Issue 4404: Add support for "icmpv6" protocol to ASGs (#4424)

jochenehret · web-flow · commit f7bc6d86b276 · 2025-07-08T10:09:41.000+02:00
* Issue 4404: Add support for "icmpv6" protocol to ASGs

* "icmpv6" can be used if "enable_ipv6" is configured
* "icmp" destinations may only consist of IPv4 addresses
* "icmpv6" destinations may only consist of IPv6 addresses

* Fix Rubocop findings

* Add test for icmpv6 with IPv6 address range

* and fix version check

* Spec for icmp with IPv4 address range

* Add "icmpv6" protocol to SecurityGroup class

* Update v3 security group docu with "icmpv6" protocol
diff --git a/app/messages/validators/security_group_rule_validator.rb b/app/messages/validators/security_group_rule_validator.rb
@@ -26,29 +26,28 @@ def validate(record)
       end
 
       validate_allowed_keys(rule, record, index)
-
-      add_rule_error("protocol must be 'tcp', 'udp', 'icmp', or 'all'", record, index) unless valid_protocol(rule[:protocol])
+      add_rule_error("protocol must be 'tcp', 'udp', 'icmp', 'icmpv6' or 'all'", record, index) unless valid_protocol(rule[:protocol])
 
       if valid_destination_type(rule[:destination], record, index)
         destinations = rule[:destination].split(',', -1)
         add_rule_error("maximum destinations per rule exceeded - must be under #{MAX_DESTINATIONS_PER_RULE}", record, index) unless destinations.length <= MAX_DESTINATIONS_PER_RULE
 
         destinations.each do |d|
-          validate_destination(d, record, index)
+          validate_destination(d, rule[:protocol], get_allowed_ip_version(rule), record, index)
         end
       end
 
       validate_description(rule, record, index)
       validate_log(rule, record, index)
+      validate_protocol(rule, record, index)
+    end
+  end
 
-      case rule[:protocol]
-      when 'tcp', 'udp'
-        validate_tcp_udp_protocol(rule, record, index)
-      when 'icmp'
-        validate_icmp_protocol(rule, record, index)
-      when 'all'
-        add_rule_error('ports are not allowed for protocols of type all', record, index) if rule[:ports]
-      end
+  def get_allowed_ip_version(rule)
+    if rule[:protocol] == 'icmp'
+      4
+    elsif rule[:protocol] == 'icmpv6'
+      6
     end
   end
 
@@ -57,7 +56,7 @@ def boolean?(value)
   end
 
   def valid_protocol(protocol)
-    protocol.is_a?(String) && %w[tcp udp icmp all].include?(protocol)
+    protocol.is_a?(String) && %w[tcp udp icmp icmpv6 all].include?(protocol)
   end
 
   def validate_allowed_keys(rule, record, index)
@@ -73,6 +72,20 @@ def validate_log(rule, record, index)
     add_rule_error('log must be a boolean', record, index) if rule[:log] && !boolean?(rule[:log])
   end
 
+  def validate_protocol(rule, record, index)
+    case rule[:protocol]
+    when 'tcp', 'udp'
+      validate_tcp_udp_protocol(rule, record, index)
+    when 'icmp'
+      validate_icmp_protocol(rule, record, index)
+    when 'icmpv6'
+      add_rule_error('icmpv6 cannot be used if enable_ipv6 is false', record, index) unless CloudController::RuleValidator.ipv6_enabled?
+      validate_icmp_protocol(rule, record, index)
+    when 'all'
+      add_rule_error('ports are not allowed for protocols of type all', record, index) if rule[:ports]
+    end
+  end
+
   def validate_tcp_udp_protocol(rule, record, index)
     add_rule_error('ports are required for protocols of type TCP and UDP', record, index) unless rule[:ports]
 
@@ -128,7 +141,7 @@ def valid_destination_type(destination, record, index)
     true
   end
 
-  def validate_destination(destination, record, index)
+  def validate_destination(destination, protocol, allowed_ip_version, record, index)
     error_message = 'destination must be a valid CIDR, IP address, or IP address range'
     error_message = 'destination must contain valid CIDR(s), IP address(es), or IP address range(s)' if CloudController::RuleValidator.comma_delimited_destinations_enabled?
     add_rule_error('empty destination specified in comma-delimited list', record, index) if destination.empty?
@@ -137,12 +150,14 @@ def validate_destination(destination, record, index)
 
     zeros_error_message = 'destination octets cannot contain leading zeros'
     add_rule_error(zeros_error_message, record, index) unless CloudController::RuleValidator.no_leading_zeros(address_list)
-
     if address_list.length == 1
-      add_rule_error(error_message, record, index) unless CloudController::RuleValidator.parse_ip(address_list.first)
-
+      parsed_ip = CloudController::RuleValidator.parse_ip(address_list.first)
+      add_rule_error(error_message, record, index) unless parsed_ip
+      add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{parsed_ip.version} addresses", record, index) \
+        unless valid_ip_version?(allowed_ip_version, parsed_ip)
     elsif address_list.length == 2
       ips = CloudController::RuleValidator.parse_ip(address_list)
+
       return add_rule_error('destination IP address range is invalid', record, index) unless ips
 
