yahoo-eng-team team mailing list archive

[Bug 1818960] [NEW] IPv6 not working with iptables

 

Public bug reported:

Hi,

Running rocky on Ubuntu 18.04 deployed by juju, using ML2, ovs,
iptables. IPv6 appears to be broken because of missing MARK-related
rules in the qrouter netns.

The iptables and ip6tables rules generated by neutron are
https://pastebin.ubuntu.com/p/S32TQcmTzX/

For egress (traffic leaving an instance) to work, the following additional rule is needed:
sudo ip6tables -t mangle -I neutron-l3-agent-POSTROUTING -o qg-45ba891c-4c -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000

The following patch should fix the problem:
https://pastebin.ubuntu.com/p/RpbYBjCVnp/ (sorry, I don't have time
right now to update the tests for a proper merge request)


For ingress, the following is needed:
sudo ip6tables -t mangle -A neutron-l3-agent-scope -i qg-45ba891c-4c -j MARK --set-xmark 0x4000000/0xffff0000

I haven't had the time to dig out where exactly in the code the bug is.


Is IPv6 working for anyone with this setup? Are these commands the right fix? (I'm just mimicking what IPv4 does.)

I've looked at unit tests for my patch above, and IPv6 testing is
extremely limited.

My IPv6 subnet got created with:
$ openstack subnet create --network net_instances --ip-version 6 --ipv6-address-mode=slaac --ipv6-ra-mode=slaac --allocation-pool start=<ipv6start>,end=<ipv6end> --subnet-range <ipv6net>::/64 --gateway <ipv6gateway> subnet_instances_v6

Thanks

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1818960

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1818960/+subscriptions
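Added example, not from the report or from neutron itself: a small check that takes `ip6tables-save -t mangle` output captured from the qrouter namespace (the two sample tables below are constructed, modelled on the rules quoted in the report) and reports whether the ingress MARK rule in neutron-l3-agent-scope and the egress CONNMARK --save-mark rule in neutron-l3-agent-POSTROUTING are present for a given gateway interface. The interface name qg-45ba891c-4c and the 0xffff0000 scope mask are taken from the report.

```python
import shlex

# Constructed sample of `ip6tables-save -t mangle` output, modelled on the
# report's rules; qg-45ba891c-4c is the gateway interface named in the report.
BROKEN = """\
*mangle
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-scope - [0:0]
-A neutron-l3-agent-scope -i qr-11111111-11 -j MARK --set-xmark 0x4000000/0xffff0000
COMMIT
"""
# The same table after adding the two rules quoted in the report.
FIXED = BROKEN.replace("COMMIT", (
    "-A neutron-l3-agent-scope -i qg-45ba891c-4c -j MARK --set-xmark 0x4000000/0xffff0000\n"
    "-A neutron-l3-agent-POSTROUTING -o qg-45ba891c-4c -m connmark --mark 0x0/0xffff0000"
    " -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000\nCOMMIT"))

def parse_rules(save_output):
    """Turn each '-A <chain> ...' line into (chain, {option: value-or-True})."""
    rules = []
    for line in save_output.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        opts, i = {}, 2
        while i < len(toks):
            # An option takes the next token as its value unless that token is itself an option.
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                opts[toks[i]] = True  # valueless flag, e.g. --save-mark
                i += 1
        rules.append((toks[1], opts))
    return rules

def missing_scope_rules(save_output, gw_iface):
    """Return the names of the address-scope mark rules absent for gw_iface."""
    rules = parse_rules(save_output)
    ingress = any(chain == "neutron-l3-agent-scope" and o.get("-i") == gw_iface
                  and o.get("-j") == "MARK"
                  and o.get("--set-xmark", "").endswith("/0xffff0000")
                  for chain, o in rules)
    egress = any(chain == "neutron-l3-agent-POSTROUTING" and o.get("-o") == gw_iface
                 and o.get("-j") == "CONNMARK" and o.get("--save-mark") is True
                 and o.get("--nfmask") == "0xffff0000"
                 for chain, o in rules)
    return [name for ok, name in ((ingress, "ingress MARK in neutron-l3-agent-scope"),
                                  (egress, "egress CONNMARK --save-mark in neutron-l3-agent-POSTROUTING"))
            if not ok]
```

Run it against real output with `sudo ip netns exec qrouter-<id> ip6tables-save -t mangle` piped into `missing_scope_rules`; an empty list means both rules are in place for that interface.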
