[openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group

Xuhan Peng pengxuhan at gmail.com
Mon Mar 3 13:39:42 UTC 2014


I created a new blueprint [1], which was triggered by the requirement to
allow an IPv6 Router Advertisement security group rule on the compute node
in my ongoing code review [2].

Currently, only security group rule direction, protocol, ethertype and port
range are supported by the Neutron security group rule data structure. To
allow Router Advertisements coming from the network node or provider network
to a VM on a compute node, we need to specify the ICMP type to only allow RA
from known hosts (the network node's dnsmasq-bound IP or a known provider
gateway).

To implement this and make the implementation extensible, maybe we can add
an additional table named "SecurityGroupRuleData" with Key, Value and ID in
it. For ICMP type RA filter, we can add key="icmp-type" value="134", and
security group rule to the table. When other ICMP type filters are needed,
similar records can be stored. This table can also be used for other
firewall rule key values.
An API change is also needed.

Please let me know your comments about this blueprint.

[1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
[2] https://review.openstack.org/#/c/72252/

Thank you!
Xuhan Peng
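
The key/value table proposed in the message above, sketched as an added example that is not part of the original post or of Neutron's code. The column names, the `icmpv6` protocol string, the rule ID and the link-local addresses are all assumptions constructed for illustration; only the `icmp-type` key and the value `134` come from the message.

```python
import ipaddress
import sqlite3

ICMPV6_RA = 134  # Router Advertisement, the value named in the message

def build_db():
    """Base rule table plus the proposed side table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE securitygrouprules (
            id TEXT PRIMARY KEY, direction TEXT, ethertype TEXT,
            protocol TEXT, remote_ip_prefix TEXT);
        CREATE TABLE securitygroupruledata (
            id INTEGER PRIMARY KEY,
            rule_id TEXT REFERENCES securitygrouprules(id),
            key TEXT, value TEXT);
    """)
    return db

def add_ra_rule(db, rule_id, source_prefix):
    """Allow ingress RA only from one known router address or prefix."""
    db.execute("INSERT INTO securitygrouprules VALUES (?,?,?,?,?)",
               (rule_id, "ingress", "IPv6", "icmpv6", source_prefix))
    db.execute("INSERT INTO securitygroupruledata (rule_id, key, value) "
               "VALUES (?,?,?)", (rule_id, "icmp-type", str(ICMPV6_RA)))

def ingress_icmpv6_allowed(db, src_ip, icmp_type):
    """Default deny: accept only if a rule matches source and icmp-type."""
    rows = db.execute("""
        SELECT r.remote_ip_prefix, d.value
        FROM securitygrouprules r
        LEFT JOIN securitygroupruledata d
               ON d.rule_id = r.id AND d.key = 'icmp-type'
        WHERE r.direction = 'ingress' AND r.ethertype = 'IPv6'
          AND r.protocol = 'icmpv6'
    """).fetchall()
    src = ipaddress.ip_address(src_ip)
    for prefix, wanted_type in rows:
        if src not in ipaddress.ip_network(prefix):
            continue  # sender is not a known router for this rule
        # A rule with no icmp-type row matches any ICMPv6 type.
        if wanted_type is None or int(wanted_type) == icmp_type:
            return True
    return False
```

With a single rule for the known router, an RA from any other link-local sender is rejected, and so is a non-RA ICMPv6 type from the router itself.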