Bug 1399140 - [RFE] [ODL] [IPv6] Security-Groups support with OVS conntrack
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: opendaylight
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
Target Release: 12.0 (Pike)
Assignee: Sridhar Gaddam
QA Contact: Itzik Brown
Depends On:
Blocks: 1442136 1468979 1469017
Reported: 2016-11-28 11:43 UTC by Sridhar Gaddam
Modified: 2018-10-18 07:20 UTC

Fixed In Version: opendaylight-6.0.0-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 20:52:28 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1528949 | 0 | high | CLOSED | [Netvirt][ODL] Test Neutron IPv6 tenant networking | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHEA-2017:3462 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 12.0 Enhancement Advisory | 2018-02-16 01:43:25 UTC

Internal Links: 1528949

Description Sridhar Gaddam 2016-11-28 11:43:53 UTC
Description of problem:

As a tenant, I want to be able to control what IPv6 traffic can flow in and out of my VM using standard TCP/IP characteristics, so that I can limit the applications running on it.

Comment 1 Sridhar Gaddam 2016-11-28 11:45:07 UTC
Some of the main patches that implement this functionality in Netvirt are listed below.

NetVirt patches: 
ACL Support for IPv6 IPAM: https://git.opendaylight.org/gerrit/#/c/44148/

Added Port Range and Ipv6 matches: https://git.opendaylight.org/gerrit/#/c/42889/

Bug 6623: Fix NPE in AclServiceUtils: https://git.opendaylight.org/gerrit/#/c/45063/

Fixes the SSH drop from DHCP namespace: https://git.opendaylight.org/gerrit/#/c/44876/

Mask IPv6Prefix in ACL flows: https://git.opendaylight.org/gerrit/#/c/45728/

Fixes default SG remote groups rules: https://git.opendaylight.org/gerrit/#/c/45408/

Bug 6532: Fix ACL IPv6 VM to VM communication on same network: https://git.opendaylight.org/gerrit/#/c/44690/

OVSDB Fixes: 

IPv6 support in Security Groups: https://git.opendaylight.org/gerrit/#/c/32347/

Add IPv6 SecurityGroup tests: https://git.opendaylight.org/gerrit/#/c/33717/

Comment 2 Sridhar Gaddam 2016-11-28 11:49:56 UTC
The implementation is largely complete and needs to be validated.

Important note: the nf_conntrack_ipv6 kernel module needs to be loaded for IPv6 Security Groups to work. It was seen that some distributions do not load this module by default.

One pending activity related to this use-case is to make the ACL rules more restrictive in nature (i.e., while allowing a Router Advt/DHCPv6 Server response, we have to allow traffic only from the Neutron Router port/DHCP port etc.). This activity is currently on the roadmap and will be handled in future patchsets.
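
A host check for the module prerequisite noted in Comment 2, added here as an example and not part of the bug report or the NetVirt patches. It assumes a kernel that ships nf_conntrack_ipv6 as a separate module and a systemd host for the persistence hint; `PROC_MODULES` and `MODULES_BUILTIN` are hypothetical override variables used only to run the check against captured files.

```shell
#!/bin/sh
# Added example, not from the bug report: report whether nf_conntrack_ipv6
# is available on a node. PROC_MODULES and MODULES_BUILTIN are hypothetical
# override variables so the check can run against captured files.

conntrack6_state() {
    mod="nf_conntrack_ipv6"
    proc_modules="${PROC_MODULES:-/proc/modules}"
    builtin_list="${MODULES_BUILTIN:-/lib/modules/$(uname -r)/modules.builtin}"

    # /proc/modules fields: name size refcount users state address
    if awk -v m="$mod" '$1 == m && $5 == "Live" { ok = 1 } END { exit !ok }' \
            "$proc_modules" 2>/dev/null; then
        echo loaded
    # modules.builtin lists code compiled into the kernel image
    elif grep -q "/${mod}\.ko\$" "$builtin_list" 2>/dev/null; then
        echo builtin
    else
        echo missing
    fi
}

conntrack6_report() {
    state=$(conntrack6_state)
    echo "nf_conntrack_ipv6: $state"
    if [ "$state" = missing ]; then
        # Assumption: the host uses systemd, which reads /etc/modules-load.d at boot
        echo "load now: modprobe nf_conntrack_ipv6"
        echo "persist:  echo nf_conntrack_ipv6 > /etc/modules-load.d/nf_conntrack_ipv6.conf"
    fi
}

conntrack6_report
```

A `missing` result on a compute node means IPv6 security-group flows that rely on conntrack state will not behave as intended until the module is loaded.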

Comment 6 Sridhar Gaddam 2017-06-30 15:57:11 UTC
Some additional fixes.

Bug 7952: ACLService to treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6 - https://git.opendaylight.org/gerrit/#/c/53137/

Fix ACL IPv6 flows to match on ipv6_src/ipv6_dst for remote SG - https://git.opendaylight.org/gerrit/#/c/53470/

Comment 15 errata-xmlrpc 2017-12-13 20:52:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

