From e53ed9e35053dc012185f3b8ce5b3b5937585f25 Mon Sep 17 00:00:00 2001 From: Abhishek Kumar Date: Wed, 27 Apr 2022 08:00:44 +0530 Subject: [PATCH] network: fix event, acl, firewall for ipv6 nw (#6314) * add guest ipv6 cidr for fw rule Signed-off-by: Abhishek Kumar * fix fw, acl nft chains Signed-off-by: Abhishek Kumar * remove unnecessary log Signed-off-by: Abhishek Kumar * api response should return default internet protocol Signed-off-by: Abhishek Kumar * event resource fix for ipv6 firewall rule events Signed-off-by: Abhishek Kumar * fix radvd, restore ipv6 intf in vm type script Signed-off-by: Abhishek Kumar * fix dadfailed with rvr Signed-off-by: Abhishek Kumar --- .../user/ipv6/CreateIpv6FirewallRuleCmd.java | 11 +++ .../user/ipv6/DeleteIpv6FirewallRuleCmd.java | 14 +++ .../user/ipv6/UpdateIpv6FirewallRuleCmd.java | 14 +++ .../routing/SetIpv6FirewallRulesCommand.java | 8 +- .../SetIpv6FirewallRulesConfigItem.java | 1 + .../virtualnetwork/model/FirewallRule.java | 8 ++ .../offerings/dao/NetworkOfferingDao.java | 2 + .../offerings/dao/NetworkOfferingDaoImpl.java | 9 ++ .../java/com/cloud/api/ApiResponseHelper.java | 2 +- .../query/dao/NetworkOfferingJoinDaoImpl.java | 8 +- .../api/query/dao/VpcOfferingJoinDaoImpl.java | 8 +- .../network/router/CommandSetupHelper.java | 18 ++-- systemvm/debian/opt/cloud/bin/configure.py | 46 +++++++--- .../debian/opt/cloud/bin/cs/CsNetfilter.py | 20 +++-- .../debian/opt/cloud/bin/setup/bootstrap.sh | 9 -- systemvm/debian/opt/cloud/bin/setup/common.sh | 88 ++++++++++++++----- systemvm/debian/opt/cloud/bin/setup/router.sh | 1 + 17 files changed, 200 insertions(+), 67 deletions(-) diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java index 780baa5664d..be158c9de02 100644 --- a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java 
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java @@ -21,6 +21,7 @@ import java.util.List; import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandResourceType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCreateCmd; @@ -252,4 +253,14 @@ public class CreateIpv6FirewallRuleCmd extends BaseAsyncCreateCmd { } } } + + @Override + public Long getApiResourceId() { + return getNetworkId(); + } + + @Override + public ApiCommandResourceType getApiResourceType() { + return ApiCommandResourceType.Network; + } } diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java index 04c6082e05a..e7343a80d05 100644 --- a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java +++ b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java @@ -17,6 +17,7 @@ package org.apache.cloudstack.api.command.user.ipv6; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandResourceType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseAsyncCmd; @@ -94,4 +95,17 @@ public class DeleteIpv6FirewallRuleCmd extends BaseAsyncCmd { } } + @Override + public Long getApiResourceId() { + FirewallRule rule = _firewallService.getFirewallRule(id); + if (rule != null) { + return rule.getNetworkId(); + } + return null; + } + + @Override + public ApiCommandResourceType getApiResourceType() { + return ApiCommandResourceType.Network; + } } 
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java index bb8fc71b553..8a05d02ae59 100644 --- a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java +++ b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java @@ -20,6 +20,7 @@ import java.util.List; import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.api.APICommand; +import org.apache.cloudstack.api.ApiCommandResourceType; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.BaseAsyncCustomIdCmd; import org.apache.cloudstack.api.Parameter; @@ -172,4 +173,17 @@ public class UpdateIpv6FirewallRuleCmd extends BaseAsyncCustomIdCmd { } } + @Override + public Long getApiResourceId() { + FirewallRule rule = _firewallService.getFirewallRule(id); + if (rule != null) { + return rule.getNetworkId(); + } + return null; + } + + @Override + public ApiCommandResourceType getApiResourceType() { + return ApiCommandResourceType.Network; + } } diff --git a/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java b/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java index 62cc2cabaaa..638ba408de6 100644 --- a/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java +++ b/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java 
@@ -30,18 +30,24 @@ import com.cloud.agent.api.to.FirewallRuleTO; */ public class SetIpv6FirewallRulesCommand extends NetworkElementCommand { FirewallRuleTO[] rules; + String guestIp6Cidr; protected SetIpv6FirewallRulesCommand() { } - public SetIpv6FirewallRulesCommand(List rules) { + public SetIpv6FirewallRulesCommand(List rules, String guestIp6Cidr) { this.rules = rules.toArray(new FirewallRuleTO[rules.size()]); + this.guestIp6Cidr = guestIp6Cidr; } public FirewallRuleTO[] getRules() { return rules; } + public String getGuestIp6Cidr() { + return guestIp6Cidr; + } + @Override public int getAnswersCount() { return rules.length; diff --git a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java index ff4f266f995..75ec5396810 100644 --- a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java +++ b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java @@ -42,6 +42,7 @@ public class SetIpv6FirewallRulesConfigItem extends AbstractConfigItemFacade{ final FirewallRule fwRule = new FirewallRule(rule.getId(), rule.getSrcVlanTag(), rule.getSrcIp(), rule.getProtocol(), rule.getSrcPortRange(), rule.revoked(), rule.isAlreadyAdded(), rule.getSourceCidrList(), rule.getDestCidrList(), rule.getPurpose().toString(), rule.getIcmpType(), rule.getIcmpCode(), rule.getTrafficType().toString(), rule.getGuestCidr(), rule.isDefaultEgressPolicy()); + fwRule.setGuestIp6Cidr(command.getGuestIp6Cidr()); rules.add(fwRule); } diff --git a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java index 44ec9bef76b..1baf05657fb 100644 --- a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java 
+++ b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java @@ -38,6 +38,7 @@ public class FirewallRule { private String guestCidr; private boolean defaultEgressPolicy; private String type; + private String guestIp6Cidr; public FirewallRule() { // Empty constructor for (de)serialization @@ -174,4 +175,11 @@ public class FirewallRule { this.defaultEgressPolicy = defaultEgressPolicy; } + public String getGuestIp6Cidr() { + return guestIp6Cidr; + } + + public void setGuestIp6Cidr(String guestIp6Cidr) { + this.guestIp6Cidr = guestIp6Cidr; + } } diff --git a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java index 60d7701cd05..381d2144df1 100644 --- a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java +++ b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java @@ -73,5 +73,7 @@ public interface NetworkOfferingDao extends GenericDao NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId); + NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId, NetUtils.InternetProtocol defaultProtocol); + boolean isIpv6Supported(long offeringId); } diff --git a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java index fd36a1b825d..65362eba3c7 100644 --- a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java +++ b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java @@ -278,6 +278,15 @@ public class NetworkOfferingDaoImpl extends GenericDaoBase()); if (Network.GuestType.Isolated.equals(networkOffering.getGuestType())) { 
diff --git a/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java b/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java index ae51df3cb65..474409a976c 100644 --- a/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java +++ b/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java @@ -19,6 +19,7 @@ package com.cloud.api.query.dao; import java.util.List; +import org.apache.commons.lang3.StringUtils; import org.apache.cloudstack.api.response.NetworkOfferingResponse; import org.apache.log4j.Logger; @@ -27,6 +28,7 @@ import com.cloud.offering.NetworkOffering; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; +import com.cloud.utils.net.NetUtils; public class NetworkOfferingJoinDaoImpl extends GenericDaoBase implements NetworkOfferingJoinDao { public static final Logger s_logger = Logger.getLogger(NetworkOfferingJoinDaoImpl.class); @@ -99,7 +101,11 @@ public class NetworkOfferingJoinDaoImpl extends GenericDaoBase implements VpcOfferingJoinDao { public static final Logger s_logger = Logger.getLogger(VpcOfferingJoinDaoImpl.class); @@ -70,7 +72,11 @@ public class VpcOfferingJoinDaoImpl extends GenericDaoBase rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) { final List rulesTO = new ArrayList<>(); String systemRule = null; - Boolean defaultEgressPolicy = false; + final NetworkVO network = _networkDao.findById(guestNetworkId); + final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); + Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();; if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { 
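Review bot: The new line `Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();;` carries a stray second semicolon, and the network/offering lookups now run unconditionally at the top of the method instead of inside the egress branch, so a `guestNetworkId` with no `NetworkVO` (or an offering that cannot be found) now dereferences null here before `rules` is even examined. A boxed `Boolean` for a value that is only ever `true`/`false` is also unnecessary. I would guard the lookups explicitly and use the primitive: `final NetworkVO network = _networkDao.findById(guestNetworkId);` / `if (network == null) { throw new IllegalArgumentException("Unknown guest network " + guestNetworkId); }` / `final boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();`. The method's body continues past this hunk.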
@@ -476,16 +478,13 @@ public class CommandSetupHelper { final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, null, Purpose.Ipv6Firewall, trafficType); rulesTO.add(ruleTO); } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { - final NetworkVO network = _networkDao.findById(guestNetworkId); - final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); - defaultEgressPolicy = offering.isEgressDefaultPolicy(); final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Ipv6Firewall, trafficType, defaultEgressPolicy); rulesTO.add(ruleTO); } } } - final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO); + final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr()); cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId())); cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId())); cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName()); @@ -547,7 +546,9 @@ public class CommandSetupHelper { public void createIpv6FirewallRulesCommands(final List rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) { final List rulesTO = new ArrayList<>(); String systemRule = null; - Boolean defaultEgressPolicy = false; + final NetworkVO network = _networkDao.findById(guestNetworkId); + final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); + Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy(); if (rules != null) { if (rules.size() > 0) { if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) { 
@@ -562,16 +563,13 @@ public class CommandSetupHelper { final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, null, Purpose.Ipv6Firewall, traffictype); rulesTO.add(ruleTO); } else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) { - final NetworkVO network = _networkDao.findById(guestNetworkId); - final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); - defaultEgressPolicy = offering.isEgressDefaultPolicy(); final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Ipv6Firewall, traffictype, defaultEgressPolicy); rulesTO.add(ruleTO); } } } - final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO); + final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr()); cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId())); cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId())); cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName()); diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py index e6c608b4699..67e575bfb7a 100755 --- a/systemvm/debian/opt/cloud/bin/configure.py +++ b/systemvm/debian/opt/cloud/bin/configure.py 
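Review bot: `network.getIp6Cidr()` is passed straight into `SetIpv6FirewallRulesCommand` with no check, and on the VR side (configure.py, `CsIpv6Firewall.process`) that value is interpolated into the `nft` jump rules `ip6 saddr %s jump fw_chain_egress` / `ip6 daddr %s jump fw_chain_ingress`; a null or empty CIDR makes those rules fail to load, and because `fw_forward` is created with policy `accept`, the guest network is then left with no IPv6 filtering at all. Presumably this path is only reached for networks that have an IPv6 CIDR, but that is not enforced anywhere visible. I would reject it before building the command: `final String ip6Cidr = network.getIp6Cidr();` / `if (ip6Cidr == null || ip6Cidr.isEmpty()) { throw new IllegalStateException("Network " + guestNetworkId + " has no IPv6 CIDR; refusing to program IPv6 firewall rules"); }` (or return without adding the command if IPv4-only networks can legitimately reach here). The same applies to the sibling method in the earlier hunk of this file.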
@@ -296,17 +296,13 @@ class CsAcl(CsDataBag): return tier_cidr = self.ip6_cidr chain = "%s_%s_policy" % (self.device, direction) - rule = "accept" - parent_chain = "acl_output" + parent_chain = "acl_forward" cidr_key = "saddr" - parent_chain_rule = "ip6 saddr ::/0 jump %s" % (chain) if direction == "ingress": - rule = "drop" - parent_chain = "acl_input" cidr_key = "daddr" parent_chain_rule = "ip6 %s %s jump %s" % (cidr_key, tier_cidr, chain) - self.ipv6_acl.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule}) - self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain, 'rule': rule}) + self.ipv6_acl.insert(0, {'type': "", 'chain': parent_chain, 'rule': parent_chain_rule}) + self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain}) for rule in rule_list: cidr = rule['cidr'] if cidr != None and cidr != "": @@ -369,6 +365,8 @@ class CsAcl(CsDataBag): self.ipv6_acl.insert(0, {'type': type, 'chain': chain, 'rule': rstr}) else: self.ipv6_acl.append({'type': type, 'chain': chain, 'rule': rstr}) + rstr = "counter packets 0 bytes 0 drop" + self.ipv6_acl.append({'type': "", 'chain': chain, 'rule': rstr}) def process(self, direction, rule_list, base): count = base 
@@ -480,10 +478,30 @@ class CsIpv6Firewall(CsDataBag): def process(self): fw = self.config.get_ipv6_fw() logging.info("Processing IPv6 firewall rules %s; %s" % (self.dbag, fw)) + chains_added = False + egress_policy = None for item in self.dbag: if item == "id": continue rule = self.dbag[item] + + if chains_added == False: + guest_cidr = rule['guest_ip6_cidr'] + parent_chain = "fw_forward" + chain = "fw_chain_egress" + parent_chain_rule = "ip6 saddr %s jump %s" % (guest_cidr, chain) + fw.append({'type': "chain", 'chain': chain}) + fw.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule}) + chain = "fw_chain_ingress" + parent_chain_rule = "ip6 daddr %s jump %s" % (guest_cidr, chain) + fw.append({'type': "chain", 'chain': chain}) + fw.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule}) + if rule['default_egress_policy']: + egress_policy = "accept" + else: + egress_policy = "drop" + chains_added = True + rstr = "" chain = "fw_chain_ingress" @@ -561,14 +579,14 @@ class CsIpv6Firewall(CsDataBag): rstr = appendStringIfNotEmpty(rstr, proto) if rstr and action: rstr = rstr + " " + action - else: - type = "chain" - rstr = action - logging.debug("Process IPv6 firewall rule %s" % rstr) - if type == "chain": - fw.insert(0, {'type': type, 'chain': chain, 'rule': rstr}) - else: + logging.debug("Process IPv6 firewall rule %s" % rstr) fw.append({'type': type, 'chain': chain, 'rule': rstr}) + if chains_added: + base_rstr = "counter packets 0 bytes 0" + rstr = "%s drop" % base_rstr + fw.append({'type': "", 'chain': "fw_chain_ingress", 'rule': rstr}) + rstr = "%s %s" % (base_rstr, egress_policy) + fw.append({'type': "", 'chain': "fw_chain_egress", 'rule': rstr}) class CsVmMetadata(CsDataBag): diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py index 65bf4114a29..a034034dc8b 100755 --- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py +++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py 
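Review bot: `guest_cidr = rule['guest_ip6_cidr']` trusts the first entry of the databag without validation; if the management server sends a null CIDR (it is taken verbatim from `network.getIp6Cidr()`), the generated `ip6 saddr None jump fw_chain_egress` rule is rejected by nft, and since `fw_forward` is created with policy `accept` neither `fw_chain_ingress`'s terminal `drop` nor the egress policy is ever consulted, i.e. the firewall fails open. The same fail-open occurs when the databag has no rule entries at all, because `chains_added` stays False and no jump or terminal rule is appended; whether the server always sends at least one rule I cannot tell from here. I would validate and fail closed rather than emit a broken rule: `guest_cidr = rule.get('guest_ip6_cidr')` / `if not guest_cidr:` / `    logging.error("IPv6 firewall: missing guest_ip6_cidr, keeping existing ruleset"); return`. `rule['default_egress_policy']` could use the same `.get()` treatment so a missing key does not abort the whole configure run with a KeyError.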
@@ -229,23 +229,23 @@ class CsNetfilters(object): if chain_policy and action: chain_policy = "%s policy %s;" % (chain_policy, action) CsHelper.execute("nft add chain %s %s %s '{ %s }'" % (address_family, table, chain, chain_policy)) - if chain_policy: + if hook == "input" or hook == "output": CsHelper.execute("nft add rule %s %s %s icmpv6 type { echo-request, echo-reply, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept" % (address_family, table, chain)) def apply_ip6_rules(self, rules, type): - logging.debug("Add IPv6 rules: %s", rules) if len(rules) == 0: return address_family = 'ip6' table = 'ip6_firewall' default_chains = [ - { "chain": "fw_chain_ingress", "hook": "input", "action": "drop"} + { "chain": "fw_input", "hook": "input", "action": "drop"}, + { "chain": "fw_forward", "hook": "forward", "action": "accept"} ] if type == "acl": table = 'ip6_acl' default_chains = [ { "chain": "acl_input", "hook": "input", "action": "drop" }, - { "chain": "acl_output", "hook": "output", "action": "accept" } + { "chain": "acl_forward", "hook": "forward", "action": "accept"} ] CsHelper.execute("nft add table %s %s" % (address_family, table)) for chain in default_chains: @@ -253,13 +253,15 @@ class CsNetfilters(object): for fw in rules: chain = fw['chain'] type = fw['type'] - rule = fw['rule'] + rule = None + if 'rule' in fw: + rule = fw['rule'] if type == "chain": - hook = "input" - if "egress" in chain: + hook = "" + if "output" in chain: hook = "output" - if chain.startswith("eth"): - hook = "" + elif "input" in chain: + hook = "input" self.add_ip6_chain(address_family, table, chain, hook, rule) else: logging.info("Add: rule=%s in address_family=%s table=%s, chain=%s", rule, address_family, table, chain) diff --git a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh index b3409213ed0..4720237543f 100755 --- a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh 
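Review bot: The ICMPv6 accept rule now installed on every input-hook chain admits `nd-router-advert` from any interface, so a guest VM on the radvd-served side can deliver router advertisements to the VR itself; common.sh sets `net.ipv6.conf.all.accept_ra=1`, which per the kernel sysctl documentation is ignored while forwarding is enabled (it would need to be 2), so this is currently defence-in-depth rather than an active hole, but restricting RA acceptance to the uplink interface is cheap and I would add it as a comment at minimum: `# nd-router-advert is accepted from any interface; tighten to the uplink with iifname once the public interface name is known here`. Separately, `fw_forward` and `acl_forward` get policy `accept`, which means any failure to load the per-network jump rules leaves forwarded IPv6 traffic unfiltered; a `drop` policy with an explicit `ct state established,related accept` would make the table fail closed, though that is a larger change than this patch.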
+++ b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh @@ -85,15 +85,6 @@ config_sysctl() { sed -i "/^vm.vfs_cache_pressure/ c\vm.vfs_cache_pressure = 100" /etc/sysctl.conf fi - eth0_ip6=$(grep -Po 'eth0ip6=\K[0-9a-zA-Z:]*' $CMDLINE) - eth2_ip6=$(grep -Po 'eth2ip6=\K[0-9a-zA-Z:]*' $CMDLINE) - if [ -n "$eth0_ip6" ] || [ -n "$eth2_ip6" ] - then - sed -i "s/net.ipv6.conf.all.disable_ipv6 =.*$/net.ipv6.conf.all.disable_ipv6 = 0/" /etc/sysctl.conf - sed -i "s/net.ipv6.conf.all.forwarding =.*$/net.ipv6.conf.all.forwarding = 1/" /etc/sysctl.conf - sed -i "s/net.ipv6.conf.all.accept_ra =.*$/net.ipv6.conf.all.accept_ra = 1/" /etc/sysctl.conf - fi - sync sysctl -p } diff --git a/systemvm/debian/opt/cloud/bin/setup/common.sh b/systemvm/debian/opt/cloud/bin/setup/common.sh index b937fd889bb..a799a88be8a 100755 --- a/systemvm/debian/opt/cloud/bin/setup/common.sh +++ b/systemvm/debian/opt/cloud/bin/setup/common.sh 
@@ -110,23 +110,31 @@ setup_interface() { fi } -setup_interface_ipv6() { +enable_interface_ipv6() { + local intf=eth${1} + log_it "Enabling IPv6 on interface: ${intf}" sysctl net.ipv6.conf.all.disable_ipv6=0 sysctl net.ipv6.conf.all.forwarding=1 sysctl net.ipv6.conf.all.accept_ra=1 - sed -i "s/net.ipv6.conf.all.disable_ipv6 =.*$/net.ipv6.conf.all.disable_ipv6 = 0/" /etc/sysctl.conf sed -i "s/net.ipv6.conf.all.forwarding =.*$/net.ipv6.conf.all.forwarding = 1/" /etc/sysctl.conf sed -i "s/net.ipv6.conf.all.accept_ra =.*$/net.ipv6.conf.all.accept_ra = 1/" /etc/sysctl.conf + sysctl net.ipv6.conf.${intf}.accept_dad=0 + sysctl net.ipv6.conf.${intf}.use_tempaddr=0 + if [ "$2" = true ] ; then + ifdown ${intf} + ifup ${intf} + fi +} + +setup_interface_ipv6() { + enable_interface_ipv6 $1 false local intfnum=$1 local ipv6="$2" local prelen="$3" local intf=eth${intfnum} - sysctl net.ipv6.conf.$intf.accept_dad=0 - sysctl net.ipv6.conf.$intf.use_tempaddr=0 - echo "iface $intf inet6 static" >> /etc/network/interfaces echo " address $ipv6 " >> /etc/network/interfaces echo " netmask $prelen" >> /etc/network/interfaces 
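Review bot: `sysctl net.ipv6.conf.${intf}.accept_dad=0` disables duplicate-address detection on the interface, and the commit message says this is for the RVR `dadfailed` case; the side effect is that the VR will keep using an address another host (a peer VR, or a malicious guest) is already answering for, with no log or failure, so the intent deserves a comment in the function, e.g. `# DAD is disabled so a redundant router peer holding the same address does not mark ours dadfailed; this also hides genuine address conflicts`. Also note that `net.ipv6.conf.all.accept_ra=1` has no effect once `forwarding=1` (the kernel requires accept_ra=2 to honour RAs on a forwarding host), so either the setting is dead or, if RA on the uplink is wanted, it should be set per interface to 2 rather than globally. The `sed` that persisted `disable_ipv6 = 0` in /etc/sysctl.conf was dropped here, so IPv6 now stays enabled across reboots only because `restore_ipv6` re-runs this function; I cannot see from this hunk whether every boot path calls it.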
@@ -266,31 +274,52 @@ enable_rpsrfs() { echo 256 > /sys/class/net/eth2/queues/rx-0/rps_flow_cnt } +setup_ipv6() { + local enableradvd=false + if [ -n "$ETH0_IP6" ] + then + enableradvd=true + setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN + fi + if [ -n "$ETH0_IP6" ] || [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ] + then + rm -rf /etc/radvd.conf + setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE $enableradvd + fi + if [ -n "$ETH2_IP6" ] + then + setup_interface_ipv6 "2" $ETH2_IP6 $ETH2_IP6_PRELEN + fi +} + +restore_ipv6() { + if [ -n "$ETH0_IP6" ] || [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ] + then + enable_interface_ipv6 "0" true + fi + if [ -n "$ETH0_IP6" ] + then + enable_radvd + fi + if [ -n "$ETH2_IP6" ] + then + enable_interface_ipv6 "2" true + fi +} + + setup_common() { init_interfaces $1 $2 $3 if [ -n "$ETH0_IP" ] then setup_interface "0" $ETH0_IP $ETH0_MASK $GW fi - if [ -n "$ETH0_IP6" ] - then - setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN - rm -rf /etc/radvd.conf - setup_radvd "0" $ETH0_IP6 $ETH0_IP6_PRELEN true - elif [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ] - then - rm -rf /etc/radvd.conf - setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE false - fi setup_interface "1" $ETH1_IP $ETH1_MASK $GW if [ -n "$ETH2_IP" ] then setup_interface "2" $ETH2_IP $ETH2_MASK $GW fi - if [ -n "$ETH2_IP6" ] - then - setup_interface_ipv6 "2" $ETH2_IP6 $ETH2_IP6_PRELEN - fi + setup_ipv6 echo $NAME > /etc/hostname echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon @@ -370,6 +399,24 @@ setup_common() { fi } +enable_radvd() { + systemctl -q is-enabled radvd + status=$? + if [ $status -ne 0 ] + then + log_it "Enabling radvd" + systemctl enable radvd + echo "radvd" >> /var/cache/cloud/enabled_svcs + fi + systemctl -q is-active radvd + status=$? + if [ $status -ne 0 ] + then + log_it "Starting radvd" + systemctl start radvd + fi +} + setup_radvd() { log_it "Setting up radvd" 
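Review bot: `setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE $enableradvd` passes unquoted variables, and the guarding condition lets the call happen with `ETH0_IP6` set but `GUEST_GW6`/`GUEST_CIDR6_SIZE` empty (the old code used `$ETH0_IP6 $ETH0_IP6_PRELEN` in that case); empty expansions disappear, so `setup_radvd` would receive `true` as its prefix argument and write a bogus radvd.conf. Presumably both are always populated together by `init_interfaces`, but quoting makes the call correct regardless: `setup_radvd "0" "$GUEST_GW6" "$GUEST_CIDR6_SIZE" "$enableradvd"`. The `[ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]` form is also the non-portable `-a` test; `[ -n "$GUEST_GW6" ] && [ -n "$GUEST_CIDR6_SIZE" ]` is the usual replacement, and `rm -rf` on a single file is better written `rm -f /etc/radvd.conf`.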
@@ -394,8 +441,7 @@ setup_radvd() { sed -i "s,{{ RDNSS_CONFIG }},$RDNSS_CFG,g" /etc/radvd.conf.$intf cat /etc/radvd.conf.$intf >> /etc/radvd.conf if [ "$enable" = true ] ; then - systemctl enable radvd - echo "radvd" >> /var/cache/cloud/enabled_svcs + enable_radvd fi } diff --git a/systemvm/debian/opt/cloud/bin/setup/router.sh b/systemvm/debian/opt/cloud/bin/setup/router.sh index d7113c49302..f5fa95c7b13 100755 --- a/systemvm/debian/opt/cloud/bin/setup/router.sh +++ b/systemvm/debian/opt/cloud/bin/setup/router.sh @@ -71,6 +71,7 @@ setup_router() { enable_fwding 1 enable_rpsrfs 1 enable_passive_ftp 1 + restore_ipv6 # Only allow DNS service for current network sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4