Unicast RA messages for a VM are filtered out by ovs rules

Bug #1958643 reported by Anton Kurbatov
Affects: neutron | Status: Fix Released | Importance: Medium | Assigned to: Rodolfo Alonso | Milestone: (none)

Bug Description

I ran into a problem where unicast RA messages are not accepted by the openflow rules.
In my configuration I'm using the radvd daemon to send RA messages in my IPv6 network.
Here is the radvd config, with the `clients` directive to turn off multicast messages:

[root@radvd ~]# cat /etc/radvd.conf
interface br-eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 5;
    prefix 2001:db8:123::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
    clients
    {
        fe80::f816:3eff:fed7:358a;
    };
};
[root@radvd ~]#

I use a devstack installation with Neutron from the master branch.
I've created a virtual flat network with dual stack: IPv4 and IPv6 subnets.
The IPv6 subnet has the SLAAC address mode.
And I created a VM to test IPv6 address assignment inside the VM.
But the RA message doesn't reach the VM.

VM/port/security group rules:

[root@devstack ~]# openstack server list
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
| 332942be-0869-403f-9aba-386f88b9bc9d | test | ACTIVE | public=10.136.17.163, 2001:db8:123:0:f816:3eff:fed7:358a | CentOS-7-x86_64-GenericCloud-2009.qcow2 | m1.small |
+--------------------------------------+------+--------+----------------------------------------------------------+-----------------------------------------+----------+
[root@devstack ~]#
[root@devstack ~]# openstack port show 664489d1-f15f-4990-99eb-b53ad21f673a
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | devstack |
| binding_profile | |
| binding_vif_details | bridge_name='br-int', connectivity='l2', datapath_type='system', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2022-01-21T11:32:19Z |
| data_plane_status | None |
| description | |
| device_id | 332942be-0869-403f-9aba-386f88b9bc9d |
| device_owner | compute:nova |
| device_profile | None |
| dns_assignment | None |
| dns_domain | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='10.136.17.163', subnet_id='6d9a7fb5-5c1b-4759-b32b-5720b5cedbf4' |
| | ip_address='2001:db8:123:0:f816:3eff:fed7:358a', subnet_id='410b7327-12c9-4085-9c75-7667308adee2' |
| id | 664489d1-f15f-4990-99eb-b53ad21f673a |
| ip_allocation | None |
| location | Munch({'cloud': '', 'region_name': 'RegionOne', 'zone': None, 'project': Munch({'id': 'f6cfa1cd01fa4486b6b5f54231a8ac14', 'name': 'admin', 'domain_id': 'default', 'domain_name': None})}) |
| mac_address | fa:16:3e:d7:35:8a |
| name | |
| network_id | f1f3d967-26db-41b3-b6f6-1d5356e33a84 |
| numa_affinity_policy | None |
| port_security_enabled | True |
| project_id | f6cfa1cd01fa4486b6b5f54231a8ac14 |
| propagate_uplink_status | None |
| qos_network_policy_id | None |
| qos_policy_id | None |
| resource_request | None |
| revision_number | 4 |
| security_group_ids | 72d69550-1140-4a49-8b9e-ed896ab9dff9 |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2022-01-21T11:32:21Z |
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@devstack ~]#
[root@devstack ~]# openstack security group rule list 72d69550-1140-4a49-8b9e-ed896ab9dff9
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| 10634cea-baa3-44ab-8f47-69df7c3de7b4 | None | IPv6 | ::/0 | | ingress | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None |
| 137df694-615b-4540-8ca5-63b70f04e23d | None | IPv6 | ::/0 | | ingress | None | None |
| 1e1d88e9-55a7-469c-bfdf-f306b85ea322 | None | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| 38f2ed6a-6360-438e-90ee-78f4745efa45 | None | IPv4 | 0.0.0.0/0 | | ingress | 72d69550-1140-4a49-8b9e-ed896ab9dff9 | None |
| 523b3f1d-6a54-45cd-b084-3501da20bcd7 | None | IPv6 | ::/0 | | egress | None | None |
| 82f511ff-b685-4247-87d3-b3d430f89b22 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
[root@devstack ~]#

Tcpdump for the external physical interface (you can see RA messages are here):

[root@devstack ~]# tcpdump -nnn -e -i eth0 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:42:46.412136 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:49.601990 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
11:42:53.164055 fa:16:3e:f6:83:3d > fa:16:3e:d7:35:8a, ethertype IPv6 (0x86dd), length 110: fe80::f816:3eff:fef6:833d > fe80::f816:3eff:fed7:358a: ICMP6, router advertisement, length 56
^C
[root@devstack ~]#

Tcpdump for VM's tap interface (no RA messages):

[root@devstack ~]# tcpdump -nnn -e -i tap664489d1-f1 'icmp6 && ip6[40] == 134'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap664489d1-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
[root@devstack ~]#

I guess ICMPV6_TYPE_RA is not included in ICMPV6_ALLOWED_INGRESS_TYPES after commit [1],
so the RA rule is not added to br-int in the `_initialize_ingress_ipv6_icmp` func [2].
Also I've found that the `openvswitch` driver doesn't use port['security_group_rules'] from [3] at all.
It seems to me that some logic has been lost in the code for the `openvswitch` driver.

[1] https://opendev.org/openstack/neutron/commit/157c5c261d95e40f2916f0cb91f3d529f2490457
[2] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/agent/linux/openvswitch_firewall/firewall.py#L1347
[3] https://opendev.org/openstack/neutron/src/commit/24c802711a939f532842c1d7b95a1afe004e809a/neutron/db/securitygroups_rpc_base.py#L360
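The diagnosis above comes down to which ICMPv6 types have an explicit ingress allow flow on br-int for the VM's port. As an added example (not Neutron's code and not part of this report), the following Python script parses the text of `ovs-ofctl dump-flows br-int` and lists, for the `reg5` value that identifies a port, the ICMPv6 types with a non-drop ingress flow, then says whether type 134 (router advertisement) is among them. The sample dump is constructed: the table number, priority, port numbers, the second MAC address and the pre-fix type set {130, 135, 136} are assumptions made for the sample, not values taken from a real host.

```python
"""Check which ICMPv6 types the OVS firewall admits to a VM port.

Added example, not neutron code. Input is the text of
`ovs-ofctl dump-flows br-int`; a port is identified by its reg5 value.
Only flows with an explicit icmp_type are counted, so broad
"allow all IPv6" security group flows are deliberately not considered.
"""
import re
from typing import Dict, Set

ICMPV6_TYPE_RA = 134  # router advertisement (RFC 4861)
ICMPV6_TYPE_NAMES = {130: "MLD query", 134: "RA", 135: "NS", 136: "NA"}

# A flow line is "<match fields> actions=<actions>".
FLOW_RE = re.compile(r"^(?P<match>.*?)\s+actions=(?P<actions>.*)$")

# Constructed sample: port reg5=0x8 has the pre-fix default rules
# (no type 134), port reg5=0x9 has the post-fix rules. Table 81 and
# priority 100 are assumptions for the sample, not measured values.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=10.1s, table=81, n_packets=4, n_bytes=344, priority=100,icmp6,reg5=0x8,dl_dst=fa:16:3e:d7:35:8a,icmp_type=130 actions=output:8
 cookie=0x0, duration=10.1s, table=81, n_packets=9, n_bytes=774, priority=100,icmp6,reg5=0x8,dl_dst=fa:16:3e:d7:35:8a,icmp_type=135 actions=output:8
 cookie=0x0, duration=10.1s, table=81, n_packets=9, n_bytes=774, priority=100,icmp6,reg5=0x8,dl_dst=fa:16:3e:d7:35:8a,icmp_type=136 actions=output:8
 cookie=0x0, duration=10.1s, table=81, n_packets=0, n_bytes=0, priority=100,icmp6,reg5=0x9,dl_dst=fa:16:3e:aa:bb:cc,icmp_type=130 actions=output:9
 cookie=0x0, duration=10.1s, table=81, n_packets=3, n_bytes=330, priority=100,icmp6,reg5=0x9,dl_dst=fa:16:3e:aa:bb:cc,icmp_type=134 actions=output:9
 cookie=0x0, duration=10.1s, table=81, n_packets=0, n_bytes=0, priority=100,icmp6,reg5=0x9,dl_dst=fa:16:3e:aa:bb:cc,icmp_type=135 actions=output:9
 cookie=0x0, duration=10.1s, table=81, n_packets=0, n_bytes=0, priority=100,icmp6,reg5=0x9,dl_dst=fa:16:3e:aa:bb:cc,icmp_type=136 actions=output:9
 cookie=0x0, duration=10.1s, table=81, n_packets=0, n_bytes=0, priority=0 actions=drop
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Split one dump-flows line into a dict of match fields plus 'actions'.

    Bare keywords such as 'icmp6' get the value 'True'; key=value pairs
    are kept as given. Header lines and blank lines yield {}.
    """
    m = FLOW_RE.match(line.strip())
    if not m:
        return {}
    fields: Dict[str, str] = {}
    for item in m.group("match").split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        fields[key.strip()] = value.strip() if sep else "True"
    fields["actions"] = m.group("actions").strip()
    return fields


def allowed_icmpv6_ingress_types(dump: str, reg_port: int) -> Set[int]:
    """Return the ICMPv6 types with a non-drop flow for the given reg5 port."""
    types: Set[int] = set()
    for line in dump.splitlines():
        f = parse_flow(line)
        if not f or f["actions"].startswith("drop"):
            continue
        if "reg5" not in f or int(f["reg5"], 16) != reg_port:
            continue
        # ovs-ofctl prints the icmp6 shorthand; the long form is
        # dl_type=0x86dd (IPv6) with nw_proto=58 (ICMPv6).
        is_icmp6 = f.get("icmp6") == "True" or (
            f.get("dl_type") == "0x86dd" and f.get("nw_proto") == "58")
        if not is_icmp6 or "icmp_type" not in f:
            continue
        types.add(int(f["icmp_type"]))
    return types


def missing_ra_rule(dump: str, reg_port: int) -> bool:
    """True when the port has no ingress allow flow for RA (type 134)."""
    return ICMPV6_TYPE_RA not in allowed_icmpv6_ingress_types(dump, reg_port)


def report(dump: str, reg_port: int) -> str:
    """One-line human-readable verdict for a port."""
    types = sorted(allowed_icmpv6_ingress_types(dump, reg_port))
    names = ", ".join(f"{t} ({ICMPV6_TYPE_NAMES.get(t, 'other')})" for t in types)
    verdict = "RA blocked" if missing_ra_rule(dump, reg_port) else "RA allowed"
    return f"reg5=0x{reg_port:x}: icmp_type allowed [{names}] -> {verdict}"


if __name__ == "__main__":
    for port in (8, 9):
        print(report(SAMPLE_DUMP, port))
```

On a real host, feed the script the output of `ovs-ofctl dump-flows br-int` (the `-O OpenFlow13` option may be needed) and the port's ofport number; a port that shows `RA blocked` while tcpdump on the physical interface sees unicast RAs addressed to its MAC, as in the captures above, matches the symptom of this bug.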

Tags: ipv6 ovs-fw
Changed in neutron:
importance: Undecided → Medium
status: New → Confirmed
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

Thanks for the detailed analysis. I think you are right: in the OVS firewall, we don't use the SG rules created by the SG handler. That was initially created for the iptables firewall, which is also used in the OVS firewall when using hybrid plug.

However, this "security_group_rules" list created in the port object is not used at all in the OVS FW using Open Flows. Instead we build the default rules (DHCP, ICMP, etc) and then apply the defined ones in the SG rules.

Just as OVN, this driver gets the SG rules and does not use the RPC SG object (we don't use this RPC anymore in OVN).

I think the easier approach here will be to just add this rule hardcoded in the OVS FW, same as for IPv4 ICMP traffic. I'll push a patch.

Regards.

Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/827159

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/827159
Committed: https://opendev.org/openstack/neutron/commit/0d233041206434b91e5f2d1f00593e592019a99d
Submitter: "Zuul (22348)"
Branch: master

commit 0d233041206434b91e5f2d1f00593e592019a99d
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Mon Jan 31 17:26:01 2022 +0000

    [OVS] Add IPv6 ICMP RA to the default ingress rules

    "ICMPV6_TYPE_RA" was removed from "ICMPV6_ALLOWED_INGRESS_TYPES"
    because of a bug in the iptables firewall (described in the LP
    bug). This rule was added in "_add_ingress_ra_rule" to
    port["security_group_rules"]. However, the OVS firewall does not
    use this rule list but builds the default rules from scratch.

    Closes-Bug: #1958643
    Change-Id: I53ee3c87ab2a6306b31fc3387b706d8296031a14

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.0.0.0rc1

This issue was fixed in the openstack/neutron 20.0.0.0rc1 release candidate.
