On 08/30/2016 02:53 PM, Jorge Luiz Correa wrote:
Thank you Tomas and Brian!
Here they are (just replace my ipv6 prefix with 2001:DB8). But, I think the
problem is with firewall rules (see below).
<snip>
root@dataexp-network:/# ip netns exec qrouter-eb42f197-8969-4744-b226-49653ed2bf48 ip -6 route show
*2001:DB8:1400:c539::/64 dev qr-1ee33f03-23* proto kernel metric 256 pref medium
fe80::/64 dev qg-69fbbe1a-ee proto kernel metric 256 pref medium
fe80::/64 dev qr-9f742219-78 proto kernel metric 256 pref medium
fe80::/64 dev qr-1ee33f03-23 proto kernel metric 256 pref medium
*default via fe80::215:17ff:fea0:211d* dev qg-69fbbe1a-ee metric 1024 pref medium
fe80::215:17ff:fea0:211d is my firewall/router and this route was learned via
RA.
At this moment my firewall/router has one route to 2001:DB8:1400::1/52 via
fe80::f816:3eff:fed5:c5f8 (the path is firewall/router -> br-ex -> br-int ->
qg-69fbbe1a-ee). The packets go up to qg-69fbbe1a-ee.
I think these settings are OK!
Yes, those look good.
Now, I found something with iptables. See the rules in qrouter namespace:
<snip>
*Chain neutron-l3-agent-scope (1 references)*
pkts bytes target prot opt in out source destination
78 4368 *DROP* all * qr-1ee33f03-23 ::/0 ::/0 mark match ! 0x4000000/0xffff0000
Packets pass in chain FORWARD -> neutron-filter-top -> neutron-l3-agent-local ->
back to FORWARD -> neutron-l3-agent-FORWARD -> neutron-l3-agent-scope -> DROP.
This looks similar to https://bugs.launchpad.net/neutron/+bug/1570122
The IPv4 rules are very similar but work. IPv6 is blocking for some reason.
Do you have the same mark/match rules with IPv4, they're just not getting hit?
-Brian
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
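
Added example, not part of the original thread: a small Python helper that reads `ip6tables -L -v -n -x` style output, lists the mark-match DROP rules whose counters are non-zero, and evaluates the netfilter mark test ((fwmark & mask) == value, inverted by "!") for a given packet mark. The sample text is constructed from the rule quoted above, its second rule is invented for contrast, and all function names are hypothetical.

```python
import re

# Constructed sample in one-line-per-rule form, modelled on the output quoted
# in the thread. The second rule is invented so the counter filter has work to do.
SAMPLE = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target prot opt in out source destination
   78  4368 DROP   all  *  qr-1ee33f03-23  ::/0  ::/0  mark match ! 0x4000000/0xffff0000
    0     0 DROP   all  *  qr-9f742219-78  ::/0  ::/0  mark match ! 0x4010000/0xffff0000
"""

# pkts, bytes, target, prot, optional "--" opt column (shown by iptables,
# blank in ip6tables), in, out, then the trailing mark match.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+\S+\s+(?:--\s+)?"
    r"(?P<inif>\S+)\s+(?P<outif>\S+).*?"
    r"mark match (?P<neg>! )?(?P<value>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?\s*$"
)

def parse_mark_rules(text):
    """Return one dict per rule line that carries a 'mark match' clause."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header, column header, or a rule without a mark match
        rules.append({
            "pkts": int(m["pkts"]), "target": m["target"], "out": m["outif"],
            "negated": bool(m["neg"]), "value": int(m["value"], 16),
            # No "/mask" in the listing means the whole 32-bit mark is compared.
            "mask": int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF,
        })
    return rules

def rule_matches(rule, fwmark):
    """Mark match semantics: (fwmark & mask) == value, inverted when '!' is set."""
    return ((fwmark & rule["mask"]) == rule["value"]) != rule["negated"]

def hot_drops(text):
    """DROP rules with a non-zero packet counter, i.e. rules traffic is hitting."""
    return [r for r in parse_mark_rules(text) if r["target"] == "DROP" and r["pkts"] > 0]

if __name__ == "__main__":
    for r in hot_drops(SAMPLE):
        print(f"out={r['out']} pkts={r['pkts']} drops unmarked packet: {rule_matches(r, 0)}")
```

With the rule from the thread, a packet whose mark is 0 (never marked) matches the negated test and is dropped, while any mark whose upper 16 bits are 0x0400 passes.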