yahoo-eng-team team mailing list archive
Message #88257
[Bug 1958643] Re: Unicast RA messages for a VM are filtered out by ovs rules
Reviewed: https://review.opendev.org/c/openstack/neutron/+/827159
Committed: https://opendev.org/openstack/neutron/commit/0d233041206434b91e5f2d1f00593e592019a99d
Submitter: "Zuul (22348)"
Branch: master
commit 0d233041206434b91e5f2d1f00593e592019a99d
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date: Mon Jan 31 17:26:01 2022 +0000
[OVS] Add IPv6 ICMP RA to the default ingress rules
"ICMPV6_TYPE_RA" was removed from "ICMPV6_ALLOWED_INGRESS_TYPES"
because of a bug in the iptables firewall (described in the LP
bug). This rule was added in "_add_ingress_ra_rule" to
port["security_group_rules"]. However, the OVS firewall does not
use this rule list but builds the default rules from scratch.
Closes-Bug: #1958643
Change-Id: I53ee3c87ab2a6306b31fc3387b706d8296031a14
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1958643
Title:
Unicast RA messages for a VM are filtered out by ovs rules
Status in neutron:
Fix Released
Bug description:
I ran into a problem where unicast RA messages are not accepted by OpenFlow rules.
In my configuration I'm using the radvd daemon to send RA messages in my IPv6 network.
Here is a config of radvd with the `clients` directive to turn off multicast messages:
[root@radvd ~]# cat /etc/radvd.conf
interface br-eth0
{
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 5;
prefix 2001:db8:123::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
};
clients
{
fe80::f816:3eff:fed7:358a;
};
};
[root@radvd ~]#
I use a devstack installation with Neutron from the master branch.
I've created a virtual flat network with dual stack: IPv4 and IPv6 subnets.
The IPv6 subnet has SLAAC address mode.
I also created a VM to test IPv6 address assignment inside the VM.
But the RA message doesn't reach the VM.
VM/port/security group rules:
[root@devstack ~]# openstack server list
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
| 332942be-0869-403f-9aba-386f88b9bc9d | test | ACTIVE | public=10.136.17.163, 2001:db8:123:0:f816:3eff:fed7:358a | CentOS-7-x86_64-GenericCloud-2009.qcow2 | m1.small |
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
[root@devstack ~]#
[root@devstack ~]# openstack port show 664489d1-f15f-4990-99eb-b53ad21f673a
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | devstack |
| binding_profile | |
| binding_vif_details | bridge_name='br-int', connectivity='l2', datapath_type='system', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2022-01-21T11:32:19Z |
| data_plane_status | None |
| description | |
| device_id | 332942be-0869-403f-9aba-386f88b9bc9d |
| device_owner | compute:nova |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='10.136.17.163', subnet_id='6d9a7fb5-5c1b-4759-b32b-5720b5cedbf4' |
| | ip_address='2001:db8:123:0:f816:3eff:fed7:358a', subnet_id='410b7327-12c9-4085-9c75-7667308adee2' |
| id | 664489d1-f15f-4990-99eb-b53ad21f673a |
| ip_allocation | None |
| location | Munch({'cloud': '', 'region_name': 'RegionOne', 'zone': None, 'project': Munch({'id': 'f6cfa1cd01fa4486b6b5f54231a8ac14', 'name': 'admin', 'domain_id': 'default', 'domain_name': None})}) |
| mac_address | fa:16:3e:d7:35:8a |
| name | |
| network_id | f1f3d967-26db-41b3-b6f6-1d5356e33a84 |
| numa_affinity_policy | None |
| port_security_enabled | True |
| project_id | f6cfa1cd01fa4486b6b5f54231a8ac14 |
| propagate_uplink_status | None |
| qos_network_policy_id | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 4 |
| security_group_ids | 72d69550-1140-4a49-8b9e-ed896ab9dff9 |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2022-01-21T11:32:21Z |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@devstack ~]#
[root@devstack ~]# openstack security group rule list 72d69550-1140-4a49-8b9e-ed896ab9dff9
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| 10634cea-baa3-44ab-8f47-69df7c3de7b4 | None | IPv6 | ::/0 | | ingress | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None |
| 137df694-615b-4540-8ca5-63b70f04e23d | None | IPv6 | ::/0 | | ingress | None | None |
| 1e1d88e9-55a7-469c-bfdf-f306b85ea322 | None | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| 38f2ed6a-6360-438e-90ee-78f4745efa45 | None | IPv4 | 0.0.0.0/0 | | ingress | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None |
| 523b3f1d-6a54-45cd-b084-3501da20bcd7 | None | IPv6 | ::/0 | | egress | None | None |
| 82f511ff-b685-4247-87d3-b3d430f89b22 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
[root@devstack ~]#
Tcpdump for the external physical interface (you can see the RA messages here):
[root@devstack ~]# tcpdump -nnn -e -i eth0 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:53.164055 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
^C
[root@devstack ~]#
Tcpdump for VM's tap interface (no RA messages):
[root@devstack ~]# tcpdump -nnn -e -i tap664489d1-f1 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap664489d1-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
[root@devstack ~]#
I guess ICMPV6_TYPE_RA is not included in ICMPV6_ALLOWED_INGRESS_TYPES after commit [1],
so the RA rule is not added to br-int in the `_initialize_ingress_ipv6_icmp` function [2].
Also I've found that the `openvswitch` driver doesn't use port['security_group_rules'] from [3] at all.
It seems to me that some logic has been lost in the code for the `openvswitch` driver.
[1] https://opendev.org/openstack/neutron/commit/157c5c261d95e40f2916f0cb91f3d529f2490457
[2] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/agent/linux/openvswitch_firewall/firewall.py#L1347
[3] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/db/securitygroups_rpc_base.py#L360
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1958643/+subscriptions
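Added here as an example, not code from the bug report or from neutron: a diagnostic that parses the two tcpdump captures of the kind shown above (constructed copies of the report's output) and counts unicast RAs that reached eth0 but never the VM's tap, plus a simplified, hypothetical allow-list model showing why adding type 134 to the default ingress types fixes it. The allow-list tuples and all function names are assumptions, not neutron's own constants or API.

```python
import re

# ICMPv6 type numbers (RFC 4861); tcpdump's 'ip6[40] == 134' filter in the report
# matches byte 40 of the IPv6 packet, the ICMPv6 type, i.e. router advertisements.
ICMPV6_TYPE_RA, ICMPV6_TYPE_NS, ICMPV6_TYPE_NA = 134, 135, 136

# Hypothetical, simplified model of a firewall's default ICMPv6 ingress allow-list
# (not neutron's real constants). The bug: type 134 was missing, so unicast RAs to
# the VM's MAC were dropped even though the security group allowed all IPv6 ingress.
ALLOWED_INGRESS_BEFORE_FIX = (ICMPV6_TYPE_NS, ICMPV6_TYPE_NA)
ALLOWED_INGRESS_AFTER_FIX = ALLOWED_INGRESS_BEFORE_FIX + (ICMPV6_TYPE_RA,)

def passes_default_ingress(icmpv6_type, allowed_types):
    """True if an ICMPv6 message of this type passes the default ingress rules."""
    return icmpv6_type in allowed_types

# One 'tcpdump -nnn -e' line per frame, in the shape shown in the report.
_LINE = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype IPv6 "
                   r".*ICMP6, (?P<msg>router advertisement|neighbor (?:solicitation|advertisement))")
_MSG_TYPE = {"router advertisement": ICMPV6_TYPE_RA,
             "neighbor solicitation": ICMPV6_TYPE_NS,
             "neighbor advertisement": ICMPV6_TYPE_NA}

def parse_capture(text):
    """Return [(src_mac, dst_mac, icmpv6_type)] for every recognised frame."""
    return [(m["src"], m["dst"], _MSG_TYPE[m["msg"]])
            for m in map(_LINE.match, text.splitlines()) if m]

def missing_on_tap(phys_capture, tap_capture, port_mac, icmpv6_type=ICMPV6_TYPE_RA):
    """Frames of the given type addressed to port_mac that were seen on the physical
    NIC but not on the VM's tap; a positive count means the firewall drops them."""
    def count(text):
        return sum(1 for _, dst, t in parse_capture(text)
                   if dst == port_mac and t == icmpv6_type)
    return max(count(phys_capture) - count(tap_capture), 0)

# Constructed captures modelled on the report: two unicast RAs on eth0, only an NS on the tap.
PHYS_CAPTURE = """\
11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
"""
TAP_CAPTURE = """\
11:42:47.000000 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 86: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, neighbor solicitation, who has fe80::f816:3eff:fed7:358a, length 32
"""

if __name__ == "__main__":
    print("unicast RAs dropped:", missing_on_tap(PHYS_CAPTURE, TAP_CAPTURE, "fa:16:3e:d7:35:8a"))
```

Running the same two captures after the fix should make the count drop to zero, which is the check to repeat once the patched agent is deployed.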