Bug 1399140 - [RFE] [ODL] [IPv6] Security-Groups support with OVS conntrack
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: opendaylight
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ga
Target Release: 12.0 (Pike)
Assigned To: Sridhar Gaddam
QA Contact: Itzik Brown
Keywords: AutomationBlocker, FutureFeature, TechPreview, Triaged
Depends On:
Blocks: 1442136 1468979 1469017
Reported: 2016-11-28 06:43 EST by Sridhar Gaddam
Modified: 2018-10-18 03:20 EDT

See Also:
Fixed In Version: opendaylight-6.0.0-1.el7ost
Last Closed: 2017-12-13 15:52:28 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3462 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-15 20:43:25 EST

Description Sridhar Gaddam 2016-11-28 06:43:53 EST
Description of problem:

As a tenant, I want to be able to control what IPv6 traffic can flow in and out of my VM using standard TCP/IP characteristics, so that I can limit the applications running on it.
Comment 1 Sridhar Gaddam 2016-11-28 06:45:07 EST
Some of the main patches that implement this functionality in Netvirt are listed below.

NetVirt patches: 
ACL Support for IPv6 IPAM: https://git.opendaylight.org/gerrit/#/c/44148/

Added Port Range and Ipv6 matches: https://git.opendaylight.org/gerrit/#/c/42889/

Bug 6623: Fix NPE in AclServiceUtils: https://git.opendaylight.org/gerrit/#/c/45063/

Fixes the SSH drop from DHCP namespace: https://git.opendaylight.org/gerrit/#/c/44876/

Mask IPv6Prefix in ACL flows: https://git.opendaylight.org/gerrit/#/c/45728/

Fixes default SG remote groups rules: https://git.opendaylight.org/gerrit/#/c/45408/

Bug 6532: Fix ACL IPv6 VM to VM communication on same network: https://git.opendaylight.org/gerrit/#/c/44690/

OVSDB Fixes: 

IPv6 support in Security Groups: https://git.opendaylight.org/gerrit/#/c/32347/

Add IPv6 SecurityGroup tests: https://git.opendaylight.org/gerrit/#/c/33717/
Comment 2 Sridhar Gaddam 2016-11-28 06:49:56 EST
The implementation is largely complete and needs to be validated.

Important note: nf_conntrack_ipv6 kernel module needs to be loaded for IPv6 Security Groups to work. It was seen that some distributions do not load this module by default.

One pending activity related to this use-case is to make the ACL rules more restrictive in nature (i.e., while allowing a Router Advt/DHCPv6 Server response, we have to allow traffic only from the Neutron Router port/DHCP port etc). This activity is currently on the roadmap and will be handled in future patchsets.
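
Added example, not part of the bug report or of the OpenDaylight code: a check for the nf_conntrack_ipv6 requirement noted in Comment 2, reporting whether the module is loaded, built into the kernel, or missing on a node. The function name `conntrack6_state` and its two optional file arguments are assumptions made for this example; the defaults are the standard `/proc/modules` and `modules.builtin` locations.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether the IPv6 conntrack
# module named in Comment 2 is available to the kernel.
MODULE=nf_conntrack_ipv6

# conntrack6_state [proc_modules_file] [modules_builtin_file]
# Prints exactly one of: loaded | builtin | missing
# The file arguments default to the live system paths; passing them explicitly
# lets the check run against files collected from another node.
conntrack6_state() {
    proc_modules=${1:-/proc/modules}
    builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}

    # /proc/modules: the first whitespace-separated field is the module name.
    # Match that field only, so a name in another module's "used by" column
    # does not count.
    if [ -r "$proc_modules" ] &&
       awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"
    then
        echo loaded
    # modules.builtin: one path per line, ending in <module>.ko
    elif [ -r "$builtin_list" ] && grep -q "/${MODULE}\.ko\$" "$builtin_list"
    then
        echo builtin
    else
        echo missing
    fi
}

# Check the local node (or the files given on the command line).
case $(conntrack6_state "$@") in
    loaded|builtin)
        echo "$MODULE: available" ;;
    *)
        echo "$MODULE: not loaded"
        echo "  load now:     modprobe $MODULE"
        echo "  load at boot: echo $MODULE > /etc/modules-load.d/$MODULE.conf" ;;
esac
```

On kernels from 4.19 onward IPv6 tracking is part of nf_conntrack itself and this module name no longer exists, so `missing` is the expected result there.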
Comment 6 Sridhar Gaddam 2017-06-30 11:57:11 EDT
Some additional fixes.

Bug 7952: ACLService to treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6 - https://git.opendaylight.org/gerrit/#/c/53137/

Fix ACL IPv6 flows to match on ipv6_src/ipv6_dst for remote SG - https://git.opendaylight.org/gerrit/#/c/53470/
Comment 15 errata-xmlrpc 2017-12-13 15:52:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