       sorted_ips = if ips.first.is_a?(NetAddr::IPv4)
@@ -153,12 +168,17 @@ def validate_destination(destination, record, index)
 
       reversed_range_error = 'beginning of IP address range is numerically greater than the end of its range (range endpoints are inverted)'
       add_rule_error(reversed_range_error, record, index) unless ips.first == sorted_ips.first
-
+      add_rule_error("for protocol \"#{protocol}\" you cannot use IPv#{ips.first.version} addresses", record, index) \
+        unless valid_ip_version?(allowed_ip_version, sorted_ips.first)
     else
       add_rule_error(error_message, record, index)
     end
   end
 
+  def valid_ip_version?(allowed_ip_version, parsed_ip)
+    parsed_ip.nil? || allowed_ip_version.nil? || parsed_ip.version == allowed_ip_version
+  end
+
   def add_rule_error(message, record, index)
     record.errors.add("Rules[#{index}]:", message)
   end
diff --git a/app/models/runtime/security_group.rb b/app/models/runtime/security_group.rb
@@ -71,7 +71,7 @@ def validate_rules
         validation_errors = case protocol
                             when 'tcp', 'udp'
                               CloudController::TransportRuleValidator.validate(stringified_rule)
-                            when 'icmp'
+                            when 'icmp', 'icmpv6'
                               CloudController::ICMPRuleValidator.validate(stringified_rule)
                             when 'all'
                               CloudController::RuleValidator.validate(stringified_rule)
diff --git a/docs/v3/source/includes/api_resources/_security_groups.erb b/docs/v3/source/includes/api_resources/_security_groups.erb
@@ -21,6 +21,13 @@
       "code": 0,
       "description": "Allow ping requests to private services"
     },
+    {
+      "protocol": "icmpv6",
+      "destination": "::/0",
+      "type": -1,
+      "code": -1,
+      "description": "Allow all ICMPv6 traffic"
+    },
     {
       "protocol": "tcp",
       "destination": "1.1.1.1,2.2.2.2/24,10.0.0.0-10.0.0.255",
diff --git a/docs/v3/source/includes/resources/security_groups/_object.md.erb b/docs/v3/source/includes/resources/security_groups/_object.md.erb
@@ -25,8 +25,8 @@ Name | Type | Description
 
 | Name | Type | Description | Required | Default
 | ---- | ---- | ----------- | -------- | -------
-| **protocol** | _string_ | Protocol type Valid values are `tcp`, `udp`, `icmp`, or `all` | yes | N/A |
-| **destination** | _string_ | The destination where the rule applies. Must be a singular Valid CIDR, IP address, or IP address range unless `cc.security_groups.enable_comma_delimited_destinations` is enabled. Then, the destination can be a comma-delimited string of CIDRs, IP addresses, or IP address ranges. Octets within destinations cannot contain leading zeros; eg. `10.0.0.0/24` is valid, but `010.00.000.0/24` is *not*.  | yes | N/A |
+| **protocol** | _string_ | Protocol type Valid values are `tcp`, `udp`, `icmp`, `icmpv6` or `all` | yes | N/A |
+| **destination** | _string_ | The destination where the rule applies. Must be a singular valid CIDR, IP address, or IP address range unless `cc.security_groups.enable_comma_delimited_destinations` is enabled. Then, the destination can be a comma-delimited string of CIDRs, IP addresses, or IP address ranges. Octets within destinations cannot contain leading zeros; eg. `10.0.0.0/24` is valid, but `010.00.000.0/24` is *not*. For `icmp`, only IPv4 addresses are allowed and for `icmpv6` only IPv6 addresses. | yes | N/A |
 | **ports** | _string_ | Ports that the rule applies to; can be a single port (`9000`), a comma-separated list (`9000,9001`), or a range (`9000-9200`) | no | `null` |
 | **type** | _integer_ |[Type](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types) required for ICMP protocol; valid values are between -1 and 255 (inclusive), where -1 allows all | no | `null` |
 | **code** | _integer_ |[Code](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes) required for ICMP protocol; valid values are between -1 and 255 (inclusive), where -1 allows all | no | `null` |
diff --git a/lib/cloud_controller/rule_validator.rb b/lib/cloud_controller/rule_validator.rb
@@ -77,6 +77,10 @@ def self.parse_ip(val)
       ipv4 || ipv6
     end
 
+    def self.ipv6_enabled?
+      config.get(:enable_ipv6)
+    end
+
     def self.comma_delimited_destinations_enabled?
       config.get(:security_groups, :enable_comma_delimited_destinations)
     end
diff --git a/spec/unit/messages/validators/security_group_rule_validator_spec.rb b/spec/unit/messages/validators/security_group_rule_validator_spec.rb
diff --git a/spec/unit/models/runtime/security_group_spec.rb b/spec/unit/models/runtime/security_group_spec.rb
