Unicast RA messages for a VM are filtered out by ovs rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Rodolfo Alonso | |
Bug Description
I ran into a problem where unicast RA messages are not accepted by the OpenFlow rules.
In my configuration I'm using the radvd daemon to send RA messages in my IPv6 network.
Here is the radvd config, with the `clients` directive to turn off multicast messages:
[root@radvd ~]# cat /etc/radvd.conf
interface br-eth0
{
AdvSendAdvert on;
MinRtrAdvIn
MaxRtrAdvIn
prefix 2001:db8:123::/64
{
AdvOnLink on;
};
clients
{
};
};
[root@radvd ~]#
I use a devstack installation with Neutron from the master branch.
I've created a virtual flat network with dual stack: IPv4 and IPv6 subnets.
The IPv6 subnet has SLAAC address mode.
And I created a VM to test IPv6 address assignment inside the VM.
But the RA message doesn't reach the VM.
VM/port/security group rules:
[root@devstack ~]# openstack server list
+------
| ID | Name | Status | Networks | Image | Flavor |
+------
| 332942be-
+------
[root@devstack ~]#
[root@devstack ~]# openstack port show 664489d1-
+------
| Field | Value |
+------
| admin_state_up | UP |
| allowed_
| binding_host_id | devstack |
| binding_profile | |
| binding_vif_details | bridge_
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2022-01-
| data_plane_status | None |
| description | |
| device_id | 332942be-
| device_owner | compute:nova |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address=
| | ip_address=
| id | 664489d1-
| ip_allocation | None |
| location | Munch({'cloud': '', 'region_name': 'RegionOne', 'zone': None, 'project': Munch({'id': 'f6cfa1cd01fa44
| mac_address | fa:16:3e:d7:35:8a |
| name | |
| network_id | f1f3d967-
| numa_affinity_
| port_security_
| project_id | f6cfa1cd01fa448
| propagate_
| qos_network_
| qos_policy_id | None |
| resource_request | None |
| revision_number | 4 |
| security_group_ids | 72d69550-
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2022-01-
+------
[root@devstack ~]#
[root@devstack ~]# openstack security group rule list 72d69550-
+------
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+------
| 10634cea-
| 137df694-
| 1e1d88e9-
| 38f2ed6a-
| 523b3f1d-
| 82f511ff-
+------
[root@devstack ~]#
Tcpdump on the external physical interface (you can see the RA messages are here):
[root@devstack ~]# tcpdump -nnn -e -i eth0 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:
11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:
11:42:53.164055 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:
^C
[root@devstack ~]#
Tcpdump on the VM's tap interface (no RA messages):
[root@devstack ~]# tcpdump -nnn -e -i tap664489d1-f1 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap664489d1-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
[root@devstack ~]#
I guess ICMPV6_TYPE_RA is not included into ICMPV6_
so, RA rule is not added into br-int in `_initialize_
Also I've found that `openvswitch` driver doesn't use port['security_
It seems to me that some logic has been lost in the code for the `openvswitch` driver.
[1] https:/
[2] https:/
[3] https:/
tags: added: ipv6 ovs-fw
Changed in neutron:
importance: Undecided → Medium
status: New → Confirmed
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
Hello:
Thanks for the detailed analysis. I think you are right: in the OVS firewall, we don't use the SG rules created by the SG handler. That was initially created for the iptables firewall, which is also used in the OVS firewall when using hybrid plug.
However, this `security_group_rules` list created in the port object is not used at all in the OVS FW using OpenFlow. Instead we build the default rules (DHCP, ICMP, etc.) and then apply the defined ones in the SG rules.
Just as OVN, this driver gets the SG rules and does not use the RPC SG object (we don't use this RPC anymore in OVN).
I think the easier approach here will be to just add this rule hardcoded in the OVS FW, same as for IPv5 ICMP traffic. I'll push a patch.
Regards.
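The following is an added example, not code from the bug report or from Neutron. It models the two observations above in one place: the tcpdump filter `icmp6 && ip6[40] == 134` (the ICMPv6 type is the first byte after the fixed 40-byte IPv6 header, which is also why that filter misses packets carrying extension headers) and the OVS firewall's hard-coded ingress ICMPv6 allow-list, once without the RA type (the behaviour the reporter saw on the tap interface) and once with it (the hard-coded rule proposed in the reply). The frame is constructed from the MAC addresses in the tcpdump output with link-local addresses derived from them; the names `ALLOWED_INGRESS_ICMPV6_BEFORE`, `ALLOWED_INGRESS_ICMPV6_AFTER` and `ingress_allowed` are illustrative and are not the identifiers used in the Neutron source.

```python
"""Model of a unicast Router Advertisement (RA) being dropped, then allowed.

Added example, not Neutron code. Builds an Ethernet/IPv6/ICMPv6 frame,
applies the same test as the tcpdump filter from the report
('icmp6 && ip6[40] == 134'), and checks the frame against an illustrative
ingress ICMPv6 allow-list with and without the RA type.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
IPV6_HEADER_LEN = 40  # fixed header; ip6[40] in tcpdump is the byte right after it

ICMPV6_TYPE_MLD_QUERY = 130
ICMPV6_TYPE_RS = 133
ICMPV6_TYPE_RA = 134
ICMPV6_TYPE_NS = 135
ICMPV6_TYPE_NA = 136

# Illustrative allow-lists (assumption, not Neutron's actual constants):
# "before" lacks RA, as the report concludes; "after" adds the hard-coded RA rule.
ALLOWED_INGRESS_ICMPV6_BEFORE = frozenset({ICMPV6_TYPE_MLD_QUERY, ICMPV6_TYPE_NS,
                                           ICMPV6_TYPE_NA})
ALLOWED_INGRESS_ICMPV6_AFTER = ALLOWED_INGRESS_ICMPV6_BEFORE | {ICMPV6_TYPE_RA}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_icmpv6_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, payload=b""):
    """Ethernet + fixed IPv6 header + ICMPv6 (no extension headers).
    The ICMPv6 checksum is left at zero: neither the filter nor the
    allow-list looks at it."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += src_ip + dst_ip
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def parse_frame(frame):
    """Return the fields the firewall decision needs, or None if the frame
    is not plain IPv6/ICMPv6 (extension headers are not walked, which is
    the same limitation as tcpdump's fixed ip6[40] offset)."""
    if len(frame) < 14 + IPV6_HEADER_LEN + 1:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:]
    if ip6[6] != IPPROTO_ICMPV6:  # next-header byte
        return None
    return {
        "dst_mac": frame[0:6],
        "src_mac": frame[6:12],
        "src_ip": ip6[8:24],
        "dst_ip": ip6[24:40],
        "icmpv6_type": ip6[IPV6_HEADER_LEN],  # exactly tcpdump's ip6[40]
    }


def is_unicast(parsed):
    # IPv6 multicast is ff00::/8; an Ethernet group address has bit 0 of octet 0 set.
    return parsed["dst_ip"][0] != 0xFF and not (parsed["dst_mac"][0] & 1)


def matches_ra_filter(frame):
    """Equivalent of 'icmp6 && ip6[40] == 134'."""
    parsed = parse_frame(frame)
    return parsed is not None and parsed["icmpv6_type"] == ICMPV6_TYPE_RA


def ingress_allowed(frame, allowed_types):
    """Model of the default ingress ICMPv6 flows: pass only listed types."""
    parsed = parse_frame(frame)
    return parsed is not None and parsed["icmpv6_type"] in allowed_types


def demo():
    # Constructed RA: MACs from the report's tcpdump, link-locals derived from them.
    ra = build_icmpv6_frame(
        mac("fa:16:3e:f6:83:3d"), mac("fa:16:3e:d7:35:8a"),
        ipaddress.IPv6Address("fe80::f816:3eff:fef6:833d").packed,
        ipaddress.IPv6Address("fe80::f816:3eff:fed7:358a").packed,
        ICMPV6_TYPE_RA,
        # cur hop limit, flags, router lifetime, reachable time, retrans timer
        payload=struct.pack("!BBHII", 64, 0, 1800, 0, 0))
    return {
        "seen_on_eth0": matches_ra_filter(ra),
        "unicast": is_unicast(parse_frame(ra)),
        "reaches_tap_before": ingress_allowed(ra, ALLOWED_INGRESS_ICMPV6_BEFORE),
        "reaches_tap_after": ingress_allowed(ra, ALLOWED_INGRESS_ICMPV6_AFTER),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the report: the RA matches the capture filter on the physical side and is unicast, yet fails the "before" allow-list and passes only once type 134 is in the list. A multicast RA is not modelled here because the report deliberately disabled multicast with the `clients` directive.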