Bug 1399140
Summary: | [RFE] [ODL] [IPv6] Security-Groups support with OVS conntrack | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Sridhar Gaddam <sgaddam> |
Component: | opendaylight | Assignee: | Sridhar Gaddam <sgaddam> |
Status: | CLOSED ERRATA | QA Contact: | Itzik Brown <itbrown> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 10.0 (Newton) | CC: | lpeer, lruzicka, mkolesni, nlevinki, nyechiel, sgaddam, tvignaud, wznoinsk |
Target Milestone: | ga | Keywords: | AutomationBlocker, FutureFeature, TechPreview, Triaged |
Target Release: | 12.0 (Pike) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | opendaylight-6.0.0-1.el7ost | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: |
N/A
|
|
Last Closed: | 2017-12-13 20:52:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1442136, 1468979, 1469017 |
Description
Sridhar Gaddam
2016-11-28 11:43:53 UTC
Some of the main patches that implement this functionality in Netvirt are listed below.

NetVirt patches:
- ACL Support for IPv6 IPAM: https://git.opendaylight.org/gerrit/#/c/44148/
- Added Port Range and Ipv6 matches: https://git.opendaylight.org/gerrit/#/c/42889/
- Bug 6623: Fix NPE in AclServiceUtils: https://git.opendaylight.org/gerrit/#/c/45063/
- Fixes the SSH drop from DHCP namespace: https://git.opendaylight.org/gerrit/#/c/44876/
- Mask IPv6Prefix in ACL flows: https://git.opendaylight.org/gerrit/#/c/45728/
- Fixes default SG remote groups rules: https://git.opendaylight.org/gerrit/#/c/45408/
- Bug 6532: Fix ACL IPv6 VM to VM communication on same network: https://git.opendaylight.org/gerrit/#/c/44690/

OVSDB Fixes:
- IPv6 support in Security Groups: https://git.opendaylight.org/gerrit/#/c/32347/
- Add IPv6 SecurityGroup tests: https://git.opendaylight.org/gerrit/#/c/33717/

The implementation is largely complete and needs to be validated.

Important note: nf_conntrack_ipv6 kernel module needs to be loaded for IPv6 Security Groups to work. It was seen that some distributions do not load this module by default.

One pending activity related to this use-case is to make the ACL rules more restrictive in nature (i.e., while allowing a Router Advt/DHCPv6 Server response, we have to allow traffic only from the Neutron Router port/DHCP port etc). This activity is currently under roadmap and will be handled in future patchsets.

Some additional fixes.
- Bug 7952: ACLService to treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6 - https://git.opendaylight.org/gerrit/#/c/53137/
- Fix ACL IPv6 flows to match on ipv6_src/ipv6_dst for remote SG - https://git.opendaylight.org/gerrit/#/c/53470/

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
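The description notes that nf_conntrack_ipv6 must be loaded for IPv6 Security Groups to work and that some distributions do not load it by default. The following check is an added example, not part of the bug report or of the OpenDaylight code; it assumes the loaded-module list is in /proc/modules format and that boot-time loading is configured through systemd modules-load.d files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether nf_conntrack_ipv6 is loaded now and whether it
# is configured to load at boot. Function names are illustrative only.
# Assumptions: /proc/modules format for the loaded-module list, and
# systemd modules-load.d (*.conf, one module name per line) for persistence.

MODULE=nf_conntrack_ipv6

# module_loaded FILE: succeeds if MODULE is the first field of a line in FILE.
# Matching on the first field avoids false hits on lines where the module
# only appears in another module's "used by" column.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# module_persistent DIR: succeeds if a *.conf file in DIR names MODULE on a
# line of its own. Commented lines never match because their first field
# starts with the comment character.
module_persistent() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v m="$MODULE" '$1 == m && NF == 1 { found = 1 } END { exit !found }' "$f"; then
            return 0
        fi
    done
    return 1
}

# conntrack_ipv6_status [MODULES_FILE] [LOAD_DIR]: prints one of
#   ok              loaded and configured to load at boot
#   not-persistent  loaded now, but will not come back after a reboot
#   not-loaded      configured for boot, but not loaded now
#   missing         neither loaded nor configured
conntrack_ipv6_status() {
    modules_file="${1:-/proc/modules}"
    load_dir="${2:-/etc/modules-load.d}"
    if module_loaded "$modules_file"; then
        if module_persistent "$load_dir"; then echo ok; else echo not-persistent; fi
    else
        if module_persistent "$load_dir"; then echo not-loaded; else echo missing; fi
    fi
}
```

Calling `conntrack_ipv6_status` with no arguments on a compute node reads the live /proc/modules and /etc/modules-load.d; a result other than `ok` means IPv6 security group flows that rely on conntrack may not work now or after the next reboot.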