Bug 1275965 - Horizon can't create rules for ipv6 [NEEDINFO]
Horizon can't create rules for ipv6
Status: ON_DEV
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon (Show other bugs)
7.0 (Kilo)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Radomir Dopieralski
Ido Ovadia
: Reopened, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-28 04:42 EDT by Edu Alcaniz
Modified: 2018-01-16 09:14 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-29 08:25:46 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
bschmaus: needinfo?


Attachments (Terms of Use)
ethertype is not showing (86.57 KB, image/png)
2015-10-28 04:42 EDT, Edu Alcaniz
no flags Details
only rules ipv4 could be created (42.08 KB, image/png)
2015-10-28 04:43 EDT, Edu Alcaniz
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1567334 None None None 2017-06-12 08:48 EDT
Launchpad 1652619 None None None 2017-06-12 08:50 EDT
OpenStack gerrit 473481 None None None 2017-06-12 10:32 EDT

  None (edit)
Description Edu Alcaniz 2015-10-28 04:42:53 EDT
Created attachment 1087164 [details]
ethertype is not showing

Description of problem:
Horizon can't create rules for ipv6. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Go to access and security and manage rule, you can-t see Ipv4 o ipv6 to create the rule. Only create rules ingress for ipv4

2.
3.

Actual results:


Expected results:
Horizon should be able to create rules for ipv6.

Additional info:
Comment 2 Edu Alcaniz 2015-10-28 04:43 EDT
Created attachment 1087166 [details]
only rules ipv4 could be created
Comment 3 Edu Alcaniz 2015-10-28 04:49:49 EDT
I create with command line

neutron security-group-rule-create --direction ingress --ethertype IPv6 --protocol tcp SG_ipv6

neutron security-group-rule-create --direction ingress --ethertype IPv6 --protocol udp SG_ipv6


I can see in neutron

[root@overcloud-controller-1 ~]# neutron security-group-rule-list | grep IPv6
| 168bbe11-48b1-4cf8-9ff2-c537a90cfbb3 | SG_with_ping_ssh       | egress    | IPv6      | any           | any              |
| 18f8b640-19fa-4615-96d0-ce9fcd710591 | opsadmin-sec           | egress    | IPv6      | any           | any              |
| 1a71c4fe-e6fa-4a15-99e8-609f42614d15 | default                | egress    | IPv6      | any           | any              |
| 212e6d11-9752-42a8-bd1a-b9e231f1598c | SG_ipv6                | egress    | IPv6      | any           | any              |
| 2445b420-2932-4278-a279-80973cd295cc | SG_ipv6                | ingress   | IPv6      | udp           | any              |
| 3a6e04e0-cd1e-4f4f-9609-278466a54937 | PoC SecurityGroup      | egress    | IPv6      | any           | any              |
| 3bfce950-67c5-439f-be9c-ae62a296c930 | Encrypted_Only         | egress    | IPv6      | any           | any              |
| 41b47ca5-4f9f-4432-800d-f6f688eb54de | default                | ingress   | IPv6      | any           | default (group)  |
| 5056978c-d180-4dd7-8ee2-97dddf70765e | todo-pasa              | egress    | IPv6      | any           | any              |
| 5b27ba45-65d9-4fee-b94d-47a4fce0bb19 | default                | ingress   | IPv6      | any           | default (group)  |
| 73562502-b39e-4726-a31e-d07dbd0aebba | SG_ipv6                | ingress   | IPv6      | tcp           | any              |
| 84a31773-10b2-4c23-90dd-40b86e5536c2 | default                | ingress   | IPv6      | any           | default (group)  |
| 8535cf28-a0b2-4335-82eb-2f5005542448 | default                | ingress   | IPv6      | any           | default (group)  |
| 958de7e4-2fe7-4bc9-8323-766111063751 | default                | egress    | IPv6      | any           | any              |
| b7fb5314-aa13-4d23-a275-06a7d7d7c8f4 | default                | egress    | IPv6      | any           | any              |
| b87a1f83-0f2e-431a-af37-bb9662939b3a | Encrypted_Only_No_ICMP | egress    | IPv6      | any           | any              |
| f415fbb2-0567-486b-a836-21d1546d870b | default                | egress    | IPv6      | any           | any              |



