Bug 1365874 - [RFE] [ODL] [RHEL 7.3] IPv4 security-groups support with OVS conntrack
Summary: [RFE] [ODL] [RHEL 7.3] IPv4 security-groups support with OVS conntrack
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: opendaylight
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: 10.0 (Newton)
Assignee: Aswin Suryanarayanan
QA Contact: Itzik Brown
Depends On:
Reported: 2016-08-10 11:52 UTC by Nir Yechiel
Modified: 2018-10-18 07:18 UTC (History)
Fixed In Version: opendaylight-5.2.0-2.el7ost
Doc Type: Enhancement
Doc Text:
Red Hat OpenDaylight now supports tenant-configurable security groups for IPv4 traffic. In the default setting, each tenant uses a security group that allows communication among instances associated with that group. Consequently, all egress traffic within the security group is allowed, while the ingress traffic from the outside is dropped.
Clone Of:
Last Closed: 2017-02-27 15:12:26 UTC
Target Upstream Version:


External tracker: Red Hat Product Errata RHEA-2017:0326, priority normal, status SHIPPED_LIVE, "opendaylight enhancement advisory", last updated 2017-02-27 20:12:03 UTC

Description Nir Yechiel 2016-08-10 11:52:35 UTC
Description of problem:

As a tenant, I want to be able to control what traffic can flow in and out my VM using standard TCP/IP characteristics, so that I can limit the applications running on it.

Comment 2 Nir Yechiel 2016-08-17 11:34:43 UTC
Upstream gerrit:

Comment 3 Aswin Suryanarayanan 2016-08-17 11:51:37 UTC
1) IETF YANG added in MDSAL project

2) Added support for fixed security group.
 a) Added DHCP and ARP rules
 b) Added default connection tracking rules.

3) AclService custom security group
 a) TCP, UDP, ICMP and other protocol support added
 b) IETF ACL to flow converter added.

4) Added port range and IPv6 matches
 a) Added port range match using Nicira extension.
 b) Added IPv6 source and destination matches

5) ACL ingress/egress service bindings (integration with Genius)
 a) ACL ingress/egress service binding implementation is done, but currently the calls to bind/unbind services are commented out. This should be uncommented once ACL-related flow programming is complete.
 b) Service priorities have been updated for L3VPN and ELAN. Added table miss entries for both ingress and egress ACL tables during node up.

6) Neutron VPNListener changes
 a) Added security rule listener to handle conversion from security rule to ACL model

7) Support for interface update and ACL update
 a) Handled interface update (security group added/deleted, port security flag enable/disable)
 b) Handled ACL update (security rule is added/deleted from security group)

8) Support ACE (security rule) add/remove in egress/ingress service

9) Changes to support RemoteSecurityGroup
 a) Handled remote security group for interface add/delete, interface update (SG add/delete and AllowedAddressPair add/delete) and SG update (SR add/delete)

10) Security group: allowed address pair changes
 a) Updated Neutron port listener to pass Neutron port's MAC + fixed IPs as allowed address pairs to ACL service
 b) Moved all SG utility methods to NeutronvpnUtils

11) ACL: updated to cache interface/interface state details
 a) Updated to cache only required interface/interface state details in AclInterface object
 b) AclInterface object is now used as reference in all listeners for programming ACL flows instead of Interface/Interface State object from config/operational DS
 c) Resolved NullPointerException observed while ACL flows were deleted: updated AclDataUtil to use UUID of SG everywhere instead of SG name

12) Code optimization for cluster environment
 a) Handle to execute code only from one of the cluster nodes.
 b) Handle local cache updates in all the cluster nodes.
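As an added illustration of items 2b, 3b and 4a in the comment above (example code written for this page, not OpenDaylight's AclService), the following Python shows how an IPv4 security-group rule and the default conntrack skeleton map to OVS flows, including the Nicira port-range masks. Table numbers, priorities, the conntrack zone and the exact ovs-ofctl strings are assumptions, not the project's actual values.

```python
from typing import List, Tuple

def port_range_to_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Split an inclusive L4 port range into (value, mask) pairs, each covering
    one aligned contiguous block of ports; this is the form that the Nicira
    extension match tp_dst=VALUE/MASK needs, one flow per pair."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("bad port range")
    pairs = []
    while lo <= hi:
        size = 1  # grow the block while it stays aligned and inside the range
        while size < 0x10000 and lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs

def rule_to_flows(direction: str, proto: str, port_min: int, port_max: int,
                  remote_cidr: str, table: int, next_table: int, zone: int) -> List[str]:
    """Render one IPv4 security-group rule as ovs-ofctl flow strings (assumed
    layout). A packet that opens a new connection and matches the rule is
    committed to conntrack, so its replies are later passed by the
    established/related entries from default_sg_flows()."""
    # Ingress rules constrain the packet's source, egress rules its destination.
    peer = "nw_src" if direction == "ingress" else "nw_dst"
    match = f"table={table},priority=1000,ct_state=+trk+new,{proto},{peer}={remote_cidr}"
    action = f"actions=ct(commit,zone={zone}),resubmit(,{next_table})"
    if proto not in ("tcp", "udp"):   # icmp or "ip,nw_proto=N": no port match
        return [f"{match} {action}"]
    return [f"{match},tp_dst={val}/{mask:#06x} {action}"
            for val, mask in port_range_to_masks(port_min, port_max)]

def default_sg_flows(table: int, next_table: int, zone: int, allow_by_default: bool) -> List[str]:
    """Conntrack skeleton of an ACL table: untracked packets are run through
    conntrack, established/related ones skip the rule flows, invalid ones are
    dropped, and the table-miss entry decides the default (the page's default
    group allows egress but drops ingress, hence allow_by_default)."""
    miss = f"resubmit(,{next_table})" if allow_by_default else "drop"
    return [
        f"table={table},priority=65000,ct_state=-trk,ip actions=ct(table={table},zone={zone})",
        f"table={table},priority=62000,ct_state=+trk+est,ip actions=resubmit(,{next_table})",
        f"table={table},priority=62000,ct_state=+trk+rel,ip actions=resubmit(,{next_table})",
        f"table={table},priority=62000,ct_state=+trk+inv,ip actions=drop",
        f"table={table},priority=0 actions={miss}",
    ]
```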

Comment 4 Nir Yechiel 2016-09-22 11:32:27 UTC
Boron SR1 won't be available on time for RHOSP 10 GA - this will be shipped as an update in a point release, post RHOSP 10 GA.

Comment 12 Itzik Brown 2017-02-21 06:26:40 UTC

Comment 14 errata-xmlrpc 2017-02-27 15:12:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
