Bug 1023277 - Unable to ping the guest ipv6 when the network filter is added in the guest xml
Summary: Unable to ping the guest ipv6 when the network filter is added in the guest xml
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-25 05:45 UTC by chandrashekar shastri
Modified: 2016-05-02 14:36 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-02 14:36:34 UTC
Embargoed:

Attachments (Terms of Use)

Description chandrashekar shastri 2013-10-25 05:45:47 UTC 
Steps to reproduce the issue:

1. Create a virtual network [ipv6] as below

[root@localhost ~]# virsh net-dumpxml virbr2
<network connections='1'>
  <name>virbr2</name>
  <uuid>957b5f79-fa6a-4768-8a93-5cb55b317d7a</uuid>
  <forward mode='nat'/>
  <bridge name='virbr2' stp='on' delay='0'/>
  <mac address='52:51:00:29:1f:5e'/>
  <ip family='ipv6' address='2001:db8:ca2:2::1' prefix='64'>
    <dhcp>
      <range start='2001:db8:ca2:2:1::10' end='2001:db8:ca2:2:1::ff'/>
    </dhcp>
  </ip>
</network>
 
2. Run virsh net-list --all

[root@localhost ~]# virsh net-list --all
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              active     no            yes
 virbr2               active     no            yes

3. Run ifconfig virbr2

[root@localhost ~]# ifconfig virbr2

virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5051:ff:fe29:1f5e  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:ca2:2::1  prefixlen 64  scopeid 0x0<global>
        ether 52:51:00:29:1f:5e  txqueuelen 0  (Ethernet)
        RX packets 119  bytes 26948 (26.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 154  bytes 20460 (19.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

4. Attach the virtual interface to the vm:

virsh attach-interface vm2 --source virbr2 --live --mac 54:23:12:34:56:12 --type network

Note: I have booted the guest without any interfaces just to avoid confusion.
We can even edit the guest xml with the interface and destroy the guest and boot it again.

5. Login to guest :
[root@localhost ~]# virsh console vm2
Connected to domain vm2
Escape character is ^]

6. Run ifconfig 
[root@xxxxxxxx ~]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::dc:63ff:fee8:44db  prefixlen 64  scopeid 0x20<link>
        ether 02:dc:63:e8:44:db  txqueuelen 1000  (Ethernet)
        RX packets 25903  bytes 1356066 (1.2 MiB)
        RX errors 0  dropped 25783  overruns 0  frame 0
        TX packets 97  bytes 9342 (9.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 33  bytes 4684 (4.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33  bytes 4684 (4.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


7. Ping the ipv6 address from guest to host and vice versa work fine.
ping6 -I eth0 -i 3 fe80::5051:ff:fe29:1f5e

8. Create a nwfilter for ipv6 as below:

[root@localhost ~]# virsh nwfilter-dumpxml allow-ipv6
<filter name='allow-ipv6' chain='ipv6' priority='-700'>
  <uuid>e12383d0-3688-419d-8d09-d81ab1a900a7</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

[root@ltczhyp8 ~]# virsh nwfilter-dumpxml allow-incoming-ipv6
<filter name='allow-incoming-ipv6' chain='ipv6' priority='-700'>
  <uuid>e12443d0-3688-419d-8d09-d81ab1a900a7</uuid>
  <rule action='accept' direction='inout' priority='500'/>
</filter>

[root@localhost ~]# virsh nwfilter-dumpxml clean-traffic 
<filter name='clean-traffic' chain='root'>
  <uuid>24e33463-fbb4-4e19-a537-0a2f08edbf8a</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='allow-incoming-ipv6'/>
  <filterref filter='no-arp-spoofing'/>
  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='ipv6'/>
  </rule>
  <rule action='accept' direction='inout' priority='-500'>
    <mac protocolid='arp'/>
  </rule>
  <filterref filter='no-other-l2-traffic'/>
  <filterref filter='qemu-announce-self'/>
</filter>

[root@localhost ~]# 

9. Edit the filter in the guest xml for the interface attached above 

<filterref filter='clean-traffic'/>

and destroy and start the guest.

10. Login to the guest, check ifconfig and try to ping the ipv6 address from host to guest and vice versa won't work:

[root@xxxxxxxx ~]# ping6 -I eth0 -i 3 fe80::5051:ff:fe29:1f5e
PING fe80::5051:ff:fe29:1f5e(fe80::5051:ff:fe29:1f5e) from fe80::dc:63ff:fee8:44db eth0: 56 data bytes
From fe80::dc:63ff:fee8:44db icmp_seq=4 Destination unreachable: Address unreachable
From fe80::dc:63ff:fee8:44db icmp_seq=5 Destination unreachable: Address unreachable
From fe80::dc:63ff:fee8:44db icmp_seq=6 Destination unreachable: Address unreachable

--- fe80::5051:ff:fe29:1f5e ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 15028ms

[root@xxxxxxxx ~]# 


[root@localhost ~]# virsh dumpxml vm2
<domain type='kvm' id='53'>
  <name>vm2</name>
  <uuid>3d0448e4-2efe-4138-ad20-7b2583cd8c5c</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='s390x' machine='s390-ccw-virtio'>hvm</type>
    <boot dev='hd'/>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/mapper/36005076303ffc52a0000000000001316'/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source dev='/dev/mapper/36005076303ffc52a0000000000001319'/>
      <target dev='vdb' bus='virtio'/>
      <alias name='virtio-disk1'/>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0002'/>
    </disk>
    <controller type='usb' index='0'>
      <alias name='usb0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='02:dc:63:e8:44:db'/>
      <source network='virbr2'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'/>
      <alias name='net0'/>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
    </interface>
    <console type='pty' tty='/dev/pts/0'>
      <source path='/dev/pts/0'/>
      <target type='sclp' port='0'/>
      <alias name='console0'/>
    </console>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='ccw' cssid='0xfe' ssid='0x3' devno='0xffba'/>
    </memballoon>
  </devices>
  <seclabel type='none'/>
</domain>


Note: 

The filter that I have added is not to drop the incoming packets.
This issue is not seen with IPV4 address it works fine when a add a filte to accept the ipv4 packets.
Comment 1 Cole Robinson 2016-04-19 20:48:12 UTC 
Sorry for the delayed response. I don't really have an ipv6 setup to test this... are you still seeing this issue with newer libvirt?
Comment 2 Cole Robinson 2016-05-02 14:36:34 UTC 
Since there's no response, closing as DEFERRED. But if anyone is still affected with newer libvirt versions, please re-open and we can triage from there
Note You need to log in before you can comment on or make changes to this bug.