Security Group Rules fails to apply on IPv6 only shared network

[rajujith]

problem

In a shared network with IPv6 only ie the offering has only Security Group as service, the rules fails to apply on the KVM host:

2026-02-24 09:50:14,298 DEBUG [cloud.agent.Agent] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Request:Seq 2-7693555538432382383:  { Cmd , MgmtId: 32988855272485, via: 2, Ver: v1, Flags: 100111, [{"com.cloud.agent.api.SecurityGroupRulesCmd":{"guestIp6":"fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2","vmName":"i-2-66-VM","guestMac":"02:01:00:e2:00:02","signature":"3f503368f6f02b0dd4fd636f3fb9cddd","seqNum":"12","vmId":"66","msId":"32988855272485","ingressRuleSet":[{"proto":"all","startPort":"0","endPort":"0"},{"proto":"icmp","startPort":"-1","endPort":"-1"}],"egressRuleSet":[],"vmTO":{"id":"66","name":"i-2-66-VM","state":"Running","type":"User","cpus":"1","minSpeed":"500","maxSpeed":"500","minRam":"(512.00 MB) 536870912","maxRam":"(512.00 MB) 536870912","arch":"x86_64","os":"Rocky Linux 8","platformEmulator":"Rocky Linux 8","bootArgs":"","enableHA":"false","limitCpuUse":"false","enableDynamicallyScaleVm":"false","details":{"cpuOvercommitRatio":"2.0","Message.ReservedCapacityFreed.Flag":"false","rootDiskController":"osdefault"},"uuid":"76ea93e1-00ac-4d1a-93e7-76f5a8341fed","enterHardwareSetup":"false","disks":[],"nics":[{"deviceId":"0","defaultNic":"true","pxeDisable":"false","nicUuid":"3afd5d0c-01ba-4ea6-81b6-6bac4768c5c2","details":{"PromiscuousMode":"false","ForgedTransmits":"true","MacAddressChanges":"true","MacLearning":"false"},"dpdkEnabled":"false","networkId":"226","networkSegmentName":"D1-A1-Z1-S226","uuid":"2ef0d164-5a22-410d-be12-d1256621141d","mac":"02:01:00:e2:00:02","broadcastType":"Vlan","type":"Guest","broadcastUri":"vlan://4001","securityGroupEnabled":"true","name":"cloudbr1","ip6address":"fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2","ip6gateway":"fd6f:ed8b:1fb6:dcb8::1","ip6cidr":"fd6f:ed8b:1fb6:dcb8::/64"}],"vcpuMaxLimit":"1","configDriveLocation":"SECONDARY","guestOsDetails":{},"extraConfig":{},"networkIdToNetworkNameMap":{}},"wait":"0","bypassHostMaintenance":"false"}}] }
2026-02-24 09:50:14,298 DEBUG [cloud.agent.Agent] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Processing command: com.cloud.agent.api.SecurityGroupRulesCmd
2026-02-24 09:50:14,298 DEBUG [agent.properties.AgentPropertiesFileHandler] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Property [hypervisor.uri] has empty or null value. Using default value [null].
2026-02-24 09:50:14,298 DEBUG [kvm.resource.LibvirtConnection] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Looking for libvirtd connection at: qemu:///system
2026-02-24 09:50:14,301 DEBUG [kvm.resource.LibvirtVMDef] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Using informed label [hdc] for volume [null].
2026-02-24 09:50:14,301 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Checking default network rules for vm i-2-66-VM
2026-02-24 09:50:14,303 DEBUG [kvm.resource.LibvirtVMDef] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Using informed label [hdc] for volume [null].
2026-02-24 09:50:14,303 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-66-VM --vmid 66 --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --isFirstNic --check ].
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Successfully executed process [1034954] for command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py default_network_rules --vmname i-2-66-VM --vmid 66 --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --isFirstNic --check ].
2026-02-24 09:50:14,438 DEBUG [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Executing command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --sig 3f503368f6f02b0dd4fd636f3fb9cddd --seq 12 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --rules I:all;0;0;fd6f:ed8b:1fb6:dcb8::/64,NEXT;I:icmp;-1;-1;fd6f:ed8b:1fb6:dcb8::/64,NEXT; ].
2026-02-24 09:50:14,438 WARN  [kvm.resource.LibvirtComputingResource] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Exception [null] occurred when attempting to run command [/usr/share/cloudstack-common/scripts/vm/network/security_group.py add_network_rules --vmname i-2-66-VM --vmid 66 --vmip null --vmip6 fd6f:ed8b:1fb6:dcb8:1:ff:fee2:2 --sig 3f503368f6f02b0dd4fd636f3fb9cddd --seq 12 --vmmac 02:01:00:e2:00:02 --vif vnet53 --brname breth1-4001 --nicsecips 0; --rules I:all;0;0;fd6f:ed8b:1fb6:dcb8::/64,NEXT;I:icmp;-1;-1;fd6f:ed8b:1fb6:dcb8::/64,NEXT; ]. java.lang.NullPointerException
        at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1092)
        at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)
        at com.cloud.utils.script.Script.execute(Script.java:254)
        at com.cloud.utils.script.Script.execute(Script.java:219)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.addNetworkRules(LibvirtComputingResource.java:5545)
        at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper.execute(LibvirtSecurityGroupRulesCommandWrapper.java:62)
        at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper.execute(LibvirtSecurityGroupRulesCommandWrapper.java:36)
        at com.cloud.hypervisor.kvm.resource.wrapper.LibvirtRequestWrapper.execute(LibvirtRequestWrapper.java:78)
        at com.cloud.hypervisor.kvm.resource.LibvirtComputingResource.executeRequest(LibvirtComputingResource.java:2280)
        at com.cloud.agent.Agent.processRequest(Agent.java:813)
        at com.cloud.agent.Agent$AgentRequestHandler.doTask(Agent.java:1295)
        at com.cloud.utils.nio.Task.call(Task.java:83)
        at com.cloud.utils.nio.Task.call(Task.java:29)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:840)

2026-02-24 09:50:14,438 WARN  [resource.wrapper.LibvirtSecurityGroupRulesCommandWrapper] (AgentRequest-Handler-1:[]) (logid:58a52ca1) Failed to program network rules for vm i-2-66-VM

versions

4.22.0.0

The steps to reproduce the bug

1. Create a shared guest network offering only with Security Group
2. Create a guest network with the offering
3. Deploy VM and configure the Security Group rules. No error is thrown but the rules won't work.
   ...

What to do about it?

SG rules should be applied.

[weizhouapache]

as mentioned on @rajujith 's doc PR: apache/cloudstack-documentation#628
IPv6-only shared network is unsupported.

@rajujith
can this issue be closed ?