Description of problem: As a tenant, I want to be able to control what traffic can flow in and out of my VM using standard TCP/IP characteristics, so that I can limit the applications running on it.
Upstream gerrit: https://git.opendaylight.org/gerrit/#/c/40766/
1) IETF yang added in MDSAL project
   https://git.opendaylight.org/gerrit/#/c/39423/
2) Added support for fixed Security group.
   a) Added DHCP and Arp rules
   b) Added default connection tracking rules.
   https://git.opendaylight.org/gerrit/#/c/40766/
3) AclService Custom Security Group
   a) TCP, UDP, ICMP and Other protocol support added
   b) ietf acl to flow converter added.
   https://git.opendaylight.org/gerrit/#/c/41651/
4) Added Port Range and Ipv6 matches
   a) Added port range match using nicira extension.
   b) Added IPV6 source and destination matches
   https://git.opendaylight.org/gerrit/#/c/42889/
5) ACL ingress/egress service bindings (integration with genius)
   a) ACL ingress/egress service binding implementation is done but currently the call to bind/unbind services are commented. This should be uncommented once ACL related flow programming is complete.
   b) Service priorities have been updated for L3VPN and ELAN.
   + Added table miss entries for both ingress and egress ACL tables during node up.
   https://git.opendaylight.org/gerrit/#/c/41325/
6) Neutron VPNListener changes
   a) added Security Rule listener to handle conversion from security rule to acl model
   https://git.opendaylight.org/gerrit/#/c/40860/
7) Support for interface update and acl update
   a) handled interface update (security group added/deleted, port security flag enable/disable)
   b) handled acl update (security rule is added/deleted from security group)
   https://git.opendaylight.org/gerrit/#/c/41835/
8) Support ace (security rule) add/remove in egress/ingress service
   https://git.opendaylight.org/gerrit/#/c/41945/
9) Changes to support RemoteSecurityGroup
   a) handled remote security group for interface add/delete, interface update (SG add/delete and AllowedAddressPair add/delete) and SG update (SR add/delete)
   https://git.opendaylight.org/gerrit/#/c/43051/
10) Security Group: Allowed address pair changes
   a) Updated Neutron port listener to pass Neutron port's MAC + Fixed Ips as allowed address pairs to Acl Service
   b) Moved all SG utility methods to NeutronvpnUtils
   https://git.opendaylight.org/gerrit/#/c/42614/
11) ACL: Updated to cache interface/interface state details
   a) Updated to cache only required interface/interface state details in AclInterface object
   b) AclInterface object used now as reference in all listeners for programming ACL flows instead of Interface/Interface State object from config/operational DS
   c) Resolved NullPointerException observed while ACL flows were deleted - Updated AclDataUtil to use UUID of SG everywhere instead of SG name
   https://git.opendaylight.org/gerrit/#/c/42967/
12) Code optimization for cluster environment
   a) handle to execute code only from one of the cluster nodes.
   b) handle local cache updation in all the cluster nodes.
   https://git.opendaylight.org/gerrit/#/c/44042
Boron SR1 won't be available on time for RHOSP 10 GA - this will be shipped as an update in a point release, post RHOSP 10 GA.
Verified: opendaylight-5.2.0-4.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0326.html