[NETVIRT-302] Make IPv6 ACL rules more restrictive in nature Created: 28/Nov/16 Updated: 03/May/18 Resolved: 19/Apr/18 |
|
| Status: | Resolved |
| Project: | netvirt |
| Component/s: | General |
| Affects Version/s: | Carbon |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Low |
| Reporter: | Sridhar Gaddam | Assignee: | Kiran Vasudeva |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Operating System: All |
||
| External issue ID: | 7252 |
| Description |
|
Currently, IPv6 ACL rules (this also applies to some IPv4 ACL rules) allow ingress DHCPv6/RA traffic as necessary. However, they do not restrict the rule to allow traffic "only" from the Neutron router interface or DHCP agent port. This bug is to bring in parity between the OpenStack and ODL implementations. |
| Comments |
| Comment by Sam Hague [ 03/Apr/17 ] |
|
Aswin, Sridhar, is this bug still valid? |
| Comment by Aswin Suryanarayanan [ 04/Apr/17 ] |
|
This is still valid; the rules do not check whether the traffic is originating from the Neutron DHCP server. |
| Comment by Sam Hague [ 05/Apr/18 ] |
|
Aswin, is this still valid? |
| Comment by Aswin Suryanarayanan [ 06/Apr/18 ] |
|
Sam, rshashidhar, is there a plan to fix this? If I remember correctly, this was postponed when there was an attempt to achieve Neutron parity on fixed rules. |
| Comment by Shashidhar R [ 09/Apr/18 ] |
|
We do not have any immediate plan to fix this issue.
|
| Comment by Kiran Vasudeva [ 19/Apr/18 ] |
|
Aswin, Sridhar, as we discussed over e-mail, since OpenStack has removed the restrictions for the Neutron router interface/DHCP agent as per https://review.openstack.org/#/c/456745/1, request you to confirm whether we can close this defect or whether it needs any fix.
|
| Comment by Aswin Suryanarayanan [ 19/Apr/18 ] |
|
When tested with the latest OpenStack version, the DHCP allow rule ingress is in parity with OpenStack. Kiran, thanks for checking it. |