yahoo-eng-team team mailing list archive

[Bug 1958643] Re: Unicast RA messages for a VM are filtered out by ovs rules


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/827159
Committed: https://opendev.org/openstack/neutron/commit/0d233041206434b91e5f2d1f00593e592019a99d
Submitter: "Zuul (22348)"
Branch:    master

commit 0d233041206434b91e5f2d1f00593e592019a99d
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Mon Jan 31 17:26:01 2022 +0000

    [OVS] Add IPv6 ICMP RA to the default ingress rules
    
    "ICMPV6_TYPE_RA" was removed from "ICMPV6_ALLOWED_INGRESS_TYPES"
    because of a bug in the iptables firewall (described in the LP
    bug). This rule was added in "_add_ingress_ra_rule" to
    port["security_group_rules"]. However, the OVS firewall does not
    use this rule list but builds the default rules from scratch.
    
    Closes-Bug: #1958643
    Change-Id: I53ee3c87ab2a6306b31fc3387b706d8296031a14


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1958643

Title:
  Unicast RA messages for a VM are filtered out by ovs rules

Status in neutron:
  Fix Released

Bug description:
  I ran into a problem where unicast RA messages are not accepted by the openflow rules.
  In my configuration I'm using the radvd daemon to send RA messages in my IPv6 network.
  Here is a config of radvd with the `clients` directive to turn off multicast messages:

  [root@radvd ~]# cat /etc/radvd.conf
  interface br-eth0
  {
      AdvSendAdvert on;
      MinRtrAdvInterval 3;
      MaxRtrAdvInterval 5;
      prefix 2001:db8:123::/64
      {
          AdvOnLink on;
          AdvAutonomous on;
          AdvRouterAddr off;
      };
      clients
      {
          fe80::f816:3eff:fed7:358a;
      };
  };
  [root@radvd ~]#

  I use a devstack installation with Neutron from the master branch.
  I've created a virtual flat network with dual stack: IPv4 and IPv6 subnets.
  The IPv6 subnet has the SLAAC address mode.
  And I created a VM to test IPv6 address assignment inside the VM.
  But the RA message doesn't reach the VM.

  VM/port/security group rules:

  [root@devstack ~]# openstack server list
  +--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
  | ID                                   | Name | Status | Networks                                                 | Image                                   | Flavor   |
  +--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
  | 332942be-0869-403f-9aba-386f88b9bc9d | test | ACTIVE | public=10.136.17.163, 2001:db8:123:0:f816:3eff:fed7:358a | CentOS-7-x86_64-GenericCloud-2009.qcow2 | m1.small |
  +--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
  [root@devstack ~]#
  [root@devstack ~]# openstack port show 664489d1-f15f-4990-99eb-b53ad21f673a
  +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field                   | Value                                                                                                                                                                                      |
  +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | admin_state_up          | UP                                                                                                                                                                                         |
  | allowed_address_pairs   |                                                                                                                                                                                            |
  | binding_host_id         | devstack                                                                                                                                                                                   |
  | binding_profile         |                                                                                                                                                                                            |
  | binding_vif_details     | bridge_name='br-int', connectivity='l2', datapath_type='system', ovs_hybrid_plug='False', port_filter='True'                                                                               |
  | binding_vif_type        | ovs                                                                                                                                                                                        |
  | binding_vnic_type       | normal                                                                                                                                                                                     |
  | created_at              | 2022-01-21T11:32:19Z                                                                                                                                                                       |
  | data_plane_status       | None                                                                                                                                                                                       |
  | description             |                                                                                                                                                                                            |
  | device_id               | 332942be-0869-403f-9aba-386f88b9bc9d                                                                                                                                                       |
  | device_owner            | compute:nova                                                                                                                                                                               |
  | device_profile          | None                                                                                                                                                                                       |
  | dns_assignment          | None                                                                                                                                                                                       |
  | dns_domain              | None                                                                                                                                                                                       |
  | dns_name                | None                                                                                                                                                                                       |
  | extra_dhcp_opts         |                                                                                                                                                                                            |
  | fixed_ips               | ip_address='10.136.17.163', subnet_id='6d9a7fb5-5c1b-4759-b32b-5720b5cedbf4'                                                                                                               |
  |                         | ip_address='2001:db8:123:0:f816:3eff:fed7:358a', subnet_id='410b7327-12c9-4085-9c75-7667308adee2'                                                                                          |
  | id                      | 664489d1-f15f-4990-99eb-b53ad21f673a                                                                                                                                                       |
  | ip_allocation           | None                                                                                                                                                                                       |
  | location                | Munch({'cloud': '', 'region_name': 'RegionOne', 'zone': None, 'project': Munch({'id': 'f6cfa1cd01fa4486b6b5f54231a8ac14', 'name': 'admin', 'domain_id': 'default', 'domain_name': None})}) |
  | mac_address             | fa:16:3e:d7:35:8a                                                                                                                                                                          |
  | name                    |                                                                                                                                                                                            |
  | network_id              | f1f3d967-26db-41b3-b6f6-1d5356e33a84                                                                                                                                                       |
  | numa_affinity_policy    | None                                                                                                                                                                                       |
  | port_security_enabled   | True                                                                                                                                                                                       |
  | project_id              | f6cfa1cd01fa4486b6b5f54231a8ac14                                                                                                                                                           |
  | propagate_uplink_status | None                                                                                                                                                                                       |
  | qos_network_policy_id   | None                                                                                                                                                                                       |
  | qos_policy_id           | None                                                                                                                                                                                       |
  | resource_request        | None                                                                                                                                                                                       |
  | revision_number         | 4                                                                                                                                                                                          |
  | security_group_ids      | 72d69550-1140-4a49-8b9e-ed896ab9dff9                                                                                                                                                       |
  | status                  | ACTIVE                                                                                                                                                                                     |
  | tags                    |                                                                                                                                                                                            |
  | trunk_details           | None                                                                                                                                                                                       |
  | updated_at              | 2022-01-21T11:32:21Z                                                                                                                                                                       |
  +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  [root@devstack ~]#
  [root@devstack ~]# openstack security group rule list 72d69550-1140-4a49-8b9e-ed896ab9dff9
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
  | ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                | Remote Address Group |
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
  | 10634cea-baa3-44ab-8f47-69df7c3de7b4 | None        | IPv6      | ::/0      |            | ingress   | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None                 |
  | 137df694-615b-4540-8ca5-63b70f04e23d | None        | IPv6      | ::/0      |            | ingress   | None                                 | None                 |
  | 1e1d88e9-55a7-469c-bfdf-f306b85ea322 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 | None                 |
  | 38f2ed6a-6360-438e-90ee-78f4745efa45 | None        | IPv4      | 0.0.0.0/0 |            | ingress   | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None                 |
  | 523b3f1d-6a54-45cd-b084-3501da20bcd7 | None        | IPv6      | ::/0      |            | egress    | None                                 | None                 |
  | 82f511ff-b685-4247-87d3-b3d430f89b22 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 | None                 |
  +--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
  [root@devstack ~]#


  Tcpdump for the external physical interface (you can see RA messages
  are here):

  [root@devstack ~]# tcpdump -nnn -e -i eth0 'icmp6 && ip6[40] == 134'
  dropped privs to tcpdump
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
  11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
  11:42:53.164055 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
  ^C
  [root@devstack ~]#

  
  Tcpdump for VM's tap interface (no RA messages):

  [root@devstack ~]# tcpdump -nnn -e -i tap664489d1-f1 'icmp6 && ip6[40] == 134'
  dropped privs to tcpdump
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on tap664489d1-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
  ^C
  [root@devstack ~]#

  
  I guess ICMPV6_TYPE_RA is not included in ICMPV6_ALLOWED_INGRESS_TYPES after commit [1],
  so the RA rule is not added to br-int in the `_initialize_ingress_ipv6_icmp` function [2].
  Also I've found that the `openvswitch` driver doesn't use port['security_group_rules'] from [3] at all.
  It seems to me that some logic has been lost in the code for the `openvswitch` driver.

  
  [1] https://opendev.org/openstack/neutron/commit/157c5c261d95e40f2916f0cb91f3d529f2490457
  [2] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/agent/linux/openvswitch_firewall/firewall.py#L1347
  [3] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/db/securitygroups_rpc_base.py#L360
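The mechanism behind this report, as an added Python model that is not neutron's code: the OVS firewall driver emits one ingress accept flow per entry of its allowed ICMPv6 type tuple, so a unicast RA (type 134) to the VM's MAC matches nothing and hits the table's drop once 134 is absent. The tuple contents here are an assumption standing in for ICMPV6_ALLOWED_INGRESS_TYPES, and the sample line is the first RA from the eth0 capture above.

```python
import re
from typing import Dict, Iterable, List, Optional

# ICMPv6 type numbers (RFC 4443 / RFC 4861).
ICMPV6_TYPE_MLD_QUERY, ICMPV6_TYPE_RS, ICMPV6_TYPE_RA = 130, 133, 134
ICMPV6_TYPE_NS, ICMPV6_TYPE_NA = 135, 136

# Assumed stand-ins for ICMPV6_ALLOWED_INGRESS_TYPES before and after the fix;
# the real tuples may differ, the only point is whether 134 is present.
ALLOWED_INGRESS_BEFORE_FIX = (ICMPV6_TYPE_MLD_QUERY, ICMPV6_TYPE_RS,
                              ICMPV6_TYPE_NS, ICMPV6_TYPE_NA)
ALLOWED_INGRESS_AFTER_FIX = ALLOWED_INGRESS_BEFORE_FIX + (ICMPV6_TYPE_RA,)

# Message names as tcpdump prints them, mapped to the ICMPv6 type number.
TCPDUMP_NAMES = {"router solicitation": ICMPV6_TYPE_RS,
                 "router advertisement": ICMPV6_TYPE_RA,
                 "neighbor solicitation": ICMPV6_TYPE_NS,
                 "neighbor advertisement": ICMPV6_TYPE_NA}

LINE_RE = re.compile(r"^\S+ (?P<dl_src>[0-9a-f:]{17}) > (?P<dl_dst>[0-9a-f:]{17}),"
                     r" ethertype IPv6 .*: ICMP6, (?P<msg>[a-z ]+), length")

# Copied from the eth0 capture in the report (VM MAC fa:16:3e:d7:35:8a).
VM_MAC = "fa:16:3e:d7:35:8a"
SAMPLE_RA_LINE = ("11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 "
                  "(0x86dd), length 110: fe80::f816:3eff:fef6:833d > "
                  "fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56")


def parse_tcpdump_line(line: str) -> Optional[Dict[str, object]]:
    """Pull Ethernet addresses and the ICMPv6 type out of one 'tcpdump -e -nnn' line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("msg") not in TCPDUMP_NAMES:
        return None
    return {"dl_src": m.group("dl_src"), "dl_dst": m.group("dl_dst"),
            "icmp_type": TCPDUMP_NAMES[m.group("msg")]}


def build_ingress_icmpv6_flows(port_mac: str, allowed_types: Iterable[int]) -> List[Dict[str, object]]:
    """One accept flow per allowed type for this port, as the driver's default ingress
    ICMPv6 rules do; the table's fallthrough is a drop, so other types never reach the VM."""
    return [{"dl_dst": port_mac, "icmp_type": t, "actions": "output_to_port"} for t in allowed_types]


def ingress_verdict(flows: List[Dict[str, object]], pkt: Dict[str, object]) -> str:
    """Simulated table lookup: the matching flow's action, or 'drop' when nothing matches."""
    for flow in flows:
        if flow["dl_dst"] == pkt["dl_dst"] and flow["icmp_type"] == pkt["icmp_type"]:
            return str(flow["actions"])
    return "drop"
```

Running `ingress_verdict` with the before-fix tuple reproduces the empty tap capture above; with the after-fix tuple the same RA is delivered to the port.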

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1958643/+subscriptions