Public bug reported:

I run into a problem when unicast RA messages are not accepted by openflow rules. In my configuration I'm using radvd daemon to send RA messages in my IPv6 network. Here is a config of radvd with `clients` directive to turn off multicast messages:
[root@radvd ~]# cat /etc/radvd.conf
interface br-eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 5;
    prefix 2001:db8:123::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
    clients
    {
        fe80::f816:3eff:fed7:358a;
    };
};
[root@radvd ~]#
I use a devstack installation with Neutron from the master branch.
I've created a virtual flat network with dual stack: IPv4 and IPv6 subnets.
The IPv6 subnet has a SLAAC address mode.
And I created a VM to test IPv6 address assignment inside the VM.
But the RA message doesn't reach the VM.
VM/port/security group rules:
[root@devstack ~]# openstack server list
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
| ID                                   | Name | Status | Networks                                                 | Image                                   | Flavor   |
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
| 332942be-0869-403f-9aba-386f88b9bc9d | test | ACTIVE | public=10.136.17.163, 2001:db8:123:0:f816:3eff:fed7:358a | CentOS-7-x86_64-GenericCloud-2009.qcow2 | m1.small |
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
[root@devstack ~]#
[root@devstack ~]# openstack port show 664489d1-f15f-4990-99eb-b53ad21f673a
+-------------------------+------------------------------------------------------+
| Field                   | Value                                                |
+-------------------------+------------------------------------------------------+
| admin_state_up          | UP                                                   |
| allowed_address_pairs   |                                                      |
| binding_host_id         | devstack                                             |
| binding_profile         |                                                      |
| binding_vif_details     | bridge_name='br-int', connectivity='l2',             |
|                         | datapath_type='system', ovs_hybrid_plug='False',     |
|                         | port_filter='True'                                   |
| binding_vif_type        | ovs                                                  |
| binding_vnic_type       | normal                                               |
| created_at              | 2022-01-21T11:32:19Z                                 |
| data_plane_status       | None                                                 |
| description             |                                                      |
| device_id               | 332942be-0869-403f-9aba-386f88b9bc9d                 |
| device_owner            | compute:nova                                         |
| device_profile          | None                                                 |
| dns_assignment          | None                                                 |
| dns_domain              | None                                                 |
| dns_name                | None                                                 |
| extra_dhcp_opts         |                                                      |
| fixed_ips               | ip_address='10.136.17.163',                          |
|                         | subnet_id='6d9a7fb5-5c1b-4759-b32b-5720b5cedbf4'     |
|                         | ip_address='2001:db8:123:0:f816:3eff:fed7:358a',     |
|                         | subnet_id='410b7327-12c9-4085-9c75-7667308adee2'     |
| id                      | 664489d1-f15f-4990-99eb-b53ad21f673a                 |
| ip_allocation           | None                                                 |
| location                | Munch({'cloud': '', 'region_name': 'RegionOne',      |
|                         | 'zone': None, 'project': Munch({'id':                |
|                         | 'f6cfa1cd01fa4486b6b5f54231a8ac14', 'name': 'admin', |
|                         | 'domain_id': 'default', 'domain_name': None})})      |
| mac_address             | fa:16:3e:d7:35:8a                                    |
| name                    |                                                      |
| network_id              | f1f3d967-26db-41b3-b6f6-1d5356e33a84                 |
| numa_affinity_policy    | None                                                 |
| port_security_enabled   | True                                                 |
| project_id              | f6cfa1cd01fa4486b6b5f54231a8ac14                     |
| propagate_uplink_status | None                                                 |
| qos_network_policy_id   | None                                                 |
| qos_policy_id           | None                                                 |
| resource_request        | None                                                 |
| revision_number         | 4                                                    |
| security_group_ids      | 72d69550-1140-4a49-8b9e-ed896ab9dff9                 |
| status                  | ACTIVE                                               |
| tags                    |                                                      |
| trunk_details           | None                                                 |
| updated_at              | 2022-01-21T11:32:21Z                                 |
+-------------------------+------------------------------------------------------+
[root@devstack ~]#
[root@devstack ~]# openstack security group rule list 72d69550-1140-4a49-8b9e-ed896ab9dff9
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| 10634cea-baa3-44ab-8f47-69df7c3de7b4 | None        | IPv6      | ::/0      |            | ingress   | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None                 |
| 137df694-615b-4540-8ca5-63b70f04e23d | None        | IPv6      | ::/0      |            | ingress   | None                                 | None                 |
| 1e1d88e9-55a7-469c-bfdf-f306b85ea322 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 | None                 |
| 38f2ed6a-6360-438e-90ee-78f4745efa45 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None                 |
| 523b3f1d-6a54-45cd-b084-3501da20bcd7 | None        | IPv6      | ::/0      |            | egress    | None                                 | None                 |
| 82f511ff-b685-4247-87d3-b3d430f89b22 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
[root@devstack ~]#
Tcpdump for the external physical interface (you can see the RA messages here):
[root@devstack ~]# tcpdump -nnn -e -i eth0 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:53.164055 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
^C
[root@devstack ~]#
Tcpdump for the VM's tap interface (no RA messages):
[root@devstack ~]# tcpdump -nnn -e -i tap664489d1-f1 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap664489d1-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
[root@devstack ~]#
I guess ICMPV6_TYPE_RA is not included in ICMPV6_ALLOWED_INGRESS_TYPES after commit [1], so the RA rule is not added to br-int in the `_initialize_ingress_ipv6_icmp` function [2].
Also I've found that the `openvswitch` driver doesn't use port['security_group_rules'] from [3] at all.
It seems to me that some logic has been lost in the code for the `openvswitch` driver.
[1] https://opendev.org/openstack/neutron/commit/157c5c261d95e40f2916f0cb91f3d529f2490457
[2] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/agent/linux/openvswitch_firewall/firewall.py#L1347
[3] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/db/securitygroups_rpc_base.py#L360
** Affects: neutron
Importance: Undecided
Status: New
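An added diagnostic example (not from the report and not Neutron code) that parses the `tcpdump -nnn -e` output format shown above for both interfaces and lists the unicast RAs that appear upstream but never reach the VM's tap. The capture samples are constructed in that format; one multicast RA not present in the original captures is included so that the two delivery types, told apart by the destination MAC, are both exercised.

```python
import re
from collections import Counter

# Constructed samples in the `tcpdump -nnn -e` format of the report: upstream carries two
# unicast RAs for the VM plus one multicast RA; the tap sees only the multicast one.
UPSTREAM_CAPTURE = """\
11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:50.100000 fa:16:3e:f6:83:3d > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > ff02::1: ICMP6, router advertisement, length 56
"""
TAP_CAPTURE = """\
11:42:50.100321 fa:16:3e:f6:83:3d > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > ff02::1: ICMP6, router advertisement, length 56
"""

# One ICMPv6 frame as printed by `tcpdump -nnn -e`; the kind is tcpdump's message name.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv6 \(0x86dd\), length \d+: (?P<sip>\S+) > (?P<dip>\S+): "
    r"ICMP6, (?P<kind>[^,]+),")

def parse_capture(text):
    """Parse ICMPv6 frames out of `tcpdump -nnn -e` output; other lines are skipped."""
    frames = [m.groupdict() for m in map(FRAME_RE.match, text.splitlines()) if m]
    for f in frames:  # 33:33:xx:xx:xx:xx is the Ethernet prefix of IPv6 multicast
        f["multicast"] = f["dmac"].startswith("33:33:")
    return frames

def ra_summary(frames):
    """Count router advertisements by delivery type (unicast vs multicast)."""
    return Counter("multicast" if f["multicast"] else "unicast"
                   for f in frames if f["kind"] == "router advertisement")

def missing_unicast_ras(upstream, tap, vm_mac):
    """RAs unicast to vm_mac seen upstream but not on the tap; each tap RA from the
    same router to the same destination accounts for one upstream RA."""
    available = Counter((f["smac"], f["dip"]) for f in tap if f["kind"] == "router advertisement")
    missing = []
    for f in upstream:
        if f["kind"] != "router advertisement" or f["dmac"].lower() != vm_mac.lower():
            continue
        key = (f["smac"], f["dip"])
        if available[key] > 0:
            available[key] -= 1
        else:
            missing.append(f)
    return missing

if __name__ == "__main__":
    up, tap = parse_capture(UPSTREAM_CAPTURE), parse_capture(TAP_CAPTURE)
    print("upstream:", dict(ra_summary(up)), "tap:", dict(ra_summary(tap)))
    for f in missing_unicast_ras(up, tap, "fa:16:3e:d7:35:8a"):
        print(f"{f['ts']} unicast RA {f['sip']} > {f['dip']} did not reach the tap")
```

Feed it the real captures from both interfaces (one `tcpdump -nnn -e` per side, same time window) and an empty result means the filter is passing unicast RAs for that port.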
--
https://bugs.launchpad.net/bugs/1958643
Title:
Unicast RA messages for a VM are filtered out by ovs rules
Status in neutron:
New