[NETVIRT-523] ACLService should treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6 - OpenDaylight JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Resolution: Done
Affects Version/s: Carbon
Fix Version/s: None
Component/s: General
Labels:
None
Environment:

Operating System: All
Platform: All

External issue ID:
7952

Description

In Neutron, "Protocol=icmp" is allowed to be configured with "Ethertype=IPv6" for backward compatibility reasons.
When such a rule is configured, Neutron IPTables Firewall Driver (i.e., reference implementation) treats this as a request for ICMPv6 [1] and configures a rule accordingly.

Currently, to validate some IPv6 scenario tests, tempest uses ping6 to check the IPv6 connectivity between VMs spawned on a network.
Before validating ping6, tempest configures a Security Group rule with ethertype='IPv6' and protocol='icmp'.
Since ACLService is not doing something similar to IPTables Firewall Driver, the IPv6 tempest scenario tests are failing.

[1] Snippet from iptables_firewall.py
def _split_sgr_by_ethertype(self, security_group_rules):
ipv4_sg_rules = []
ipv6_sg_rules = []
for rule in security_group_rules:
if rule.get('ethertype') == constants.IPv4:
ipv4_sg_rules.append(rule)
elif rule.get('ethertype') == constants.IPv6:
if rule.get('protocol') == 'icmp':
rule['protocol'] = 'ipv6-icmp'
ipv6_sg_rules.append(rule)
return ipv4_sg_rules, ipv6_sg_rules

Ref: https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L379

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Sridhar Gaddam

Reporter:: Sridhar Gaddam

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Mar/17 12:31 PM

Updated:: 03/Apr/17 9:23 PM

Resolved:: 03/Apr/17 9:23 PM