to NeutronvpnUtils
https://git.opendaylight.org/gerrit/#/c/42614/

11) ACL: Updated to cache interface/interface state details
a) Updated to cache only required interface/interface state details in AclInterface object
b) AclInterface object used now as reference in all listeners for programming ACL flows instead of Interface/Interface State object from config/operational DS
c) Resolved NullPointerException observed while ACL flows were deleted - Updated AclDataUtil to use UUID of SG everywhere instead of SG name
https://git.opendaylight.org/gerrit/#/c/42967/

12) Code optimization for cluster environment
a) handle to execute code only from one of the cluster node.
b) handle local cache updation in all the cluster nodes.
https://git.opendaylight.org/gerrit/#/c/44042

Boron SR1 won't be available on time for RHOSP 10 GA - this will be shipped as an update in a point release, post RHOSP 10 GA.
Verified: opendaylight-5.2.0-4.el7ost.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0326.html