yahoo-eng-team team mailing list archive
Message #74776
[Bug 1789403] Re: ip6tables rules for PD subnets not fully recreated at l3-agent restart
Reviewed: https://review.openstack.org/597710
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d19dcf1ef2f8e4b837e57dfef4ed1580c5d1e7b7
Submitter: Zuul
Branch: master
commit d19dcf1ef2f8e4b837e57dfef4ed1580c5d1e7b7
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date: Wed Aug 29 17:06:59 2018 -0400
Fix IPv6 prefix delegation issue on agent restart
On l3-agent restart, prefix delegation subnets weren't always
inserted into the local router_info cache, leading to a missing
ip6tables rule. Add it when the internal network is configured
if the prefix has already been assigned.
Change-Id: Ic045e2763ba2772bcaf037591821501e84e40878
Closes-bug: #1789403
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1789403
Title:
ip6tables rules for PD subnets not fully recreated at l3-agent restart
Status in neutron:
Fix Released
Bug description:
Currently ip6tables in the qrouter namespace has the following rule.
This causes unmarked packets to drop.
-A neutron-l3-agent-scope -o qr-f4eceee5-a4 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
In a related bug (1570122) there was a problem that prefix-delegated
sub-nets did not get a rule setting this mark on traffic incoming on
the gateway port, and this traffic was thus dropped. Now, this seems
to work correctly when a user creates a subnet with IPv6 from PD. The
problem arises when the l3-agent restarts, or the router moves to
another l3-agent, as the rule marking the traffic is not recreated in
these cases. The result is the same symptoms as bug #1570122.
Adding the rule manually makes traffic flow again, for instance with the line:
$ ip6tables -t mangle -A neutron-l3-agent-scope -i qg-28f7e259-d2 -j MARK --set-xmark 0x4000000/0xffff0000
We are running the Queens release at the moment:
- neutron-l3-agent 2:12.0.2-0ubuntu1~cloud0
These bugs are a major obstacle for IPv6 in our clouds, as we cannot
deliver reliable transport of IPv6 packets when this rule is suddenly
missing.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1789403/+subscriptions
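Added example, not part of the original report or of the neutron code base: a check for the symptom described above, a DROP rule in the neutron-l3-agent-scope chain that requires a mark which no MARK rule on a gateway (qg-) port sets. The function names and the sample rule sets are constructed for illustration (the interface names and mark value are the ones quoted in the report), and treating "no qg- MARK rule for that mark" as the fault is an assumption that fits this bug, not a general rule for every address-scope setup.

```python
import shlex

CHAIN = "neutron-l3-agent-scope"

def parse_rules(rules_text, chain=CHAIN):
    """Return (drops, marks) from rule lines in ip6tables -S / ip6tables-save form.

    drops: (out_dev, mark) for rules that DROP packets NOT carrying mark.
    marks: (in_dev, mark) for rules that set mark with --set-xmark.
    Table headers, counters and other chains are ignored.
    """
    drops, marks = [], []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain] or "-j" not in tok[:-1]:
            continue
        target = tok[tok.index("-j") + 1]
        if target == "DROP" and "-o" in tok and "--mark" in tok:
            i = tok.index("--mark")
            if tok[i - 1] == "!":  # negated match: drop when mark is absent
                drops.append((tok[tok.index("-o") + 1], tok[i + 1].lower()))
        elif target == "MARK" and "-i" in tok and "--set-xmark" in tok:
            mark = tok[tok.index("--set-xmark") + 1].lower()
            marks.append((tok[tok.index("-i") + 1], mark))
    return drops, marks

def unmarked_drops(rules_text):
    """DROP rules whose required mark is set by no MARK rule on a qg- port."""
    drops, marks = parse_rules(rules_text)
    gateway_marks = {mark for dev, mark in marks if dev.startswith("qg-")}
    return [(dev, mark) for dev, mark in drops if mark not in gateway_marks]

# Constructed sample: state after an l3-agent restart, gateway MARK rule missing.
AFTER_RESTART = """\
-A neutron-l3-agent-scope -o qr-f4eceee5-a4 -m mark ! --mark 0x4000000/0xffff0000 -j DROP
-A neutron-l3-agent-scope -i qr-f4eceee5-a4 -j MARK --set-xmark 0x4000000/0xffff0000
"""
# Constructed sample: same rules plus the manual workaround from the report.
WITH_WORKAROUND = AFTER_RESTART + (
    "-A neutron-l3-agent-scope -i qg-28f7e259-d2 -j MARK "
    "--set-xmark 0x4000000/0xffff0000\n"
)

if __name__ == "__main__":
    for name, rules in (("after restart", AFTER_RESTART),
                        ("with workaround", WITH_WORKAROUND)):
        print(name, "->", unmarked_drops(rules) or "ok")
```

On a network node the input would be the ip6tables-save output taken inside the router's qrouter namespace; a non-empty result after an agent restart or router failover matches the failure reported here.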