mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
This commit implements basic Security Grouping for KVM in Basic Networking.

It does not implement full Security Grouping yet, but it does:

- Prevent IP-Address source spoofing
- Allow DHCPv6 clients, but disallow DHCPv6 servers
- Disallow Instances to send out Router Advertisements

The Security Grouping allows ICMPv6 packets as described by RFC4890 as they are essential for IPv6 connectivity.

Following RFC4890 it allows:

- Router Solicitations
- Router Advertisements (incoming only)
- Neighbor Advertisements
- Neighbor Solicitations
- Packet Too Big
- Time Exceeded
- Destination Unreachable
- Parameter Problem
- Echo Request

ICMPv6 is an essential part of IPv6, without it connectivity will break or be very unreliable.

For now it allows any UDP and TCP packet to be sent in to the Instance which effectively opens up the firewall completely.

Future commits will implement Security Grouping further which allows controlling UDP and TCP ports for IPv6 like can be done with IPv4.

Regardless of the egress filtering (which can't be done yet) it will always allow outbound DNS to port 53 over UDP or TCP.

Signed-off-by: Wido den Hollander <wido@widodh.nl>
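
The policy this commit message describes, modelled as a stateless decision function that can serve as a test oracle for the resulting rules. This is an added example, not CloudStack's code. Assumptions: the names `Packet` and `decide`, matching a DHCPv6 server by UDP source port 547, dropping ICMPv6 types that are not on the list, and accepting the listed types other than Router Advertisements in both directions.

```python
import ipaddress
from collections import namedtuple

# ICMPv6 type numbers (RFC 4443, RFC 4861) for the types the message lists.
ICMPV6_ALLOWED = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 133: "Router Solicitation",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}
ROUTER_ADVERTISEMENT = 134   # accepted inbound only
DHCPV6_SERVER_PORT = 547     # servers send from 547, clients from 546
DNS_PORT = 53

# direction is "in" (towards the instance) or "out" (from the instance);
# proto is "icmpv6", "udp" or "tcp". Hypothetical structure for this model.
Packet = namedtuple("Packet", "direction src proto icmp_type sport dport",
                    defaults=(None, None, None))

def decide(pkt, instance_addrs):
    """Return (verdict, reason) for one packet under the described policy."""
    # Compare parsed addresses so different spellings of one address match.
    allowed = {ipaddress.IPv6Address(a) for a in instance_addrs}
    if pkt.direction == "out" and ipaddress.IPv6Address(pkt.src) not in allowed:
        return "DROP", "source address spoofing"

    if pkt.proto == "icmpv6":
        if pkt.icmp_type == ROUTER_ADVERTISEMENT:
            if pkt.direction == "in":
                return "ACCEPT", "Router Advertisement (incoming)"
            return "DROP", "instance sending Router Advertisement"
        if pkt.icmp_type in ICMPV6_ALLOWED:
            return "ACCEPT", ICMPV6_ALLOWED[pkt.icmp_type]
        return "DROP", "ICMPv6 type not on the list"  # assumption, see lead-in

    if (pkt.proto == "udp" and pkt.direction == "out"
            and pkt.sport == DHCPV6_SERVER_PORT):
        return "DROP", "instance acting as DHCPv6 server"
    if pkt.direction == "out" and pkt.dport == DNS_PORT:
        return "ACCEPT", "outbound DNS"
    # Ingress TCP/UDP is wide open for now, and egress filtering is not done yet.
    return "ACCEPT", "TCP/UDP not filtered yet"
```
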