Issue 4404: Add support for "icmpv6" protocol to ASGs

jochenehret · jochenehret · commit 45da5e26a0e4 · 2025-07-01T11:51:57.000+02:00
* "icmpv6" can be used if "enable_ipv6" is configured
* "icmp" destinations may only consist of IPv4 addresses
* "icmpv6" destinations may only consist of IPv6 addresses
diff --git a/spec/unit/messages/validators/security_group_rule_validator_spec.rb b/spec/unit/messages/validators/security_group_rule_validator_spec.rb
@@ -1303,6 +1303,153 @@ def self.name
           expect(subject.errors.full_messages).to include 'Rules[0]: code must be an integer between -1 and 255 (inclusive)'
         end
       end
+
+      context 'ipv6 is disabled' do
+        before do
+          TestConfig.config[:enable_ipv6] = false
+        end
+
+        context 'icmpv6 protocol in a rule' do
+          let(:rules) do
+            [
+              {
+                protocol: 'icmpv6',
+                destination: '2001:db8::/32',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is not valid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors.full_messages).to include 'Rules[0]: icmpv6 cannot be used if enable_ipv6 is false'
+          end
+        end
+      end
+
+      context 'ipv6 is enabled' do
+        before do
+          TestConfig.config[:enable_ipv6] = true
+        end
+        context 'icmp protocol contains an IPv6 destination' do
+          let(:rules) do
+            [
+              {
+                protocol: 'icmp',
+                destination: '2001:db8::/32',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is invalid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors.full_messages).to include 'Rules[0]: for protocol "icmp" you cannot use IPv6 addresses'
+          end
+        end
+
+        context 'icmp protocol contains a comma-delimited list of IPv6 destinations' do
+          before do
+            TestConfig.config[:security_groups][:enable_comma_delimited_destinations] = true
+          end
+
+          let(:rules) do
+            [
+              {
+                protocol: 'icmp',
+                destination: '2001:db8::/32,2001:db8:85a3::/64',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is invalid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors.full_messages).to include 'Rules[0]: for protocol "icmp" you cannot use IPv6 addresses'
+          end
+        end
+
+        context 'icmpv6 protocol contains an IPv6 destination' do
+          let(:rules) do
+            [
+              {
+                protocol: 'icmpv6',
+                destination: '2001:db8::/32',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is valid' do
+            expect(subject).to be_valid
+          end
+        end
+
+        context 'icmpv6 protocol contains a comma-delimited list of IPv6 destinations' do
+          before do
+            TestConfig.config[:security_groups][:enable_comma_delimited_destinations] = true
+          end
+
+          let(:rules) do
+            [
+              {
+                protocol: 'icmpv6',
+                destination: '2001:db8::/32,2001:db8:85a3::/64',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is valid' do
+            expect(subject).to be_valid
+          end
+        end
+
+        context 'icmpv6 protocol contains an IPv4 destination' do
+          let(:rules) do
+            [
+              {
+                protocol: 'icmpv6',
+                destination: '10.0.0.0/8',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is invalid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors.full_messages).to include 'Rules[0]: for protocol "icmpv6" you cannot use IPv4 addresses'
+          end
+        end
+
+        context 'icmpv6 protocol contains a comma-delimited list of IPv4 destinations' do
+          before do
+            TestConfig.config[:security_groups][:enable_comma_delimited_destinations] = true
+          end
+
+          let(:rules) do
+            [
+              {
+                protocol: 'icmpv6',
+                destination: '10.0.0.0/8,192.168.0.0/16',
+                type: -1,
+                code: 255
+              }
+            ]
+          end
+
+          it 'is invalid' do
+            expect(subject).not_to be_valid
+            expect(subject.errors.full_messages).to include 'Rules[0]: for protocol "icmpv6" you cannot use IPv4 addresses'
+          end
+        end
+      end
     end
   end
 end
