This is an automated email from the ASF dual-hosted git repository.

bhaisaab pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/master by this push:
     new 990e4a6  ipv6: Allow all ICMPv6 traffic if -1 is provided as a ICMP 
type
990e4a6 is described below

commit 990e4a6e4053c4d2bbdf7269068ee7feea930a08
Author: Wido den Hollander <[email protected]>
AuthorDate: Wed Apr 12 15:02:30 2017 +0200

    ipv6: Allow all ICMPv6 traffic if -1 is provided as a ICMP type
    
    ip6tables no longer takes '--icmpv6-type any' as a argument.
    
    To allow all ICMPv6 traffic with ip6tables it has to be invoked this way:
    
      $ ip6tables -I i-2-14-VM -p icmpv6 -s ::/0 -j ACCEPT
    
    All ICMPv6 traffic is now allowed into the Instance.
    
    Signed-off-by: Wido den Hollander <[email protected]>
---
 scripts/vm/network/security_group.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/vm/network/security_group.py 
b/scripts/vm/network/security_group.py
index d95e35d..9e3eeb0 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -1052,7 +1052,11 @@ def add_network_rules(vm_name, vm_id, vm_ip, vm_ip6, 
signature, seqno, vmMac, ru
             elif 'icmp' != protocol:
                 execute('ip6tables -I ' + vmchain + ' -p ' + protocol + ' -m ' 
+ protocol + ' --dport ' + range + ' -m state --state NEW ' + direction + ' ' + 
ip + ' -j ' + action)
             else:
-                execute('ip6tables -I ' + vmchain + ' -p icmpv6 --icmpv6-type 
' + range + ' ' + direction + ' ' + ip + ' -j ' + action)
+                # ip6tables does not allow '--icmpv6-type any', allowing all 
ICMPv6 is done by not allowing a specific type
+                if range == 'any':
+                    execute('ip6tables -I ' + vmchain + ' -p icmpv6 ' + 
direction + ' ' + ip + ' -j ' + action)
+                else:
+                    execute('ip6tables -I ' + vmchain + ' -p icmpv6 
--icmpv6-type ' + range + ' ' + direction + ' ' + ip + ' -j ' + action)
 
     egress_vmchain = egress_chain_name(vm_name)
     if egressrule_v4 == 0 :
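Review bot: In the `else` branch under the new `if range == 'any'` check, `range` is still concatenated straight after `--icmpv6-type` with no check that it is a numeric type or type/code, and `ip`, `direction` and `action` are concatenated into both new commands the same way. execute() is defined outside this hunk; if it hands the string to a shell, a malformed rule value would alter the command instead of simply failing, so I would validate first, e.g. `if not re.match(r'^\d{1,3}(/\d{1,3})?$', range): raise ValueError('bad ICMPv6 type: ' + range)` (assuming `re` is importable in this file). The added comment also reads backwards; suggest `# ip6tables rejects '--icmpv6-type any'; omit the type match to accept every ICMPv6 type`. The mapping from -1 to 'any' and the rest of add_network_rules lie outside the hunk, so confirm that 'any' is the only non-numeric value that can reach this branch.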
