Reviewed:  https://review.opendev.org/c/openstack/neutron/+/827159
Committed: https://opendev.org/openstack/neutron/commit/0d233041206434b91e5f2d1f00593e592019a99d
Submitter: "Zuul (22348)"
Branch:    master
commit 0d233041206434b91e5f2d1f00593e592019a99d
Author: Rodolfo Alonso Hernandez <[email protected]>
Date:   Mon Jan 31 17:26:01 2022 +0000

    [OVS] Add IPv6 ICMP RA to the default ingress rules

    "ICMPV6_TYPE_RA" was removed from "ICMPV6_ALLOWED_INGRESS_TYPES" because
    of a bug in the iptables firewall (described in the LP bug). This rule
    was added in "_add_ingress_ra_rule" to port["security_group_rules"].
    However, the OVS firewall does not use this rule list but builds the
    default rules from scratch.

    Closes-Bug: #1958643
    Change-Id: I53ee3c87ab2a6306b31fc3387b706d8296031a14

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1958643

Title:
  Unicast RA messages for a VM are filtered out by ovs rules

Status in neutron:
  Fix Released

Bug description:
  I ran into a problem where unicast RA messages are not accepted by openflow rules.

  In my configuration I'm using the radvd daemon to send RA messages in my IPv6 network. Here is a config of radvd with the `clients` directive to turn off multicast messages:

  [root@radvd ~]# cat /etc/radvd.conf
  interface br-eth0
  {
      AdvSendAdvert on;
      MinRtrAdvInterval 3;
      MaxRtrAdvInterval 5;
      prefix 2001:db8:123::/64
      {
          AdvOnLink on;
          AdvAutonomous on;
          AdvRouterAddr off;
      };
      clients
      {
          fe80::f816:3eff:fed7:358a;
      };
  };
  [root@radvd ~]#

  I use a devstack installation with Neutron from the master branch. I've created a virtual flat network with dual stack: IPv4 and IPv6 subnets. The IPv6 subnet has the SLAAC address mode. And I created a VM to test IPv6 address assignment inside the VM. But the RA messages don't reach the VM.
  VM/port/security group rules:

  [root@devstack ~]# openstack server list
  +--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
  | ID                                   | Name | Status | Networks                                                 | Image                                   | Flavor   |
  +--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
  | 332942be-0869-403f-9aba-386f88b9bc9d | test | ACTIVE | public=10.136.17.163, 2001:db8:123:0:f816:3eff:fed7:358a | CentOS-7-x86_64-GenericCloud-2009.qcow2 | m1.small |
  +--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
  [root@devstack ~]#

  [root@devstack ~]# openstack port show 664489d1-f15f-4990-99eb-b53ad21f673a
  +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field                   | Value                                                                                                                                                                                      |
  +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | admin_state_up          | UP                                                                                                                                                                                         |
  | allowed_address_pairs   |                                                                                                                                                                                            |
  | binding_host_id         | devstack                                                                                                                                                                                   |
  | binding_profile         |                                                                                                                                                                                            |
  | binding_vif_details     | bridge_name='br-int', connectivity='l2', datapath_type='system', ovs_hybrid_plug='False', port_filter='True'                                                                               |
  | binding_vif_type        | ovs                                                                                                                                                                                        |
  | binding_vnic_type       | normal                                                                                                                                                                                     |
  | created_at              | 2022-01-21T11:32:19Z                                                                                                                                                                       |
  | data_plane_status       | None                                                                                                                                                                                       |
  | description             |                                                                                                                                                                                            |
  | device_id               | 332942be-0869-403f-9aba-386f88b9bc9d                                                                                                                                                       |
  | device_owner            | compute:nova                                                                                                                                                                               |
  | device_profile          | None                                                                                                                                                                                       |
  | dns_assignment          | None                                                                                                                                                                                       |
  | dns_domain              | None                                                                                                                                                                                       |
  | dns_name                | None                                                                                                                                                                                       |
  | extra_dhcp_opts         |                                                                                                                                                                                            |
  | fixed_ips               | ip_address='10.136.17.163', subnet_id='6d9a7fb5-5c1b-4759-b32b-5720b5cedbf4'                                                                                                               |
  |                         | ip_address='2001:db8:123:0:f816:3eff:fed7:358a', subnet_id='410b7327-12c9-4085-9c75-7667308adee2'                                                                                          |
  | id                      | 664489d1-f15f-4990-99eb-b53ad21f673a                                                                                                                                                       |
  | ip_allocation           | None                                                                                                                                                                                       |
  | location                | Munch({'cloud': '', 'region_name': 'RegionOne', 'zone': None, 'project': Munch({'id': 'f6cfa1cd01fa4486b6b5f54231a8ac14', 'name': 'admin', 'domain_id': 'default', 'domain_name': None})}) |
  | mac_address             | fa:16:3e:d7:35:8a                                                                                                                                                                          |
  | name                    |                                                                                                                                                                                            |
  | network_id              | f1f3d967-26db-41b3-b6f6-1d5356e33a84                                                                                                                                                       |
  | numa_affinity_policy    | None                                                                                                                                                                                       |
  | port_security_enabled   | True                                                                                                                                                                                       |
  | project_id              | f6cfa1cd01fa4486b6b5f54231a8ac14                                                                                                                                                           |
  | propagate_uplink_status | None                                                                                                                                                                                       |
  | qos_network_policy_id   | None                                                                                                                                                                                       |
  | qos_policy_id           | None                                                                                                                                                                                       |
  | resource_request        | None                                                                                                                                                                                       |
  | revision_number         | 4                                                                                                                                                                                          |
  | security_group_ids      | 72d69550-1140-4a49-8b9e-ed896ab9dff9                                                                                                                                                       |
  | status                  | ACTIVE                                                                                                                                                                                     |
  | tags                    |                                                                                                                                                                                            |
  | trunk_details           | None                                                                                                                                                                                       |
  | updated_at              | 2022-01-21T11:32:21Z                                                                                                                                                                       |
  +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  [root@devstack ~]#

  [root@devstack ~]# openstack security group rule list 72d69550-1140-4a49-8b9e-ed896ab9dff9
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
  | ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                | Remote Address Group |
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
  | 10634cea-baa3-44ab-8f47-69df7c3de7b4 | None        | IPv6      | ::/0      |            | ingress   | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None                 |
  | 137df694-615b-4540-8ca5-63b70f04e23d | None        | IPv6      | ::/0      |            | ingress   | None                                 | None                 |
  | 1e1d88e9-55a7-469c-bfdf-f306b85ea322 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 | None                 |
  | 38f2ed6a-6360-438e-90ee-78f4745efa45 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None                 |
  | 523b3f1d-6a54-45cd-b084-3501da20bcd7 | None        | IPv6      | ::/0      |            | egress    | None                                 | None                 |
  | 82f511ff-b685-4247-87d3-b3d430f89b22 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 | None                 |
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
  [root@devstack ~]#

  Tcpdump for the external physical interface (you can see the RA messages are here):

  [root@devstack ~]# tcpdump -nnn -e -i eth0 'icmp6 && ip6[40] == 134'
  dropped privs to tcpdump
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
  11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
  11:42:53.164055 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
  ^C
  [root@devstack ~]#

  Tcpdump for the VM's tap interface (no RA messages):

  [root@devstack ~]# tcpdump -nnn -e -i tap664489d1-f1 'icmp6 && ip6[40] == 134'
  dropped privs to tcpdump
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on tap664489d1-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
  ^C
  [root@devstack ~]#

  I guess ICMPV6_TYPE_RA is not included in ICMPV6_ALLOWED_INGRESS_TYPES after commit [1], so the RA rule is not added to br-int in the `_initialize_ingress_ipv6_icmp` func [2].
  Also, I've found that the `openvswitch` driver doesn't use port['security_group_rules'] from [3] at all. It seems to me that some logic has been lost in the code for the `openvswitch` driver.

  [1] https://opendev.org/openstack/neutron/commit/157c5c261d95e40f2916f0cb91f3d529f2490457
  [2] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/agent/linux/openvswitch_firewall/firewall.py#L1347
  [3] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/db/securitygroups_rpc_base.py#L360
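The filtering behaviour the report and the commit message describe, as an added example that is neither neutron code nor the reporter's: a small Python model of the default ICMPv6 ingress allow-list applied to packets, where the ICMPv6 type is read the same way the report's tcpdump filter (`icmp6 && ip6[40] == 134`) reads it. The two allow-lists are assumed stand-ins for ICMPV6_ALLOWED_INGRESS_TYPES with and without ICMPV6_TYPE_RA, the packet builder and checksum code are this example's own, and the sample packets are constructed and only reuse the link-local addresses from the tcpdump output above.

```python
"""Model of the ICMPv6 ingress filtering described in the bug report.

Added example, not code from neutron or the reporter. ASSUMPTIONS: the two
allow-lists below are illustrative stand-ins for ICMPV6_ALLOWED_INGRESS_TYPES
with and without ICMPV6_TYPE_RA; the packets are constructed samples that
reuse the link-local addresses from the tcpdump output in the report.
"""
import ipaddress
import struct

# IANA-assigned ICMPv6 message types used by Neighbor Discovery and MLD
ICMPV6_TYPE_MLD_QUERY = 130
ICMPV6_TYPE_RA = 134          # Router Advertisement, the type the bug is about
ICMPV6_TYPE_NS = 135
ICMPV6_TYPE_NA = 136

IPPROTO_ICMPV6 = 58
IPV6_HEADER_LEN = 40

# ASSUMPTION: illustrative allow-lists, the buggy one (RA missing) and the fixed one
INGRESS_TYPES_WITHOUT_RA = frozenset({ICMPV6_TYPE_MLD_QUERY, ICMPV6_TYPE_NS, ICMPV6_TYPE_NA})
INGRESS_TYPES_WITH_RA = INGRESS_TYPES_WITHOUT_RA | {ICMPV6_TYPE_RA}


def _ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, upper_len: int) -> bytes:
    """IPv6 pseudo-header that the ICMPv6 checksum covers (RFC 8200 section 8.1)."""
    return src + dst + struct.pack("!I3xB", upper_len, IPPROTO_ICMPV6)


def build_icmpv6_packet(src: str, dst: str, icmp_type: int, body: bytes = b"") -> bytes:
    """Build a minimal IPv6 packet carrying one ICMPv6 message, no extension headers."""
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body  # checksum field zeroed while computing
    cksum = _ones_complement_checksum(_pseudo_header(src_b, dst_b, len(icmp)) + icmp)
    icmp = struct.pack("!BBH", icmp_type, 0, cksum) + body
    # version 6, traffic class 0, flow label 0; hop limit 255 as Neighbor Discovery requires
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + src_b + dst_b
    return ip6 + icmp


def verify_icmpv6_checksum(packet: bytes) -> bool:
    """True when the checksum verifies: the sum over pseudo-header plus message folds to zero."""
    src_b, dst_b, icmp = packet[8:24], packet[24:40], packet[40:]
    return _ones_complement_checksum(_pseudo_header(src_b, dst_b, len(icmp)) + icmp) == 0


def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type, or None when the packet is not plain ICMPv6-over-IPv6.

    Same test as the report's tcpdump filter 'icmp6 && ip6[40] == 134': the next
    header must be 58 and the type is the byte at offset 40. A packet with an
    extension header in front of ICMPv6 is reported as None, as that filter does.
    """
    if len(packet) < IPV6_HEADER_LEN + 4 or packet[0] >> 4 != 6:
        return None
    if packet[6] != IPPROTO_ICMPV6:
        return None
    return packet[IPV6_HEADER_LEN]


def ingress_allowed(packet: bytes, allowed_types) -> bool:
    """Model of the default ICMPv6 ingress rule: only the listed types reach the VM port."""
    icmp_type = icmpv6_type(packet)
    return icmp_type is not None and icmp_type in allowed_types


def dropped_types(packets, allowed_types):
    """ICMPv6 types present in a capture that the allow-list would silently drop."""
    return {icmpv6_type(p) for p in packets
            if icmpv6_type(p) is not None and not ingress_allowed(p, allowed_types)}


# Constructed samples using the link-local addresses from the report's tcpdump output
RADVD_LL = "fe80::f816:3eff:fef6:833d"
VM_LL = "fe80::f816:3eff:fed7:358a"
# RA body: cur hop limit, M/O flags, router lifetime, reachable time, retrans timer
RA_BODY = struct.pack("!BBHII", 64, 0, 1800, 0, 0)
UNICAST_RA = build_icmpv6_packet(RADVD_LL, VM_LL, ICMPV6_TYPE_RA, RA_BODY)
# NS body: reserved word followed by the target address
NS_TO_VM = build_icmpv6_packet(RADVD_LL, VM_LL, ICMPV6_TYPE_NS,
                               b"\x00" * 4 + ipaddress.IPv6Address(VM_LL).packed)

if __name__ == "__main__":
    capture = [UNICAST_RA, NS_TO_VM]
    print("dropped with RA missing from the list:", dropped_types(capture, INGRESS_TYPES_WITHOUT_RA))
    print("dropped with RA in the list:", dropped_types(capture, INGRESS_TYPES_WITH_RA))
```

Run stand-alone, the first line reports `{134}` and the second an empty set, which is the difference the reporter observed between the eth0 and tap captures: with RA absent from the allow-list a unicast RA is dropped while NS still passes. On a real host the equivalent check stays what the report does, capturing with the same filter on the physical interface and on the VM's tap and comparing.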

