cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-676) Firewall / ACL support for ipv6
Date Fri, 27 Jan 2017 00:14:25 GMT


ASF subversion and git services commented on CLOUDSTACK-676:

Commit f10c8bfe0c99a762c2606459413a47219614e775 in cloudstack's branch refs/heads/master from
[;h=f10c8bf ]

Merge pull request #1700 from wido/ipv6-basic-networking

CLOUDSTACK-9359: IPv6 for Basic NetworkingThis PR is a proposal for adding very basic IPv6
to Basic Networking. The main goal of this PR is that the API returns a valid IPv6 address
over which the Instance is reachable.

The GUI will show the IPv6 address after deployment of the Instance.

![screenshot from 2016-10-03 16 34 56](

If the table VLAN has a proper IPv6 CIDR configured the DirectPodBasedNetworkGuru will calculate
the IPv6 Address the Instance will obtain using EUI-64 and SLAAC:

In this case the _vlan_ table contained:

<pre>mysql> select * from vlan \G
*************************** 1. row ***************************
                 id: 1
               uuid: 90e0716c-5261-4992-bb9d-0afd3006f476
            vlan_id: vlan://untagged
          vlan_type: DirectAttached
     data_center_id: 1
         network_id: 204
physical_network_id: 200
        ip6_gateway: 2001:980:7936:112::1
           ip6_cidr: 2001:980:7936:112::/64
          ip6_range: NULL
            removed: NULL
            created: 2016-07-19 20:39:41
1 row in set (0.00 sec)


It will then log:

<pre>2016-10-04 11:42:44,998 DEBUG [c.c.n.g.DirectPodBasedNetworkGuru] (Work-Job-Executor-1:ctx-1975ec54
job-186/job-187 ctx-0d967d88) (logid:275c4961) Found IPv6 CIDR 2001:980:7936:112::/64 for
2016-10-04 11:42:45,009 INFO  [c.c.n.g.DirectPodBasedNetworkGuru] (Work-Job-Executor-1:ctx-1975ec54
job-186/job-187 ctx-0d967d88) (logid:275c4961) Calculated IPv6 address 2001:980:7936:112:4ba:80ff:fe00:e9
using EUI-64 for NIC 6a05deab-b5d9-4116-80da-c94b48333e5e</pre>

The template has to be configured accordingly:
- No IPv6 Privacy Extensions
- Follow RFC4862

This is also described in:

The next steps after this will be:
- Security Grouping to prevent IPv6 Address Spoofing
- Security Grouping to filter ICMP, UDP and TCP traffic

* pr/1700:
  CLOUDSTACK-676: IPv6 In -and Egress filtering for Basic Networking
  CLOUDSTACK-676: IPv6 Basic Security Grouping for KVM
  CLOUDSTACK-9359: IPv6 for Basic Networking with KVM

Signed-off-by: Rajani Karuturi <>

> Firewall / ACL support for ipv6
> -------------------------------
>                 Key: CLOUDSTACK-676
>                 URL:
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Chiradeep Vittal
>            Assignee: Wido den Hollander
>             Fix For: Future
> An ability to specify a firewall / ACL rule set for a subnet which has instances with
ipv6 addresses. The implementation can be at the VR level, at the hypervisor level or in an
external firewall

This message was sent by Atlassian JIRA

View raw message