Feature #4159
[PATCH] Security Groups do not support IPv6
| Status: | Closed | Start date: | 11/13/2015 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Drivers - Network | | |
| Target version: | Release 5.4 | | |
| Resolution: | fixed | Pull request: | |
Description
Security groups lack IPv6 support. Mostly this is a matter of duplicating the calls "iptables" with "ip6tables" except for the ICMP protocol which does not exist in IPv6 (ICMPv6 is a separate protocol).
Attached is a patch that implements IPv6 support for Security Groups, but does not expose this via Sunstone.
It has undergone basic testing and seems to function with IPv6 addresses -- I have not verified that there were no regressions for IPv4 however (I don't expect there to be) -- I am not sure if OpenNebula has those tests in its regression testing suite.
Associated revisions
F #4159: Make use of IPAddr class for uniform IP Management. Some
formatting. Homogenous initialization of ip-spoofing rules for ipv6 and
ipv4 (use always an ipset)
F #4159: Do not create unneeded ipsets in network sg rules
F #4159 Ported securitygroup6 patch
(cherry picked from commit 43605bedbf55d5c3b121aa3c5ff14b2a5bed49e1)
F #4159: Make use of IPAddr class for uniform IP Management. Some formatting. Homogenous initialization of ip-spoofing rules for ipv6 and ipv4 (use always an ipset)
F #4159: Do not create unneeded ipsets in network sg rules
F #4159: allow ipv6 135, 136 udp ports
Patch by Roy Keene <rkeene@knightpoint.com> from:
History
#1 Updated by Roy Keene over 5 years ago
- File opennebula-4.12.1-securitygroup6.diff added
There was an issue with "FILTER_IP_SPOOFING" and IPv6, updated patch to deal with it
#2 Updated by Roy Keene over 5 years ago
- File opennebula-4.12.1-securitygroup6.diff added
Added support for multiple IPv6 addresses per interface (GLOBAL, ULA, LINK) with anti-spoofing.
#3 Updated by Ruben S. Montero over 5 years ago
- Target version set to Release 5.0
Great Roy THANKS!!!!!! Planning this...
#4 Updated by Roy Keene over 5 years ago
- File opennebula-4.12.1-securitygroup6.diff added
- Enables IPv6 Neighbor Discovery Protocol (ARP equivalent) implicitly on all interfaces (even if they have no IPv6 address)
- Renames protocol in OpenNebula from ICMP6 to ICMPV6 to be more consistent with type (ICMPV6_TYPE) and also call ip6tables with -p icmpv6 instead of -p icmp6 (erroneous)
- Include antispoofing fix from #4257
It has not yet been tested, but these changes are a result of testing the previous patch. I'll make a note of the success after testing, or supply an updated patch.
#5 Updated by Ruben S. Montero over 5 years ago
- Tracker changed from Bug to Feature
#6 Updated by Ruben S. Montero over 5 years ago
- Category changed from Core & System to Drivers - Network
#7 Updated by Jaime Melis about 5 years ago
- Target version changed from Release 5.0 to Release 5.2
Hi... we are sorry, but we haven't been able to include this in 5.0. As we already told you we were very interested in this feature, but we would need to merge this, integrate it with our testing environment and expose these attributes in Sunstone. Given that we are running late on 5.0 we would rather postpone it one release.
Really sorry :(
#8 Updated by Jaime Melis about 5 years ago
- Tracker changed from Feature to Backlog
Hi... we are sorry, but we haven't been able to include this in 5.0. As we already told you we were very interested in this feature, but we would need to merge this, integrate it with our testing environment and expose these attributes in Sunstone. Given that we are running late on 5.0 we would rather postpone it one release.
Really sorry :(
#9 Updated by Ruben S. Montero almost 5 years ago
- Tracker changed from Backlog to Feature
- Priority changed from Normal to High
- Target version changed from Release 5.2 to Release 5.4
#10 Updated by Roy Keene over 4 years ago
Added pull request for this: https://github.com/OpenNebula/one/pull/147
#11 Updated by Ruben S. Montero over 4 years ago
Now merged in master. Needs:
- Documentation
- Update Sunstone with ICMPv6 types
- Integration tests
#12 Updated by Roy Keene over 4 years ago
- File opennebula-5.2.1-securitygroup6.diff added
There was an issue with the default network discovery rules for IPv6, each side needs to be able to send and receive ICMPv6 types 135 and 136 (neighbor solicitation request/reply) for the IPv6 equivalent of ARP (NDP) to work. This requires the following two extra rules from my first patch:
    commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 136 -j ACCEPT"
    commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 135 -j ACCEPT"
Attached is the updated patch for more context
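An added Ruby illustration (not part of this thread and not OpenNebula's driver code) of the points raised in this issue: choosing iptables or ip6tables from the address family via IPAddr, keeping ICMP and ICMPv6 apart, and accepting NDP types 135 and 136 on both chains. The helper names, the rule-hash layout and the chain names are assumptions made for the example.

```ruby
require 'ipaddr'

# Hypothetical helpers for illustration; not OpenNebula's driver code.
NDP_TYPES = [135, 136].freeze # neighbor solicitation / advertisement

# Choose the firewall binary from the address family of a CIDR string.
def fw_binary(cidr)
  IPAddr.new(cidr).ipv6? ? :ip6tables : :iptables
end

# rule is an assumed layout: { protocol:, cidr:, icmp_type: (optional) }
# direction :in matches on source (-s), :out on destination (-d).
def build_rule(chain, direction, rule)
  bin   = fw_binary(rule[:cidr])
  proto = rule[:protocol].to_s.upcase
  # ICMP does not exist in IPv6 and ICMPv6 does not exist in IPv4.
  if (proto == 'ICMP' && bin == :ip6tables) ||
     (proto == 'ICMPV6' && bin == :iptables)
    raise ArgumentError, "#{proto} rule does not match family of #{rule[:cidr]}"
  end
  parts = ["-A #{chain}", (direction == :in ? '-s' : '-d'), rule[:cidr]]
  case proto
  when 'ICMP'
    parts << '-p icmp'
    parts << "--icmp-type #{rule[:icmp_type]}" if rule[:icmp_type]
  when 'ICMPV6'
    parts << '-p icmpv6' # protocol name used with ip6tables in comment #4
    parts << "--icmpv6-type #{rule[:icmp_type]}" if rule[:icmp_type]
  else
    parts << "-p #{proto.downcase}"
  end
  [bin, (parts << '-j ACCEPT').join(' ')]
end

# NDP needs types 135 and 136 accepted in both directions.
def ndp_rules(chain_in, chain_out)
  [chain_in, chain_out].product(NDP_TYPES).map do |chain, type|
    [:ip6tables, "-A #{chain} -p icmpv6 --icmpv6-type #{type} -j ACCEPT"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed chain names and address ranges.
  rules = ndp_rules('one-3-0-i', 'one-3-0-o')
  rules << build_rule('one-3-0-i', :in, { protocol: 'ICMPV6', cidr: 'fd00::/8', icmp_type: 128 })
  rules << build_rule('one-3-0-i', :in, { protocol: 'TCP', cidr: '10.0.0.0/8' })
  rules.each { |bin, args| puts "#{bin} #{args}" }
end
```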
#13 Updated by Ruben S. Montero about 4 years ago
- Status changed from Pending to Closed
- Resolution set to fixed