Commit d451666

TELCODOCS-999 Support MultiNetworkPolicies in IPv6 networks
1 parent 97bce5d commit d451666

2 files changed

+46
-6
lines changed

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * networking/multiple_networks/configuring-multi-network-policy.adoc
4+
5+
:_mod-docs-content-type: CONCEPT
6+
[id="nw-multi-network-policy-ipv6-support_{context}"]
7+
= Supporting multi-network policies in IPv6 networks
8+
9+
The ICMPv6 Neighbor Discovery Protocol (NDP) is a set of messages and processes that enable devices to discover and maintain information about neighboring nodes. NDP plays a crucial role in IPv6 networks, facilitating the interaction between devices on the same link.
10+
11+
The Cluster Network Operator (CNO) deploys the iptables implementation of multi-network policy when the `useMultiNetworkPolicy` parameter is set to `true`.
12+
13+
To support multi-network policies in IPv6 networks the Cluster Network Operator deploys the following set of rules in every pod affected by a multi-network policy:
14+
15+
.Multi-network policy custom rules
16+
17+
[source,yaml]
18+
----
19+
kind: ConfigMap
20+
apiVersion: v1
21+
metadata:
22+
name: multi-networkpolicy-custom-rules
23+
namespace: openshift-multus
24+
data:
25+
26+
custom-v6-rules.txt: |
27+
# accept NDP
28+
-p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT <1>
29+
-p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT <2>
30+
# accept RA/RS
31+
-p icmpv6 --icmpv6-type router-solicitation -j ACCEPT <3>
32+
-p icmpv6 --icmpv6-type router-advertisement -j ACCEPT <4>
33+
----
34+
35+
<1> This rule allows incoming ICMPv6 neighbor solicitation messages, which are part of the neighbor discovery protocol (NDP). These messages help determine the link-layer addresses of neighboring nodes.
36+
<2> This rule allows incoming ICMPv6 neighbor advertisement messages, which are part of NDP and provide information about the link-layer address of the sender.
37+
<3> This rule permits incoming ICMPv6 router solicitation messages. Hosts use these messages to request router configuration information.
38+
<4> This rule allows incoming ICMPv6 router advertisement messages, which give configuration information to hosts.
39+
40+
[NOTE]
41+
====
42+
You cannot edit these predefined rules.
43+
====
44+
45+
These rules collectively enable essential ICMPv6 traffic for correct network functioning, including address resolution and router communication in an IPv6 environment. With these rules in place and a multi-network policy denying traffic, applications are not expected to experience connectivity issues.
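
Review bot: Callouts <1> to <4> each describe the rule as allowing "incoming" messages, but the four rule lines in custom-v6-rules.txt carry no chain or direction, so the text should either say in which direction the rules are applied or drop "incoming". The sentence on line 13 says the rules are deployed "in every pod affected by a multi-network policy" while the listing is a ConfigMap in the openshift-multus namespace; one sentence connecting the two would remove the ambiguity. The closing paragraph should state outright that these four ICMPv6 types are accepted even when a multi-network policy denies all other traffic, because a reader writing a deny-all policy needs to know that NDP and RA/RS are exempt from it. Minor: add a comma after "IPv6 networks" on line 13, and callout <1> re-expands NDP in lowercase although line 9 already defines it.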

networking/multiple_networks/configuring-multi-network-policy.adoc

Lines changed: 1 addition & 6 deletions
@@ -15,14 +15,9 @@ Support for configuring multi-network policies for SR-IOV additional networks is
1515
For more information about the support scope of Red Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].
1616
====
1717

18-
[NOTE]
19-
====
20-
Configured network policies are ignored in IPv6 networks.
21-
====
22-
23-
2418
include::modules/nw-multi-network-policy-differences.adoc[leveloffset=+1]
2519
include::modules/nw-multi-network-policy-enable.adoc[leveloffset=+1]
20+
include::modules/nw-multi-network-policy-ipv6-suppport.adoc[leveloffset=+1]
2621

2722
[id="{context}_working-with-multi-network-policy"]
2823
== Working with multi-network policy
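
Review bot: The include added on line 20 points to modules/nw-multi-network-policy-ipv6-suppport.adoc, with three p's in "suppport", while the id in the new module is nw-multi-network-policy-ipv6-support_{context}. Confirm that the module file name and this include agree, otherwise the include will not resolve; if the file itself was created with the misspelling, rename it to use "support" and update this line to match. The new include also sits directly above two blank lines and the "Working with multi-network policy" heading, so check that the rendered order (differences, enable, IPv6 support) is the intended one.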
