From ba7ec8865049794dc5a0c8beddfcd43de497c7bc Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Fri, 29 Aug 2025 11:39:50 +0200
Subject: [PATCH] SG: Apply rules for both ipv4/ipv6 of VMs with associated
 account/SG (#11243)

---
 .../com/cloud/network/security/SecurityGroupVMMapVO.java   | 7 +++++++
 .../cloud/network/security/SecurityGroupManagerImpl.java   | 3 +++
 .../cloud/network/security/SecurityGroupManagerImpl2.java  | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/engine/schema/src/main/java/com/cloud/network/security/SecurityGroupVMMapVO.java b/engine/schema/src/main/java/com/cloud/network/security/SecurityGroupVMMapVO.java
index d12b9f9443f..59699cba1d4 100644
--- a/engine/schema/src/main/java/com/cloud/network/security/SecurityGroupVMMapVO.java
+++ b/engine/schema/src/main/java/com/cloud/network/security/SecurityGroupVMMapVO.java
@@ -50,6 +50,9 @@ public class SecurityGroupVMMapVO implements InternalIdentity {
     @Column(name = "ip4_address", table = "nics", insertable = false, updatable = false)
     private String guestIpAddress;
 
+    @Column(name = "ip6_address", table = "nics", insertable = false, updatable = false)
+    private String guestIpv6Address;
+
     @Column(name = "state", table = "vm_instance", insertable = false, updatable = false)
     private State vmState;
 
@@ -77,6 +80,10 @@ public class SecurityGroupVMMapVO implements InternalIdentity {
         return guestIpAddress;
     }
 
+    public String getGuestIpv6Address() {
+        return guestIpv6Address;
+    }
+
     public long getInstanceId() {
         return instanceId;
     }
diff --git a/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl.java
index 5d4b4737cbe..585975e7898 100644
--- a/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -354,6 +354,9 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
                             String cidr = defaultNic.getIPv4Address();
                             cidr = cidr + "/32";
                             cidrs.add(cidr);
+                            if (defaultNic.getIPv6Address() != null) {
+                                cidrs.add(defaultNic.getIPv6Address() + "/64");
+                            }
                         }
                     }
                 } else if (rule.getAllowedSourceIpCidr() != null) {
diff --git a/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl2.java b/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl2.java
index b75c39560cf..b8be55c4048 100644
--- a/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl2.java
+++ b/server/src/main/java/com/cloud/network/security/SecurityGroupManagerImpl2.java
@@ -250,6 +250,9 @@ public class SecurityGroupManagerImpl2 extends SecurityGroupManagerImpl {
                         //did a join with the nics table
                         String cidr = ngmapVO.getGuestIpAddress() + "/32";
                         cidrs.add(cidr);
+                        if (ngmapVO.getGuestIpv6Address() != null) {
+                            cidrs.add(ngmapVO.getGuestIpv6Address() + "/64");
+                        }
                     }
                 } else if (rule.getAllowedSourceIpCidr() != null) {
                     cidrs.add(rule.getAllowedSourceIpCidr());