Creation of ICMPV6 rule through horizon is treating as invalid packet

Fix proposed to branch: master
Review: https://review.openstack.org/473481

Please note that users have always been able to create ICMPV6 rules by selecting "Other protocol" and specifying the "IP protocol" field value as "58".

The neutron security group allows 'icmp' for both IPv4 and IPv6. We can distinguish IPv4 and IPv6 based on 'ethertype' field.
You specify ethertype == IPv6 and protocol 'icmp', but IPv6 ICMP is not allowed, it should be a bug in neutron.
As my hat of neutron team, we didn't change the behavior (at least it is not intentional).

I don't think it is a horizon bug.

I added neutron as affected project.

I created a new security group named 'sg1' and then add a new rule by selecting "All ICMP" and specifying "::/0" as CIDR.
After that I see the following security group rules: http://paste.openstack.org/show/612436/

In the neutron API, we consider 'icmp' protocol with 'IPv6' ethertype as ICMPv6 packets (from the beginning) and in my understanding we haven't changed the behavior. I think it is a bug in neutron (if true). I haven't tried to reproduce it though.

@mahesh
What happens if you create a security group rule with protocol icmp from CLI?
I would like to clarify this is a neutron issue or horizon side.

neutron security-group-rule-create --protocol icmp --direction egress --ethertype IPv6 SG1
neutron security-group-rule-create --protocol icmp --direction ingress --ethertype IPv6 SG1

As the design of neutron API, it should work in the same way as when specifying --protocol icmpv6 or --protocol ipv6-icmp.

Well, if you do the equivalent of "neutron security-group-rule-create --protocol icmp --direction ingress --ethertype IPv6 SG1" from Horizon, the ip_protocol ends up being set to "icmp". However, if you do "neutron security-group-rule-create --protocol 58 --direction ingress --ethertype IPv6 SG1" (using the "custom protocol" option, you get the correct ip_protocol set to "icmpv6".

@amatoki
This:
neutron security-group-rule-create --protocol icmp --direction egress --ethertype IPv6 SG1

Results in this being displayed by Horizon:

    Direction Ether Type IP Protocol Port Range Remote IP Prefix
    Egress IPv6 ICMP Any ::/0

Whereas this:

neutron security-group-rule-create --protocol icmpv6 --direction egress --ethertype IPv6 SG1

Results in a separate rule being added, reading:

    Direction Ether Type IP Protocol Port Range Remote IP Prefix
    Egress IPv6 ICMP Any ::/0
    Egress IPv6 ICMPV6 Any ::/0

Note, that if I try this:

neutron security-group-rule-create --protocol 58 --direction egress --ethertype IPv6 SG1

I get this error:

Security group rule already exists. Rule id is 4d125465-cbfa-4716-980b-fa2b85361243.

Which points to the ICMPV6 rule.

We are tracking a fix the neutron server with bug https://bugs.launchpad.net/neutron/+bug/1582500

When complete, the API will only accept 'ipv6-icmp' for IPv6 rules like this, and complain if either 'icmpv6' or 'icmp' is used. Horizon could start using that today to be consistent.

Akihiro,

Sorry for delay response :

looks like its neutron issues and after creating icmp rule from horizon and getting the following flow update in
neutron CLI prompt :

In CLI , getting the following output:
                                                         |
| | | ingress, IPv6, icmp, remote_ip_prefix: ::/0

but issue is occurring, when you send icmpv6 packets, security group is dropping the packet as invalid since flows are creating as icmpv6 but not as icmp.

BRs,
Mahesh Loni

@mahesh,
sorry for late response. Precisely neutron should allow ICMPv6 packets if ethertype IPv6 and protocol ICMP is specified. This is the original intention and if the neutron behavior was changed somehow it should be fixed. The reason ICMPv6 was introduced is because ICMPv6 has a different type from ICMPv4, but the original behavior should be kept.

Summarizing the current situation....

there are two separate issues around this bug:

(1) In horizon side, ICMP with ethertype IPv6 actually does not work expectedly as reported here. It sounds reasonable to change the protocol type to 'ipv6-icmp' (or 'icmpv6' ) when ICMP is requested for IPv6 packets. If it addresses the problem reported here, it really sounds nice.

(2) neutron defines three variants for ICMPv6: icmp (with IPv6 ethertype), icmpv6, ipv6-icmp, and integer 58. 'ipv6-icmp' will be used as the standard one (as mentioned in #9). All variants should be handled equally and this is being tackled as bug 1582500.

Thus, I think this bug should focus on (1) and neutron is not related.
(2) should be tackled as part of bug 1582500.

On (2), neutron is still related. My previous comment was not correct on this point.

