Reviewed:  https://review.openstack.org/407025
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cd38886d20c0900788f2c15157be1a016cb475be
Submitter: Jenkins
Branch:    master

commit cd38886d20c0900788f2c15157be1a016cb475be
Author: John Davidge <[email protected]>
Date:   Mon Dec 5 12:32:19 2016 +0000

    Fix iptables rules for Prefix Delegated subnets

    Make sure the correct iptables rule is added when the router gets an
    interface on a PD-enabled subnet. This will allow traffic on PD subnets
    to reach the external network.

    Includes a unit test for the new function, and modifies an existing
    test to verify the adding and removal of the rule.

    Change-Id: I42f8f42995e9809e5bda2b29726f7244c052ca1c
    Closes-Bug: #1570122

** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570122

Title:
  ipv6 prefix delegated subnets are not accessible external of the
  router they are attached to.

Status in neutron:
  Fix Released

Bug description:
  Currently ip6tables in the qrouter namespace has the following rule.
  This causes unmarked packets to drop.

  -A neutron-l3-agent-scope -o qr-ca9ffa4f-fd -m mark ! --mark 0x4010000/0xffff0000 -j DROP

  It seems that prefix delegated subnets don't get that mark set on
  incoming traffic from the gateway port; I had to add my own rule to do
  that.

  ip6tables -t mangle -A neutron-l3-agent-scope -i qg-ac290c4b-4f -j MARK --set-xmark 0x4010000/0xffff0000

  At the moment that is probably too permissive; it should likely be
  limited based on the prefix delegated, with a '-d dead:beef:cafe::/64'
  or whatever the delegation is (tested this and it does work).

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1570122/+subscriptions

Mailing list: https://launchpad.net/~yahoo-eng-team
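The interaction the reporter describes (an address-scope mark that is set on ingress and checked on egress, so that unmarked packets for a PD subnet are dropped) can be modelled in a few lines. The following is an added example, not neutron's own code and not the content of the linked commit: it evaluates the report's DROP rule and MARK workaround against constructed packets, and also the prefix-limited variant the reporter suggests. Interface names, the mark/mask value and the dead:beef:cafe::/64 placeholder prefix are taken from the report; the Packet and Rule classes, the forward() evaluator and the sample destination addresses are assumptions made for this model. It deliberately simplifies iptables traversal: rules with an input interface are evaluated before rules with an output interface, which is the order a forwarded packet meets them.

```python
"""Model of the mark/drop logic quoted in bug 1570122 (added example, not neutron code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values quoted in the bug report.
SCOPE_MARK = 0x4010000
SCOPE_MASK = 0xffff0000
PD_PREFIX = "dead:beef:cafe::/64"   # the report's placeholder for the delegated prefix
GW_PORT = "qg-ac290c4b-4f"          # external gateway port
INT_PORT = "qr-ca9ffa4f-fd"         # router port on the PD subnet


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    dst: str
    mark: int = 0


@dataclass
class Rule:
    target: str                          # "DROP" or "MARK"
    in_iface: Optional[str] = None       # -i
    out_iface: Optional[str] = None      # -o
    dst: Optional[str] = None            # -d prefix
    match_mark: Optional[int] = None     # -m mark --mark value/mask
    negate_mark: bool = False            # the '!' in '-m mark ! --mark'
    set_mark: Optional[int] = None       # MARK --set-xmark value/mask
    mask: int = SCOPE_MASK


def set_xmark(mark: int, value: int, mask: int) -> int:
    """MARK --set-xmark value/mask: clear the masked bits, then XOR in the value."""
    return (mark & ~mask) ^ value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.out_iface is not None and rule.out_iface != pkt.out_iface:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.match_mark is not None:
        hit = (pkt.mark & rule.mask) == (rule.match_mark & rule.mask)
        if hit == rule.negate_mark:      # '!' inverts the match
            return False
    return True


def forward(rules: list, pkt: Packet) -> str:
    """Return the verdict ('ACCEPT' or 'DROP') for a forwarded packet.

    Simplification: -i rules run first (ingress hook), then the rest (egress hook).
    """
    ingress = [r for r in rules if r.in_iface is not None]
    egress = [r for r in rules if r.in_iface is None]
    for rule in ingress + egress:
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = set_xmark(pkt.mark, rule.set_mark, rule.mask)
        elif rule.target == "DROP":
            return "DROP"
    return "ACCEPT"


# The rule neutron installs (as quoted), the reporter's broad workaround,
# and the prefix-limited variant the reporter suggests instead.
DROP_UNMARKED = Rule("DROP", out_iface=INT_PORT, match_mark=SCOPE_MARK, negate_mark=True)
WORKAROUND_BROAD = Rule("MARK", in_iface=GW_PORT, set_mark=SCOPE_MARK)
WORKAROUND_SCOPED = Rule("MARK", in_iface=GW_PORT, dst=PD_PREFIX, set_mark=SCOPE_MARK)


def inbound(dst: str) -> Packet:
    """A constructed packet arriving on the gateway port, routed to the PD subnet port."""
    return Packet(in_iface=GW_PORT, out_iface=INT_PORT, dst=dst)


def verdicts() -> dict:
    pd_host = "dead:beef:cafe::10"   # constructed: inside the delegated prefix
    other = "2001:db8::10"           # constructed: outside it
    return {
        "no_mark_rule":  forward([DROP_UNMARKED], inbound(pd_host)),            # the bug
        "broad_pd":      forward([DROP_UNMARKED, WORKAROUND_BROAD], inbound(pd_host)),
        "broad_other":   forward([DROP_UNMARKED, WORKAROUND_BROAD], inbound(other)),
        "scoped_pd":     forward([DROP_UNMARKED, WORKAROUND_SCOPED], inbound(pd_host)),
        "scoped_other":  forward([DROP_UNMARKED, WORKAROUND_SCOPED], inbound(other)),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:14s} {verdict}")
```

Running it shows why the reporter calls the first workaround "too permissive": the broad MARK rule stamps the scope mark on every packet entering the gateway port, so any destination passes the egress check, while the prefix-limited rule only marks traffic for the delegated prefix and leaves everything else to be dropped as before.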

