[OVN] Unable to ping router from test IPV6 subnet

Bug #1928330 reported by Piotr Parczewski
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
| neutron | New    | Medium     | yatin       |           |

Bug Description

Steps to reproduce:

1) Create test network, IPv6 subnet in arbitrary mode, e.g. SLAAC;
2) Create test router and add an interface in the test subnet;
3) Create test instance and try to ping the router - it fails.

Sample OVN trace:

# ovn-trace piotr-geneve-ipv6-stateful 'inport == "9b6d8c19-ca57-4f0d-8af0-ee29642c6fb8" && eth.src == fa:16:3e:f5:aa:2a && eth.dst == fa:16:3e:6b:1b:79 && ip6.src == 2a01:49a0:112a::289 && ip6.dst == 2a01:49a0:112a::'

 0. ls_out_pre_lb (ovn-northd.c:5169): ip && outport == "7f82a5", priority 110, uuid 4cb710e8
    next;
 1. ls_out_pre_acl (ovn-northd.c:5169): ip && outport == "7f82a5", priority 110, uuid 65a121ee
    next;
 4. ls_out_acl_hint (ovn-northd.c:5486): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid 99195420
    reg0[8] = 1;
    reg0[10] = 1;
    next;
10. ls_out_port_sec_l2 (ovn-northd.c:5118): outport == "7f82a5", priority 50, uuid cc53fba5
    output;
    /* output to "7f82a5", type "patch" */

ingress(dp="test-router", inport="lrp-7f82a5")
----------------------------------------------
 0. lr_in_admission (ovn-northd.c:9556): eth.dst == fa:16:3e:6b:1b:79 && inport == "lrp-7f82a5", priority 50, uuid ba5e360d
    xreg0[0..47] = fa:16:3e:6b:1b:79;
    next;
 1. lr_in_lookup_neighbor (ovn-northd.c:9635): 1, priority 0, uuid 75a8a812
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (ovn-northd.c:9644): reg9[2] == 1, priority 100, uuid 72706c4a
    next;
 3. lr_in_ip_input (ovn-northd.c:10884): ip6 && ip6.dst == 2a01:49a0:112a:: && !ip.later_frag, priority 70, uuid 13d497b1
    icmp6 { eth.dst <-> eth.src; ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 1; icmp6.code = 3; next; };

icmp6
-----
    eth.dst <-> eth.src;
    ip6.dst <-> ip6.src;
    ip.ttl = 255;
    icmp6.type = 1;
    icmp6.code = 3;
    next;
10. lr_in_ip_routing (ovn-northd.c:8710): ip6.dst == 2a01:49a0:112a::/112, priority 225, uuid 57af3cd5
10. lr_in_ip_routing (ovn-northd.c:8710): ip6.dst == 2a01:49a0:112a::/112, priority 225, uuid 57af3cd5
    ip.ttl--;
    reg8[0..15] = 0;
    xxreg0 = ip6.dst;
    xxreg1 = 2a01:49a0:112a::;
    eth.src = fa:16:3e:6b:1b:79;
    outport = "lrp-7f82a5";
    flags.loopback = 1;
    next;
11. lr_in_ip_routing_ecmp (ovn-northd.c:9902): reg8[0..15] == 0, priority 150, uuid 7e1242f0
    next;
12. lr_in_policy (ovn-northd.c:10027): 1, priority 0, uuid dfb65200
    reg8[0..15] = 0;
    next;
13. lr_in_policy_ecmp (ovn-northd.c:10029): reg8[0..15] == 0, priority 150, uuid a59e560f
    next;
14. lr_in_arp_resolve (ovn-northd.c:10245): outport == "lrp-7f82a5" && xxreg0 == 2a01:49a0:112a::289, priority 100, uuid 1e99a10c
    eth.dst = fa:16:3e:f5:aa:2a;
    next;
18. lr_in_arp_request (ovn-northd.c:10652): 1, priority 0, uuid d05b7ef1
    output;

egress(dp="test-router", inport="lrp-7f82a5", outport="lrp-7f82a5")
-------------------------------------------------------------------
 3. lr_out_delivery (ovn-northd.c:10700): outport == "lrp-7f82a5", priority 100, uuid 3d0b42d6
    output;
    /* output to "lrp-7f82a5", type "patch" */

ingress(dp="piotr-geneve-ipv6-stateful", inport="7f82a5")
---------------------------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:5023): inport == "7f82a5", priority 50, uuid e1f011ad
    next;
 5. ls_in_pre_acl (ovn-northd.c:5166): ip && inport == "7f82a5", priority 110, uuid f4b6d9ab
    next;
 6. ls_in_pre_lb (ovn-northd.c:5166): ip && inport == "7f82a5", priority 110, uuid c42a6170
    next;
 8. ls_in_acl_hint (ovn-northd.c:5486): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid 5d064a89
    reg0[8] = 1;
    reg0[10] = 1;
    next;
23. ls_in_l2_lkup (ovn-northd.c:7615): eth.dst == fa:16:3e:f5:aa:2a, priority 50, uuid 7faa449b
    outport = "9b6d8c";
    output;

egress(dp="piotr-geneve-ipv6-stateful", inport="7f82a5", outport="9b6d8c")
--------------------------------------------------------------------------
 1. ls_out_pre_acl (ovn-northd.c:5226): ip, priority 100, uuid 32588e71
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (ovn-northd.c:5411): reg0[0] == 1, priority 100, uuid 58780681
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 4. ls_out_acl_hint (ovn-northd.c:5486): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid 99195420
    reg0[8] = 1;
    reg0[10] = 1;
    next;
 5. ls_out_acl (ovn-northd.c:5744): reg0[10] == 1 && (outport == @neutron_pg_drop && ip), priority 2001, uuid ec8b7afe
    ct_commit { ct_label.blocked = 1; };

Tags: ipv6 ovn
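
A small triage helper for traces like the one in the description, added here as an example and not part of the original report or of OVN/neutron: it parses `ovn-trace` output into flows and pulls out the ACL-stage flows with the port groups they match, which is where the trace above ends (`ls_out_acl` matching `@neutron_pg_drop`). The function names are this example's own, and the sample string is an excerpt of the trace above.

```python
import re

# Excerpt of the trace in the report (last two sections, first egress stage omitted).
SAMPLE_TRACE = '''\
egress(dp="piotr-geneve-ipv6-stateful", inport="7f82a5", outport="9b6d8c")
--------------------------------------------------------------------------
 2. ls_out_pre_stateful (ovn-northd.c:5411): reg0[0] == 1, priority 100, uuid 58780681
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 4. ls_out_acl_hint (ovn-northd.c:5486): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid 99195420
    reg0[8] = 1;
    reg0[10] = 1;
    next;
 5. ls_out_acl (ovn-northd.c:5744): reg0[10] == 1 && (outport == @neutron_pg_drop && ip), priority 2001, uuid ec8b7afe
    ct_commit { ct_label.blocked = 1; };
'''

# "<table>. <stage> (<source>): <match>, priority <n>, uuid <hex>"
FLOW_RE = re.compile(
    r'^\s*(?P<table>\d+)\. (?P<stage>\w+) \((?P<src>[^)]*)\): '
    r'(?P<match>.*), priority (?P<prio>\d+), uuid (?P<uuid>[0-9a-f]+)$')
SECTION_RE = re.compile(r'^(ingress|egress|ct_next)\(.*\)$')

def parse_trace(text):
    """Return a list of flow dicts, each with its pipeline section and actions."""
    flows, section = [], None
    for line in text.splitlines():
        if SECTION_RE.match(line):
            section = line
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append({**m.groupdict(), 'section': section, 'actions': []})
        elif flows and line.startswith('    ') and line.strip():
            flows[-1]['actions'].append(line.strip())  # indented action line
    return flows

def acl_verdicts(flows):
    """ACL-stage flows as (stage, priority, port groups in the match, actions)."""
    out = []
    for f in flows:
        if f['stage'] in ('ls_in_acl', 'ls_out_acl'):
            groups = re.findall(r'@(\w+)', f['match'])
            out.append((f['stage'], int(f['prio']), groups, f['actions']))
    return out

if __name__ == '__main__':
    for verdict in acl_verdicts(parse_trace(SAMPLE_TRACE)):
        print(verdict)
```
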
tags: added: ovn
Changed in neutron:
importance: Undecided → Medium
Piotr Parczewski (parczewski) wrote:

OpenStack Release: Victoria

tags: added: ipv6
yatin (yatinkarel)
Changed in neutron:
assignee: nobody → yatin (yatinkarel)
yatin (yatinkarel) wrote:

I tried to reproduce but couldn't; I did it on a master devstack env:

openstack security group create basic
openstack security group rule create basic --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0
openstack security group rule create basic --protocol tcp --dst-port 22:22 --ethertype ipv6
openstack security group rule create --protocol icmp basic
openstack security group rule create --protocol icmp basic --ethertype ipv6
openstack security group rule create --protocol udp --dst-port 53:53 basic

test -f ~/.ssh/id_rsa.pub || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
openstack keypair create --public-key ~/.ssh/id_rsa.pub default
# nova flavor
openstack flavor create --ram 512 --disk 1 --vcpu 1 --public tiny

openstack network create ipv6-pd
openstack subnet create --ip-version 6 --ipv6-ra-mode slaac --ipv6-address-mode slaac --network ipv6-pd --gateway 2001:db8:2222:d1c::1 --allocation-pool=start=2001:db8:2222:d1c::2,end=2001:db8:2222:d1c:ffff:ffff:ffff:ffff ipv6-pd-1 --subnet-range 2001:db8:2222:d1c::/64
openstack router add subnet router1 ipv6-pd-1

openstack server create --nic net-id=ipv6-pd --image cirros-0.5.2-x86_64-disk --security-group basic --key-name default --flavor tiny testvm

$ openstack port list --network ipv6-pd
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------------------------+--------+
| 4e0179bb-1dbd-46bb-b86e-935224889858 | | fa:16:3e:7b:2b:b6 | ip_address='2001:db8:2222:d1c::1', subnet_id='db9e25b3-9a51-488a-b257-658351e928c6' | ACTIVE |
| dc7ef71d-ec1d-44eb-be9f-fb2c67f6cac2 | | fa:16:3e:51:0b:fa | ip_address='2001:db8:2222:d1c:f816:3eff:fe51:bfa', subnet_id='db9e25b3-9a51-488a-b257-658351e928c6' | ACTIVE |
| f7de9144-45c4-4664-bf91-eb4048de1670 | | fa:16:3e:bd:06:e0 | ip_address='2001:db8:2222:d1c:f816:3eff:febd:6e0', subnet_id='db9e25b3-9a51-488a-b257-658351e928c6' | DOWN |
+--------------------------------------+------+-------------------+-----------------------------------------------------------------------------------------------------+--------+

From the VM:
$ ping 2001:db8:2222:d1c::1
PING 2001:db8:2222:d1c::1 (2001:db8:2222:d1c::1): 56 data bytes ...