Reviewed: https://review.opendev.org/473481
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=d5dcf1be93d9bb26bda7b375e41f03dd297888bb
Submitter: Zuul
Branch: master

commit d5dcf1be93d9bb26bda7b375e41f03dd297888bb
Author: Radomir Dopieralski <email address hidden>
Date: Mon Jun 12 16:23:54 2017 +0200

    Allow creating ICMPV6 rules

    Right now, even if we specify a ::/0 (or other IPv6) CIDR in an
    ICMP rule, Horizon sets 'icmp' as the ip_protocol of that rule but
    neutron expects 'ipv6-icmp' which is the right ip_protocol for ICMPv6.
    This results in that rule never matching anything.

    This change makes Horizon set the ip_protocol to ipv6-icmp when
    the CIDR is an IPv6 one, and icmp when it's IPv4.

    Co-Authored-By: Akihiro Motoki <email address hidden>
    Change-Id: I1f68e1e5a3e073e38ac258de5ed9c43f8acb04e9
    Closes-Bug: #1652619

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/678680

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/678681

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/678682

Reviewed: https://review.opendev.org/678680
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4debec8524c81b85fd44d054c1b99c2109c6e17f
Submitter: Zuul
Branch: stable/stein

commit 4debec8524c81b85fd44d054c1b99c2109c6e17f
Author: Radomir Dopieralski <email address hidden>
Date: Mon Jun 12 16:23:54 2017 +0200

    Allow creating ICMPV6 rules

    Right now, even if we specify a ::/0 (or other IPv6) CIDR in an
    ICMP rule, Horizon sets 'icmp' as the ip_protocol of that rule but
    neutron expects 'ipv6-icmp' which is the right ip_protocol for ICMPv6.
    This results in that rule never matching anything.

    This change makes Horizon set the ip_protocol to ipv6-icmp when
    the CIDR is an IPv6 one, and icmp when it's IPv4.

    Co-Authored-By: Akihiro Motoki <email address hidden>
    Change-Id: I1f68e1e5a3e073e38ac258de5ed9c43f8acb04e9
    Closes-Bug: #1652619
    (cherry picked from commit d5dcf1be93d9bb26bda7b375e41f03dd297888bb)

This issue was fixed in the openstack/horizon 16.0.0.0b2 development milestone.

Reviewed: https://review.opendev.org/678681
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=7a5ed4b688c7f69ce63ef600611947e08e14bcd0
Submitter: Zuul
Branch: stable/rocky

commit 7a5ed4b688c7f69ce63ef600611947e08e14bcd0
Author: Radomir Dopieralski <email address hidden>
Date: Mon Jun 12 16:23:54 2017 +0200

    Allow creating ICMPV6 rules

    Right now, even if we specify a ::/0 (or other IPv6) CIDR in an
    ICMP rule, Horizon sets 'icmp' as the ip_protocol of that rule but
    neutron expects 'ipv6-icmp' which is the right ip_protocol for ICMPv6.
    This results in that rule never matching anything.

    This change makes Horizon set the ip_protocol to ipv6-icmp when
    the CIDR is an IPv6 one, and icmp when it's IPv4.

    Co-Authored-By: Akihiro Motoki <email address hidden>
    Change-Id: I1f68e1e5a3e073e38ac258de5ed9c43f8acb04e9
    Closes-Bug: #1652619
    (cherry picked from commit d5dcf1be93d9bb26bda7b375e41f03dd297888bb)

Reviewed: https://review.opendev.org/678682
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=bc2edc2e0cb776a8c53deea12c6d74b84fa47a99
Submitter: Zuul
Branch: stable/queens

commit bc2edc2e0cb776a8c53deea12c6d74b84fa47a99
Author: Radomir Dopieralski <email address hidden>
Date: Mon Jun 12 16:23:54 2017 +0200

    Allow creating ICMPV6 rules

    Right now, even if we specify a ::/0 (or other IPv6) CIDR in an
    ICMP rule, Horizon sets 'icmp' as the ip_protocol of that rule but
    neutron expects 'ipv6-icmp' which is the right ip_protocol for ICMPv6.
    This results in that rule never matching anything.

    This change makes Horizon set the ip_protocol to ipv6-icmp when
    the CIDR is an IPv6 one, and icmp when it's IPv4.

    Co-Authored-By: Akihiro Motoki <email address hidden>
    Change-Id: I1f68e1e5a3e073e38ac258de5ed9c43f8acb04e9
    Closes-Bug: #1652619
    (cherry picked from commit d5dcf1be93d9bb26bda7b375e41f03dd297888bb)
    (cherry picked from commit 7a5ed4b688c7f69ce63ef600611947e08e14bcd0)

This issue was fixed in the openstack/horizon 13.0.3 release.

This issue was fixed in the openstack/horizon 14.0.4 release.

This issue was fixed in the openstack/horizon 15.1.1 release.