[NETVIRT-523] ACLService should treat Ethertype=IPv6 and Protocol=icmp as a request for ICMPv6
Created: 10/Mar/17  Updated: 03/Apr/17  Resolved: 03/Apr/17

Status: Resolved
Project: netvirt
Component/s: General
Affects Version/s: Carbon
Fix Version/s: None

Type: Bug
Reporter: Sridhar Gaddam
Assignee: Sridhar Gaddam
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 7952

 Description   

In Neutron, "Protocol=icmp" is allowed to be configured with "Ethertype=IPv6" for backward compatibility reasons.
When such a rule is configured, the Neutron IPTables Firewall Driver (i.e., the reference implementation) treats this as a request for ICMPv6 [1] and configures a rule accordingly.

Currently, to validate some IPv6 scenario tests, tempest uses ping6 to check the IPv6 connectivity between VMs spawned on a network.
Before validating ping6, tempest configures a Security Group rule with ethertype='IPv6' and protocol='icmp'.
Since ACLService is not doing something similar to the IPTables Firewall Driver, the IPv6 tempest scenario tests are failing.

[1] Snippet from iptables_firewall.py
def _split_sgr_by_ethertype(self, security_group_rules):
    ipv4_sg_rules = []
    ipv6_sg_rules = []
    for rule in security_group_rules:
        if rule.get('ethertype') == constants.IPv4:
            ipv4_sg_rules.append(rule)
        elif rule.get('ethertype') == constants.IPv6:
            if rule.get('protocol') == 'icmp':
                rule['protocol'] = 'ipv6-icmp'
            ipv6_sg_rules.append(rule)
    return ipv4_sg_rules, ipv6_sg_rules

Ref: https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L379
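
Added example (not part of the original report, and not Neutron or netvirt code): a default-deny matcher showing why the rule tempest configures never admits ping6 unless "icmp" on an IPv6 rule is rewritten to ICMPv6 (IP protocol 58 rather than 1). The function names, the packet dictionary layout and the acceptance of 'icmpv6' as a further alias are assumptions of this example.

```python
import copy

# IANA protocol numbers; the names mirror the Neutron strings seen in the snippet.
PROTO_NUM = {'icmp': 1, 'tcp': 6, 'udp': 17, 'ipv6-icmp': 58}
# Assumption of this example: these spellings all mean ICMPv6 on an IPv6 rule.
ICMPV6_ALIASES = {'icmp', 'icmpv6', 'ipv6-icmp'}


def normalize_rule(rule):
    """Return a copy of a security group rule with 'protocol' canonicalised."""
    out = copy.deepcopy(rule)  # unlike the snippet, do not mutate the caller's rule
    if out.get('ethertype') == 'IPv6' and out.get('protocol') in ICMPV6_ALIASES:
        out['protocol'] = 'ipv6-icmp'
    return out


def rule_matches(rule, packet):
    """Match on ethertype and IP protocol / next-header number only."""
    if rule.get('ethertype') != packet['ethertype']:
        return False
    proto = rule.get('protocol')
    if proto is None:  # no protocol on the rule means any protocol
        return True
    return PROTO_NUM.get(proto) == packet['ip_proto']


def allowed(rules, packet, normalize=True):
    """Default-deny: a packet passes only if some rule matches it."""
    if normalize:
        rules = [normalize_rule(r) for r in rules]
    return any(rule_matches(r, packet) for r in rules)


# Constructed sample: the rule tempest configures, and an ICMPv6 echo request.
TEMPEST_RULE = {'ethertype': 'IPv6', 'protocol': 'icmp', 'direction': 'ingress'}
PING6 = {'ethertype': 'IPv6', 'ip_proto': 58}

if __name__ == '__main__':
    print('without normalisation:', allowed([TEMPEST_RULE], PING6, normalize=False))
    print('with normalisation:   ', allowed([TEMPEST_RULE], PING6))
```

IPv4 rules are left untouched, so an IPv4 "icmp" rule still means protocol 1 and does not admit ICMPv6.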



 Comments   
Comment by Sridhar Gaddam [ 10/Mar/17 ]

Patch: https://git.opendaylight.org/gerrit/#/c/53137/1