but not in Horizon.
Comment 4 Edu Alcaniz 2015-10-28 04:52:01 EDT
[root@overcloud-controller-1 ~]# neutron security-group-show SG_ipv6
+----------------------+--------------------------------------------------------------------+
| Field                | Value                                                              |
+----------------------+--------------------------------------------------------------------+
| description          |                                                                    |
| id                   | e27eb9cc-51f4-43ea-a0e2-5182af64e683                               |
| name                 | SG_ipv6                                                            |
| security_group_rules | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "1c92b0a87c884bedaf4880599fd99116",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "212e6d11-9752-42a8-bd1a-b9e231f1598c"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "udp",                                            |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "2445b420-2932-4278-a279-80973cd295cc"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "tcp",                                            |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": 22,                                         |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": 22,                                         |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "509cdcde-93ca-4026-ad0c-f6635652cef9"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "tcp",                                            |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "73562502-b39e-4726-a31e-d07dbd0aebba"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "1c92b0a87c884bedaf4880599fd99116",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "id": "986f796c-f1d9-447d-b2ac-e6a765fe192f"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "1c92b0a87c884bedaf4880599fd99116",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "id": "dd8ad2ad-558a-4d2a-8f77-b22f9fc5d4cd"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "ingress",                                       |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": "icmp",                                           |
|                      |      "tenant_id": "18f2f98724064aab9ef0de7bc63c088f",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "e27eb9cc-51f4-43ea-a0e2-5182af64e683",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "e54779a3-711c-410e-b770-f8f290a490cc"                  |
|                      | }                                                                  |
| tenant_id            | 1c92b0a87c884bedaf4880599fd99116                                   |
+----------------------+--------------------------------------------------------------------+
Comment 5 Matthias Runge 2015-10-28 19:50:36 EDT
Did you try to use a remote IP prefix like 	::/0  ?

When I did that, eth type IPv6 was added to the table automatically.
Comment 6 Edu Alcaniz 2015-10-29 04:50:39 EDT
write it works how do you say it. thanks
Comment 7 Matthias Runge 2015-10-29 08:25:46 EDT
(In reply to Edu Alcaniz from comment #6)
> write it works how do you say it. thanks

Based of the feedback 'it works', I'm closing this bug.
Comment 17 Benjamin Schmaus 2017-01-11 08:22:39 EST
Have we made any head way on testing and verification on why we see the behaviours we see?
Comment 24 Radomir Dopieralski 2017-06-12 10:21:40 EDT
You can make Horizon create rules with ip_protocol=icmpv6 by adding this to your local_settings file:

SECURITY_GROUP_RULES = {
    'all_tcp': {
        'name': _('All TCP'),
        'ip_protocol': 'tcp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_udp': {
        'name': _('All UDP'),
        'ip_protocol': 'udp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_icmp': {
        'name': _('All ICMP'),
        'ip_protocol': 'icmp',
        'from_port': '-1',
        'to_port': '-1',
    },
    'all_icmpv6': {
        'name': _('All ICMPV6'),
        'ip_protocol': 'icmpv6',
        'from_port': '-1',
        'to_port': '-1',
    },
}

And then selecting the new "All ICMPV6" option when creating the rule.
Comment 25 Radomir Dopieralski 2017-06-12 10:33:00 EDT
I'm posting a patch upstream that makes that change in the default settings.
Comment 26 Radomir Dopieralski 2017-06-12 10:35:35 EDT
Please note that users have always been able to create ICMPV6 rules by selecting "Other protocol" and specifying the "IP protocol" field value as "58".
Comment 27 Benjamin Schmaus 2017-10-19 08:35:24 EDT
Radomir - This has been in development for a bit.  Have we made progress and will this be implemented?   If so which release?
Comment 28 Radomir Dopieralski 2017-10-19 08:56:30 EDT
Hi Benjamin, I submitted a patch for this upstream (you can see it linked to this bug as https://review.openstack.org/#/c/473481/) but people from Neutron say that they would rather prefer to fix this on their side, so the Horizon patch is on hold. You can still create ICMPV6 rules as described in comment 26, and you can make it easier by modifying the configuration as per comment 24.

Note You need to log in before you can comment on or make changes to this bug.