On 08/23/2018 12:53 PM, Jorge Luiz Correa wrote:
Hi all,
I'm deploying Queens on Ubuntu 18.04 with one controller, one network
controller and, for now, one compute node. I'm using ML2 with the linuxbridge
mechanism driver and a self-service type of network. This is a dual
stack environment (v4 and v6).
IPv4 is working fine, NATs OK and packets flowing.
With IPv6 I'm having a problem. Packets from external networks to a
project network are stopping on the qrouter namespace firewall. I have a
project with one network, one v4 subnet and one v6 subnet. Addressing is
all OK, virtual machines are getting their IPs and can ping the network
gateway.
However, from external to project network, using IPv6, the packets stop
in a DROP rule inside the qrouter namespace.
This looks like the address scopes of the subnets are different, so the
rule to mark packets is not being inserted. How are you assigning the
subnet addresses on the external and internal networks? Typically you
would define a subnet pool and allocate from that, which should work.
Perhaps this guide would help with that:
https://docs.openstack.org/neutron/queens/admin/config-address-scopes.html
The last sentence there seems to describe the problem you're having:
"If the address scopes match between networks then pings and other
traffic route directly through. If the scopes do not match between
networks, the router either drops the traffic or applies NAT to cross
scope boundaries."
IPv6 in neutron does not use NAT...
-Brian
The ip6tables path is:
mangle prerouting -> neutron-l3-agent-PREROUTING -> neutron-l3-agent-scope -> here we have a MARK rule:

 pkts bytes target  prot opt in              out  source  destination
    3   296 MARK    all      qr-7f2944e7-cc  *    ::/0    ::/0         MARK xset 0x4000000/0xffff0000
The qr interface is the internal network interface of the project (subnet
gateway). So, packets from this interface are marked.
But the return path is the problem. The packets don't return. I have
rules on the nexthop firewall and the packets arrive on the external
bridge (network node). But when they arrive on the external interface of
the qrouter namespace, they are filtered.
Inside the qrouter namespace this is the rule:
ip netns exec qrouter-5689783d-52c0-4d2f-bef5-99b111f8ef5f ip6tables -t mangle -L -n -v
...
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target  prot opt in   out             source  destination
    0     0 DROP    all      *    qr-7f2944e7-cc  ::/0    ::/0         mark match ! 0x4000000/0xffff0000
...
If I create the following rule everything works great:
ip netns exec qrouter-5689783d-52c0-4d2f-bef5-99b111f8ef5f ip6tables -t mangle -I neutron-l3-agent-scope -i qg-b6757bfe-c1 -j MARK --set-xmark 0x4000000/0xffff0000
where qg is the external interface of the virtual router. So, if I mark
packets from the external interface in mangle, they are not filtered.
Is this normal? Do I have to manually add a rule to do that?
How do I use the "external_ingress_mark" option in l3-agent.ini? Can I
use it to mark packets using a configuration parameter instead of a
manually inserted ip6tables rule?
Thanks a lot!
- JLC
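A diagnostic for the situation described in this thread, added here as an example (it is not the poster's, Neutron's, or any list member's code): it parses the neutron-l3-agent-scope chain out of `ip6tables -t mangle -L -n -v` output and reports which internal (qr) interfaces have a DROP rule that would discard unmarked traffic arriving on the external (qg) interface, i.e. the address-scope mismatch symptom above. The two sample chain dumps are constructed from the rules quoted in the mail (interface names and mark values are the ones shown there; packet counters are illustrative), and the function names `parse_chain` and `unmarked_ingress` are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the chain as quoted in the thread, before the manual fix.
# Only the qr (internal) interface sets the scope mark, so anything entering
# on qg and leaving via qr carries no mark and hits the DROP rule.
SAMPLE_BEFORE = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in              out             source  destination
    3   296 MARK       all      qr-7f2944e7-cc  *               ::/0    ::/0    MARK xset 0x4000000/0xffff0000
    0     0 DROP       all      *               qr-7f2944e7-cc  ::/0    ::/0    mark match ! 0x4000000/0xffff0000
"""

# Constructed sample: the same chain after the poster's manual MARK rule for
# the qg (external) interface was inserted at the top.
SAMPLE_AFTER = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in              out             source  destination
    0     0 MARK       all      qg-b6757bfe-c1  *               ::/0    ::/0    MARK xset 0x4000000/0xffff0000
    3   296 MARK       all      qr-7f2944e7-cc  *               ::/0    ::/0    MARK xset 0x4000000/0xffff0000
    0     0 DROP       all      *               qr-7f2944e7-cc  ::/0    ::/0    mark match ! 0x4000000/0xffff0000
"""

MARK_RE = re.compile(r"(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


@dataclass
class Rule:
    target: str
    in_if: str
    out_if: str
    extra: str  # match/target options after the destination column


def parse_chain(output: str, chain: str = "neutron-l3-agent-scope") -> List[Rule]:
    """Extract the rules of one chain from `ip6tables -t mangle -L -n -v` text."""
    rules: List[Rule] = []
    in_chain = False
    for line in output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        tok = line.split()
        # ip6tables leaves the 'opt' column blank; iptables prints '--' there.
        # Normalise so the remaining columns line up either way.
        if len(tok) > 4 and tok[4] == "--":
            del tok[4]
        # tok: pkts bytes target prot in out source destination [extra...]
        rules.append(Rule(target=tok[2], in_if=tok[4], out_if=tok[5],
                          extra=" ".join(tok[8:])))
    return rules


def scope_mark(rule: Rule) -> Optional[Tuple[int, int]]:
    """Return (value, mask) from a 'MARK xset v/m' or 'mark match ! v/m' rule."""
    m = MARK_RE.search(rule.extra)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def unmarked_ingress(rules: List[Rule], ext_if: str) -> List[str]:
    """Internal interfaces whose '! mark' DROP rule would discard traffic that
    entered on ext_if, because no MARK rule on ext_if (or on '*') sets the
    mark the DROP rule requires. Assumes the packet mark starts at zero."""
    set_by_ext: List[Tuple[int, int]] = []
    for r in rules:
        if r.target == "MARK" and r.in_if in (ext_if, "*") and scope_mark(r):
            set_by_ext.append(scope_mark(r))
    blocked: List[str] = []
    for r in rules:
        if r.target != "DROP" or "mark match !" not in r.extra:
            continue
        need = scope_mark(r)
        if need is None:
            continue
        want_val, want_mask = need
        # After 'xset v/m' on a zero mark the mark equals v & m; the DROP rule
        # is bypassed only if that mark, under the DROP rule's mask, equals v.
        satisfied = any(((v & m) & want_mask) == want_val for v, m in set_by_ext)
        if not satisfied:
            blocked.append(r.out_if)
    return blocked


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, unmarked_ingress(parse_chain(text), "qg-b6757bfe-c1"))
```

Run it against a real dump by piping `ip netns exec qrouter-<id> ip6tables -t mangle -L -n -v` into `parse_chain` and passing the router's qg interface name; a non-empty list names the qr interfaces that will drop external IPv6 ingress, which is the same condition Brian attributes to mismatched address scopes.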
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack