Description of problem: As a tenant, I want to be able to control what IPv6 traffic can flow in and out of my VM using standard TCP/IP characteristics, so that I can limit the applications running on it.
Some of the main patches that implement this functionality in Netvirt are listed below.

NetVirt patches:
ACL Support for IPv6 IPAM: https://git.opendaylight.org/gerrit/#/c/44148/
Added Port Range and Ipv6 matches: https://git.opendaylight.org/gerrit/#/c/42889/
Bug 6623: Fix NPE in AclServiceUtils: https://git.opendaylight.org/gerrit/#/c/45063/
Fixes the SSH drop from DHCP namespace: https://git.opendaylight.org/gerrit/#/c/44876/
Mask IPv6Prefix in ACL flows: https://git.opendaylight.org/gerrit/#/c/45728/
Fixes default SG remote groups rules: https://git.opendaylight.org/gerrit/#/c/45408/
Bug 6532: Fix ACL IPv6 VM to VM communication on same network: https://git.opendaylight.org/gerrit/#/c/44690/

OVSDB Fixes:
IPv6 support in Security Groups: https://git.opendaylight.org/gerrit/#/c/32347/
Add IPv6 SecurityGroup tests: https://git.opendaylight.org/gerrit/#/c/33717/
The implementation is largely complete and needs to be validated.

Important note: The nf_conntrack_ipv6 kernel module needs to be loaded for IPv6 Security Groups to work. It was seen that some distributions do not load this module by default.

One pending activity related to this use-case is to make the ACL rules more restrictive in nature (i.e., while allowing a Router Advt/DHCPv6 Server response, we have to allow traffic only from the Neutron Router port/DHCP port etc). This activity is currently on the roadmap and will be handled in future patchsets.
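A check for the kernel module named in the note above, as an added example that is not part of the original bug report or of the NetVirt code. The function name `conntrack6_status`, its file-path parameters and the sample lines are assumptions made for this example; the paths default to the running host's `/proc/modules` and `modules.builtin`.

```shell
#!/bin/sh
# Added example: report whether nf_conntrack_ipv6 is available on a node.
#   $1  file in /proc/modules format   (default: /proc/modules)
#   $2  file in modules.builtin format (default: running kernel's list)
# Prints loaded | builtin | missing; returns non-zero only for "missing".
conntrack6_status() {
    loaded_file=${1:-/proc/modules}
    builtin_file=${2:-/lib/modules/$(uname -r)/modules.builtin}

    # /proc/modules: the first field is the module name. Match it exactly
    # so nf_conntrack or nf_conntrack_ipv4 alone do not count.
    if awk '$1 == "nf_conntrack_ipv6" { found = 1 } END { exit !found }' \
            "$loaded_file" 2>/dev/null; then
        echo loaded
        return 0
    fi

    # modules.builtin: one path per line, ending in <module>.ko.
    if grep -Eq '(^|/)nf_conntrack_ipv6\.ko$' "$builtin_file" 2>/dev/null; then
        echo builtin
        return 0
    fi

    echo missing
    return 1
}

# Run the check on constructed sample input (not captured from a real host).
sample_check() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' \
        'nf_conntrack_ipv6 18935 4 - Live 0x0000000000000000' \
        'nf_conntrack 137239 1 nf_conntrack_ipv6, Live 0x0000000000000000' \
        > "$tmp/modules"
    : > "$tmp/builtin"
    rc=0
    conntrack6_status "$tmp/modules" "$tmp/builtin" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

sample_check
```

Calling `conntrack6_status` with no arguments on a compute node checks the live kernel; a "missing" result means the module has to be loaded before IPv6 security group rules can be validated there.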
Some additional fixes.

Bug 7952: ACLService to treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6 - https://git.opendaylight.org/gerrit/#/c/53137/
Fix ACL IPv6 flows to match on ipv6_src/ipv6_dst for remote SG - https://git.opendaylight.org/gerrit/#/c/53470/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462