yahoo-eng-team team mailing list archive

[Bug 1570122] [NEW] ipv6 prefix delegated subnets are not accessible external of the router they are attached.

 

Public bug reported:

Currently ip6tables in the qrouter namespace has the following rule.
This causes unmarked packets to drop.

-A neutron-l3-agent-scope -o qr-ca9ffa4f-fd -m mark ! --mark 0x4010000/0xffff0000 -j DROP

It seems that prefix delegated subnets don't get that mark set on
incoming traffic from the gateway port; I had to add my own rule to do
that.

ip6tables -t mangle -A neutron-l3-agent-scope -i qg-ac290c4b-4f -j MARK --set-xmark 0x4010000/0xffff0000

At the moment that is probably too permissive; it should likely be
limited based on the prefix delegated, with a '-d dead:beef:cafe::/64'
or whatever the delegation is (tested this and it does work).

** Affects: neutron
     Importance: Undecided
         Status: Confirmed


** Tags: ipv6 l3-ipam-dhcp

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570122


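The mark logic described in the report, as an added example that is not part of the original bug report or of neutron's code: a small model of `--set-xmark` and the `! --mark` match, run over constructed packets to compare no mark rule, the broad gateway rule, and the `-d`-scoped rule. The packet dictionaries, the helper names and the out-of-delegation address 2001:db8:1::10 are assumptions made for illustration.

```python
import ipaddress

# Mark value/mask and interface names are taken from the rules in the report.
SCOPE_MARK, SCOPE_MASK = 0x4010000, 0xFFFF0000
GW_IF, INTERNAL_IF = "qg-ac290c4b-4f", "qr-ca9ffa4f-fd"

def set_xmark(mark, value=SCOPE_MARK, mask=SCOPE_MASK):
    """MARK --set-xmark value/mask: zero the mask bits, then XOR in value."""
    return ((mark & ~mask) ^ value) & 0xFFFFFFFF

def apply_mark_rules(pkt, rules):
    """Run a packet through MARK rules; each rule is (in_if, dst_prefix_or_None)."""
    mark = pkt["mark"]
    for in_if, dst in rules:
        if pkt["in_if"] != in_if:
            continue
        if dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
            continue
        mark = set_xmark(mark)  # MARK is non-terminating, so keep evaluating
    return mark

def scope_verdict(pkt, mark):
    """Model of: -o qr-... -m mark ! --mark value/mask -j DROP."""
    if pkt["out_if"] == INTERNAL_IF and (mark & SCOPE_MASK) != SCOPE_MARK:
        return "DROP"
    return "PASS"  # the DROP rule did not match; later rules would still apply

# Constructed packets: arrive on the gateway port, routed out the internal port.
PACKETS = [
    {"in_if": GW_IF, "out_if": INTERNAL_IF, "dst": "dead:beef:cafe::10", "mark": 0},
    {"in_if": GW_IF, "out_if": INTERNAL_IF, "dst": "2001:db8:1::10", "mark": 0},
]

RULESETS = {
    "no mark rule": [],
    "mark all from gateway": [(GW_IF, None)],
    "mark delegated prefix only": [(GW_IF, "dead:beef:cafe::/64")],
}

def verdicts(name):
    """Verdict for each constructed packet under the named rule set."""
    return [scope_verdict(p, apply_mark_rules(p, RULESETS[name])) for p in PACKETS]

if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:28} {verdicts(name)}")
```
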
