IPv4 Link Local Addresses Not Supported in OVS firewall

Bug #1649581 reported by Drew Thorstensen
This bug affects 1 person
Affects: neutron
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

There are certain workloads that require the ability to define IPv4 Link Local addresses dynamically, as defined in RFC3927.

The openvswitch_firewall service allows for IPv6 link local addresses (likely because they are deterministic), but does not account for IPv4 Link Local addresses. Without support of this, workloads that have not yet made the transition to IPv6 support won't be able to run with the openvswitch_firewall.

Miguel Lavalle (minsel)
tags: added: rfe vpnaas
Changed in neutron:
importance: Undecided → Wishlist
tags: added: fwaas
removed: vpnaas
Miguel Lavalle (minsel)
Changed in neutron:
status: New → Incomplete
importance: Wishlist → Undecided
Miguel Lavalle (minsel) wrote :

@Drew,

I checked with a member of the FWaaS team (https://github.com/openstack/neutron-fwaas). This firewall is iptables based, not ovs. Are you referring to Neutron security groups?

Drew Thorstensen (thorst) wrote :

@Miguel,

I'm referring to this component: https://github.com/openstack/neutron/blob/master/neutron/agent/linux/openvswitch_firewall/firewall.py

My team actually has a patch that we're working on to propose up.

Ravi Kumar Kota (ravkota3) wrote :

@Miguel, I am going to propose a patch for this.

Changed in neutron:
assignee: nobody → Ravi Kumar Kota (ravkota3)
Changed in neutron:
status: Incomplete → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
importance: Undecided → Medium
tags: added: ovs-fw
removed: fwaas
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/462920

Armando Migliaccio (armando-migliaccio) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Ravi Kumar Kota (ravkota3) → nobody
status: In Progress → New
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/462920
Reason: This review is > 4 weeks without comment and currently blocked by a core reviewer with a -2. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and contacting the reviewer with the -2 on this review to ensure you address their concerns.

YAMAMOTO Takashi (yamamoto) wrote :

If you mean the OpenFlow implementation and the iptables implementation behave differently, it sounds like a normal bug, rather than an RFE.
Otherwise, I'm not sure what's wrong with allowed address pairs.
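
An added example, not part of the bug report or of neutron's code: it shows why a per-port source filter can precompute the IPv6 link-local address from the port's MAC, while an RFC 3927 IPv4 link-local address is chosen by the guest and only passes if a range is allowed explicitly. The filter function, the sample MAC and addresses, and the `allowed_cidrs` parameter (standing in for allowed address pairs) are assumptions made for illustration.

```python
import ipaddress

# RFC 3927: the whole block is 169.254.0.0/16, but hosts may only pick from
# 169.254.1.0 through 169.254.254.255 (first and last /24 are reserved).
V4_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def ipv6_link_local_from_mac(mac):
    """Modified EUI-64 link-local address (RFC 4291): a pure function of the MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def is_usable_ipv4_link_local(addr):
    """True if addr is one a host may self-assign under RFC 3927."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in V4_LINK_LOCAL:
        return False
    return 1 <= ip.packed[2] <= 254


def build_source_filter(mac, fixed_ips, allowed_cidrs=()):
    """Hypothetical per-port anti-spoofing check (not neutron code).

    allowed_cidrs stands in for operator-supplied allowed address pairs.
    """
    exact = {ipaddress.ip_address(a) for a in fixed_ips}
    exact.add(ipv6_link_local_from_mac(mac))  # known before the guest boots
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]

    def permit(src):
        ip = ipaddress.ip_address(src)
        return ip in exact or any(ip.version == n.version and ip in n for n in nets)

    return permit


if __name__ == "__main__":
    mac = "fa:16:3e:12:34:56"  # constructed sample MAC
    strict = build_source_filter(mac, ["10.0.0.5"])
    paired = build_source_filter(mac, ["10.0.0.5"], ["169.254.0.0/16"])
    for src in ("10.0.0.5", "fe80::f816:3eff:fe12:3456", "169.254.10.20"):
        print(src, "strict:", strict(src), "with pair:", paired(src))
```

Allowing all of 169.254.0.0/16 on a port also lets that port source any address in the range, so the range is best kept as narrow as the workload permits.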

Changed in neutron:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired