Bug 1399140

Summary: [RFE] [ODL] [IPv6] Security-Groups support with OVS conntrack
Product: Red Hat OpenStack
Reporter: Sridhar Gaddam <sgaddam>
Component: opendaylight
Assignee: Sridhar Gaddam <sgaddam>
Status: CLOSED ERRATA
QA Contact: Itzik Brown <itbrown>
Severity: medium
Priority: medium
Version: 10.0 (Newton)
CC: lpeer, lruzicka, mkolesni, nlevinki, nyechiel, sgaddam, tvignaud, wznoinsk
Target Milestone: ga
Keywords: AutomationBlocker, FutureFeature, TechPreview, Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: opendaylight-6.0.0-1.el7ost
Doc Type: If docs needed, set a value
Environment: N/A
Last Closed: 2017-12-13 20:52:28 UTC
Type: Bug
Bug Blocks: 1442136, 1468979, 1469017

Description Sridhar Gaddam 2016-11-28 11:43:53 UTC
Description of problem:

As a tenant, I want to be able to control what IPv6 traffic can flow in and out of my VM using standard TCP/IP characteristics, so that I can limit the applications running on it.

Comment 1 Sridhar Gaddam 2016-11-28 11:45:07 UTC
Some of the main patches that implement this functionality in Netvirt are listed below.

NetVirt patches:
ACL Support for IPv6 IPAM: https://git.opendaylight.org/gerrit/#/c/44148/

Added Port Range and Ipv6 matches: https://git.opendaylight.org/gerrit/#/c/42889/

Bug 6623: Fix NPE in AclServiceUtils: https://git.opendaylight.org/gerrit/#/c/45063/

Fixes the SSH drop from DHCP namespace: https://git.opendaylight.org/gerrit/#/c/44876/
Mask IPv6Prefix in ACL flows: https://git.opendaylight.org/gerrit/#/c/45728/

Fixes default SG remote groups rules: https://git.opendaylight.org/gerrit/#/c/45408/

Bug 6532: Fix ACL IPv6 VM to VM communication on same network: https://git.opendaylight.org/gerrit/#/c/44690/

OVSDB Fixes:

IPv6 support in Security Groups: https://git.opendaylight.org/gerrit/#/c/32347/

Add IPv6 SecurityGroup tests: https://git.opendaylight.org/gerrit/#/c/33717/

Comment 2 Sridhar Gaddam 2016-11-28 11:49:56 UTC
The implementation is largely complete and needs to be validated.

Important note: nf_conntrack_ipv6 kernel module needs to be loaded for IPv6 Security Groups to work. It was seen that some distributions do not load this module by default.

One pending activity related to this use-case is to make the ACL rules more restrictive in nature (i.e., while allowing a Router Advt/DHCPv6 Server response, we have to allow traffic only from the Neutron Router port/DHCP port etc). This activity is currently on the roadmap and will be handled in future patchsets.
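A prerequisite check for the kernel-module note above, added here as an example and not part of the bug report or of the OpenDaylight/OVS code: it tests whether nf_conntrack_ipv6 appears in /proc/modules-style text (so it can be run offline on a captured copy), picks the module name from the kernel release, and shows how to persist the load across reboots. The file name /etc/modules-load.d/ovs-ipv6-sg.conf is an assumption.

```shell
#!/bin/sh
# Added example: verify and persist the nf_conntrack_ipv6 prerequisite for
# OVS-conntrack based IPv6 Security Groups on RHEL 7 era (3.10) kernels.

# $1: text in /proc/modules format. Returns 0 when nf_conntrack_ipv6 is loaded.
# In production call it as: conntrack_ipv6_loaded "$(cat /proc/modules)"
conntrack_ipv6_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "nf_conntrack_ipv6" { found = 1 }
        END { exit !found }'
}

# $1: kernel release string, e.g. "3.10.0-514.el7.x86_64".
# Prints the module that provides IPv6 connection tracking: nf_conntrack_ipv6
# on kernels before 4.19, or "builtin" on 4.19+ where IPv6 tracking was folded
# into nf_conntrack itself and a modprobe of nf_conntrack_ipv6 would fail.
ipv6_conntrack_module_for_kernel() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 19 ]; }; then
        echo builtin
    else
        echo nf_conntrack_ipv6
    fi
}

# Prints the content of the systemd modules-load.d drop-in (file name assumed)
# that makes the module load at every boot instead of only once by hand.
persist_config() {
    printf 'nf_conntrack_ipv6\n'
}

# Load the module now and confirm the kernel actually registered it.
# Not exercised by the offline test; needs root and a real kernel.
load_and_verify() {
    mod=$(ipv6_conntrack_module_for_kernel "$(uname -r)")
    [ "$mod" = builtin ] && return 0
    modprobe "$mod" || return 1
    conntrack_ipv6_loaded "$(cat /proc/modules)" || return 1
    persist_config > /etc/modules-load.d/ovs-ipv6-sg.conf
}
```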

Comment 6 Sridhar Gaddam 2017-06-30 15:57:11 UTC
Some additional fixes.

Bug 7952: ACLService to treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6 - https://git.opendaylight.org/gerrit/#/c/53137/

Fix ACL IPv6 flows to match on ipv6_src/ipv6_dst for remote SG - https://git.opendaylight.org/gerrit/#/c/53470/

Comment 15 errata-xmlrpc 2017-12-13 20:52:28 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462