Public bug reported:

Currently ip6tables in the qrouter namespace has the following rule. This causes unmarked packets to drop.

    -A neutron-l3-agent-scope -o qr-f4eceee5-a4 -m mark ! --mark 0x4000000/0xffff0000 -j DROP

In a related bug (1570122) there was a problem that prefix-delegated subnets did not get a rule setting this mark on traffic incoming on the gateway port, and this traffic was thus dropped.

Now, this seems to work correctly when a user creates a subnet with IPv6 from PD. The problem arises when the l3-agent restarts, or the router moves to another l3-agent, as the rule marking the traffic is not recreated in these cases.

The result is the same symptoms as bug #1570122.

Adding the rule manually makes traffic flow again, for instance with the line:

    $ ip6tables -t mangle -A neutron-l3-agent-scope -i qg-28f7e259-d2 -j MARK --set-xmark 0x4000000/0xffff0000

We are running the Queens release at the moment:
- neutron-l3-agent 2:12.0.2-0ubuntu1~cloud0

These bugs are a major obstacle for IPv6 in our clouds, as we cannot deliver reliable transport of IPv6 packets when this rule is suddenly missing.

** Affects: neutron
     Importance: Undecided
         Status: New

** Tags: ipv6 queens-backport-potential

https://bugs.launchpad.net/bugs/1789403

Title:
  ip6tables rules for PD subnets not fully recreated at l3-agent restart
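
A check for the state described in the report above, added here as an example (it is not part of the original report or of neutron's code): it scans rule lines in `ip6tables-save` syntax and lists every DROP rule in the scope chain whose required mark is not set by any rule on a `qg-` gateway interface. It assumes, as the reporter's manual fix does, that gateway traffic should carry the same mark the DROP rule tests for; the function names and the sample rule sets are constructed for illustration.

```python
import re

# Chain name and rule shapes are the ones quoted in the report.
DROP_RE = re.compile(
    r"^-A neutron-l3-agent-scope -o (\S+) -m mark ! --mark (\S+) -j DROP$")
MARK_RE = re.compile(
    r"^-A neutron-l3-agent-scope -i (\S+) -j MARK --set-xmark (\S+)$")


def parse_mark(text):
    """Turn 'value/mask' into ints so 0x04000000 and 0x4000000 compare equal."""
    value, _, mask = text.partition("/")
    return int(value, 0), int(mask, 0) if mask else 0xFFFFFFFF


def unmarked_gateway_drops(rules):
    """Return (qr device, mark) for each DROP whose mark no qg- rule sets."""
    required, provided = [], set()
    for line in rules:
        line = line.strip()
        drop = DROP_RE.match(line)
        mark = MARK_RE.match(line)
        if drop:
            required.append((drop.group(1), parse_mark(drop.group(2))))
        elif mark and mark.group(1).startswith("qg-"):
            provided.add(parse_mark(mark.group(2)))
    return [(dev, "0x%x/0x%x" % m) for dev, m in required if m not in provided]


# Constructed samples. The DROP rule and the qg- MARK rule are the two lines
# from the report; the qr- MARK line is made up to show it does not count.
AFTER_RESTART = [
    "-A neutron-l3-agent-scope -o qr-f4eceee5-a4 -m mark ! --mark "
    "0x4000000/0xffff0000 -j DROP",
    "-A neutron-l3-agent-scope -i qr-f4eceee5-a4 -j MARK --set-xmark "
    "0x4000000/0xffff0000",
]
HEALTHY = AFTER_RESTART + [
    "-A neutron-l3-agent-scope -i qg-28f7e259-d2 -j MARK --set-xmark "
    "0x4000000/0xffff0000",
]

if __name__ == "__main__":
    for name, rules in (("after restart", AFTER_RESTART), ("healthy", HEALTHY)):
        print(name, unmarked_gateway_drops(rules) or "ok")
```

Feed it the lines printed by `ip6tables-save` run inside the router's namespace; a non-empty result after an l3-agent restart or a router move matches the symptom in this report.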