cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-676) Firewall / ACL support for ipv6
Date Fri, 27 Jan 2017 00:14:25 GMT


ASF subversion and git services commented on CLOUDSTACK-676:

Commit 84e496b4f9d06915fb07e3da330ca270e1e56ec2 in cloudstack's branch refs/heads/master from
[;h=84e496b ]

CLOUDSTACK-676: IPv6 Basic Security Grouping for KVM

This commit implements basic Security Grouping for KVM in
Basic Networking.

It does not implement full Security Grouping yet, but it does:
- Prevent IP-Address source spoofing
- Allow DHCPv6 clients, but disallow DHCPv6 servers
- Disallow Instances to send out Router Advertisements

The Security Grouping allows ICMPv6 packets as described by RFC4890
as they are essential for IPv6 connectivity.

Following RFC4890 it allows:
- Router Solicitations
- Router Advertisements (incoming only)
- Neighbor Advertisements
- Neighbor Solicitations
- Packet Too Big
- Time Exceeded
- Destination Unreachable
- Parameter Problem
- Echo Request

ICMPv6 is an essential part of IPv6, without it connectivity will break or be very

For now it allows any UDP and TCP packet to be sent in to the Instance which
effectively opens up the firewall completely.

Future commits will implement Security Grouping further which allows controlling UDP and TCP
ports for IPv6 as can be done with IPv4.

Regardless of the egress filtering (which can't be done yet) it will always allow outbound
to port 53 over UDP or TCP.

Signed-off-by: Wido den Hollander <>

> Firewall / ACL support for ipv6
> -------------------------------
>                 Key: CLOUDSTACK-676
>                 URL:
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Chiradeep Vittal
>            Assignee: Wido den Hollander
>             Fix For: Future
> An ability to specify a firewall / ACL rule set for a subnet which has instances with ipv6 addresses. The implementation can be at the VR level, at the hypervisor level or in an external firewall

This message was sent by Atlassian JIRA
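
The filtering policy described in the commit message above, modelled as a packet decision function. This is an added example, not code from the CloudStack commit; the Packet class, decide() and the sample addresses are hypothetical. It assumes egress is filtered only by the three rules the message states (source spoofing, Router Advertisements, DHCPv6 server traffic) and that the ICMPv6 list is applied to inbound packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 type numbers (RFC 4443 / RFC 4861) for the messages the commit lists.
ALLOWED_ICMPV6_IN = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 133: "Router Solicitation",
    134: "Router Advertisement", 135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}
ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT = 547  # servers send from 547; clients send from 546

@dataclass
class Packet:  # hypothetical, simplified view of one IPv6 packet
    direction: str            # "in" (to the Instance) or "out" (from it)
    src: str
    proto: str                # "icmpv6", "udp" or "tcp"
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

def decide(pkt, instance_addrs):
    """Return (verdict, reason) for pkt under the modelled policy."""
    if pkt.direction == "out":
        # Compare parsed addresses so different spellings of one address match.
        owned = {ipaddress.IPv6Address(a) for a in instance_addrs}
        if ipaddress.IPv6Address(pkt.src) not in owned:
            return "DROP", "spoofed source address"
        if pkt.proto == "icmpv6" and pkt.icmp_type == ROUTER_ADVERTISEMENT:
            return "DROP", "Instance may not send Router Advertisements"
        if pkt.proto == "udp" and pkt.sport == DHCPV6_SERVER_PORT:
            return "DROP", "Instance may not act as a DHCPv6 server"
        return "ACCEPT", "egress not filtered further"  # assumption, see lead-in
    if pkt.proto == "icmpv6":
        if pkt.icmp_type in ALLOWED_ICMPV6_IN:
            return "ACCEPT", ALLOWED_ICMPV6_IN[pkt.icmp_type]
        return "DROP", "ICMPv6 type not in the allowed list"
    if pkt.proto in ("udp", "tcp"):
        return "ACCEPT", "all inbound UDP/TCP is currently allowed"
    return "DROP", "unhandled protocol"

if __name__ == "__main__":  # constructed sample packets and addresses
    addrs = ["2001:db8::10", "fe80::10"]
    for p in (Packet("out", "2001:db8::bad", "tcp", dport=80),
              Packet("in", "fe80::1", "icmpv6", icmp_type=134)):
        print(p.direction, p.proto, decide(p, addrs))
```

The last inbound branch makes the open state the message describes visible: every inbound UDP or TCP packet is accepted regardless of port.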
