[openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group

Akihiro Motoki amotoki at gmail.com
Fri Mar 7 05:00:23 UTC 2014


I wonder why RA needs to be exposed by security group API.
Does a user need to configure security group to allow IPv6 RA? or
should it be allowed in infra side?

In the current implementation DHCP packets are allowed by provider
rule (which is hardcoded in neutron code now).
I think the role of IPv6 RA is similar to DHCP in IPv4. If so, we
don't need to expose RA in security group API.
Am I missing something?

Thanks,
Akihiro

On Mon, Mar 3, 2014 at 10:39 PM, Xuhan Peng <pengxuhan at gmail.com> wrote:
> I created a new blueprint [1] which is triggered by the requirement to allow
> IPv6 Router Advertisement security group rule on compute node in my on-going
> code review [2].
>
> Currently, only security group rule direction, protocol, ethertype and port
> range are supported by neutron security group rule data structure. To allow
> Router Advertisement coming from network node or provider network to VM on
> compute node, we need to specify ICMP type to only allow RA from known hosts
> (network node dnsmasq binded IP or known provider gateway).
>
> To implement this and make the implementation extensible, maybe we can add
> an additional table name "SecurityGroupRuleData" with Key, Value and ID in
> it. For ICMP type RA filter, we can add key="icmp-type" value="134", and
> security group rule to the table. When other ICMP type filters are needed,
> similar records can be stored. This table can also be used for other
> firewall rule key values.
> API change is also needed.
>
> Please let me know your comments about this blueprint.
>
> [1]
> https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
> [2] https://review.openstack.org/#/c/72252/
>
> Thank you!
> Xuhan Peng
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



More information about the OpenStack-dev mailing list