Bug 1834655 - payload for icmp6 reply is not as expected when reject acl is added
Summary: payload for icmp6 reply is not as expected when reject acl is added
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.13
Version: FDP 20.D
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Numan Siddique
QA Contact: ying xu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-12 06:53 UTC by Jianlin Shi
Modified: 2020-05-26 14:07 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-26 14:07:18 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2020:2317 (last updated 2020-05-26 14:07:35 UTC)

Description Jianlin Shi 2020-05-12 06:53:18 UTC
Description of problem:
payload for icmp6 reply is not as expected when reject acl is added

Version-Release number of selected component (if applicable):
ovn2.13.0-27

How reproducible:
Always

Steps to Reproduce:
1. setup env and add acl as follows:

systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:20.0.76.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.76.25
systemctl restart ovn-controller
ip netns add server0
ip link add veth0_s0 netns server0 type veth peer name veth0_s0_p
ip netns exec server0 ip link set lo up
ip netns exec server0 ip link set veth0_s0 up
ip netns exec server0 ip link set veth0_s0 address 00:00:00:01:01:02
ip netns exec server0 ip addr add 192.168.1.1/24 dev veth0_s0
ip netns exec server0 ip -6 addr add 2001::1/64 dev veth0_s0
ip netns exec server0 ip route add default via 192.168.1.254 dev veth0_s0
ip netns exec server0 ip -6 route add default via 2001::a dev veth0_s0
ovs-vsctl add-port br-int veth0_s0_p
ip link set veth0_s0_p up
ovs-vsctl set interface veth0_s0_p external_ids:iface-id=ls1p1


ip netns add server1
ip link add veth0_s1 netns server1 type veth peer name veth0_s1_p
ip netns exec server1 ip link set lo up
ip netns exec server1 ip link set veth0_s1 up
ip netns exec server1 ip link set veth0_s1 address 00:00:00:01:02:02
ip netns exec server1 ip addr add 192.168.1.2/24 dev veth0_s1
ip netns exec server1 ip -6 addr add 2001::2/64 dev veth0_s1
ip netns exec server1 ip route add default via 192.168.1.254 dev veth0_s1
ip netns exec server1 ip -6 route add default via 2001::a dev veth0_s1

ovs-vsctl add-port br-int veth0_s1_p
ip link set veth0_s1_p up
ovs-vsctl set interface veth0_s1_p external_ids:iface-id=ls1p2

ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1p1
ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 192.168.1.1 2001::1"
ovn-nbctl lsp-add ls1 ls1p2
ovn-nbctl lsp-set-addresses ls1p2 "00:00:00:01:02:02 192.168.1.2 2001::2"

ovn-nbctl acl-add ls1 from-lport 32767 "inport == \"ls1p1\" && ip4.dst == 192.168.1.2" reject
ovn-nbctl acl-add ls1 from-lport 32767 "inport == \"ls1p1\" && ip6.dst == 2001::2" reject


2. send icmp6 on server0 with ping6 and capture packet: ip netns exec server0 ping6 2001::2 -c 1


Actual results:
02:37:37.062765 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xa733d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
02:37:37.063962 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 166: (flowlabel 0xa733d, hlim 255, next-header ICMPv6 (58) payload length: 8) 2001::2 > 2001::1: [bad icmp6 cksum 0x0000 -> 0xbeb7!] ICMP6, destination unreachable[|icmp6]

<=== payload is too short, and the checksum is bad

Expected results:
payload should be longer, and checksum should be ok

Additional info:

[root@hp-dl380pg8-13 test]# ip netns exec server0 ping6 2001::2 -c 1
PING 2001::2(2001::2) 56 data bytes

--- 2001::2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@hp-dl380pg8-13 test]# ip netns exec server0 tcpdump -i veth0_s0 -nnle -v ip6
tcpdump: listening on veth0_s0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:52:09.754150 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xa733d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
02:52:09.755385 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 166: (flowlabel 0xa733d, hlim 255, next-header ICMPv6 (58) payload length: 8) 2001::2 > 2001::1: [bad icmp6 cksum 0x0000 -> 0xbeb7!] ICMP6, destination unreachable[|icmp6]

[root@hp-dl380pg8-13 test]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-common-1.0-7.noarch
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
kernel-kernel-networking-openvswitch-ovn-basic-1.0-24.noarch
openvswitch2.13-2.13.0-18.el8fdp.x86_64
ovn2.13-central-2.13.0-27.el8fdp.x86_64
python3-openvswitch2.13-2.13.0-18.el8fdp.x86_64
ovn2.13-host-2.13.0-27.el8fdp.x86_64
ovn2.13-2.13.0-27.el8fdp.x86_64
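
The two captures above differ in exactly the things RFC 4443 requires of a Destination Unreachable message: a checksum computed over the IPv6 pseudo-header, and a body that carries the invoking packet (here 8 + 40 + 64 = 112 bytes, against the 8-byte, zero-checksum reply from the broken build). The checker below is an added example, not part of the bug report or of OVN; it constructs packets matching the captures (addresses and lengths from the page, echo identifier and data bytes assumed) and reports the same defects tcpdump flagged, including the 0xbeb7 value tcpdump expected.

```python
import socket
import struct
ICMP6_DEST_UNREACH = 1   # type 1; code 1 = administratively prohibited (what a reject ACL sends)
NEXT_HEADER_ICMP6 = 58

def ip6(addr):
    return socket.inet_pton(socket.AF_INET6, addr)

def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum over the IPv6 pseudo-header (src, dst, ICMPv6 length,
    next header 58) plus the message; returns 0 when the embedded checksum is right."""
    data = ip6(src) + ip6(dst) + struct.pack("!IxxxB", len(icmp), NEXT_HEADER_ICMP6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, icmp_type, code, body, hlim=64):
    """Constructed IPv6 + ICMPv6 packet (no Ethernet header) with a valid checksum."""
    csum = icmpv6_checksum(src, dst, struct.pack("!BBH", icmp_type, code, 0) + body)
    icmp = struct.pack("!BBH", icmp_type, code, csum) + body
    return struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMP6, hlim) + ip6(src) + ip6(dst) + icmp

def check_dest_unreach(pkt):
    """Problems tcpdump would flag on a Destination Unreachable reply: a bad checksum,
    or a payload too short to carry the invoking packet (RFC 4443 section 3.1)."""
    src, dst = (socket.inet_ntop(socket.AF_INET6, pkt[o:o + 16]) for o in (8, 24))
    plen = struct.unpack("!H", pkt[4:6])[0]
    icmp = pkt[40:40 + plen]
    if pkt[6] != NEXT_HEADER_ICMP6 or icmp[0] != ICMP6_DEST_UNREACH:
        return ["not an ICMPv6 Destination Unreachable message"]
    problems = []
    if icmpv6_checksum(src, dst, icmp) != 0:
        problems.append("bad icmp6 checksum")
    if len(icmp) < 8 + 40:   # type/code/cksum (4) + unused (4) + invoking IPv6 header (40)
        problems.append("payload too short (%d bytes): invoking packet missing" % len(icmp))
    elif socket.inet_ntop(socket.AF_INET6, icmp[16:32]) != dst:
        problems.append("embedded packet was not sent by the reply's destination")
    return problems

def sample_packets():
    """Constructed traffic matching the page's captures: the 64-byte echo request, the fixed
    reply (payload length 112) and the broken one (payload length 8, checksum 0x0000)."""
    echo = build_packet("2001::1", "2001::2", 128, 0, struct.pack("!HH", 0x1234, 1) + bytes(range(56)))
    good = build_packet("2001::2", "2001::1", ICMP6_DEST_UNREACH, 1, b"\x00" * 4 + echo, hlim=255)
    bad = (struct.pack("!IHBB", 0x60000000, 8, NEXT_HEADER_ICMP6, 255) + ip6("2001::2") + ip6("2001::1")
           + struct.pack("!BBH", ICMP6_DEST_UNREACH, 1, 0) + b"\x00" * 4)
    return echo, good, bad
```

Running check_dest_unreach over the broken reply yields both the checksum and the length complaint, while the fixed-build reply passes cleanly.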

Comment 1 Jianlin Shi 2020-05-12 06:54:45 UTC
the reply packet on ovn2.13.0-21:

02:13:15.427723 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xa733d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
02:13:15.428397 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 102: (flowlabel 0xa733d, hlim 255, next-header ICMPv6 (58) payload length: 48) 2001::2 > 2001::1: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited 2001::2

<=== which seems to be ok

set regression

Comment 6 Jianlin Shi 2020-05-13 02:15:52 UTC
Verified on ovn2.13.0-30.el8:

[root@kvm-04-guest09 bz1834655]# ip netns exec server0 ping6 2001::2 -c 1
PING 2001::2(2001::2) 56 data bytes
From 2001::2: icmp_seq=1 Destination unreachable: Administratively prohibited

--- 2001::2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

[root@kvm-04-guest09 ~]# ip netns exec server0 tcpdump -i veth0_s0 -nnle -v
tcpdump: listening on veth0_s0, link-type EN10MB (Ethernet), capture size 262144 bytes

22:14:27.973758 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001::2 > 2001::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001::2, Flags [solicited, override]
          destination link-address option (2), length 8 (1): 00:00:00:01:02:02
22:14:27.973773 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0x17322, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
22:14:27.974042 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 166: (flowlabel 0x17322, hlim 255, next-header ICMPv6 (58) payload length: 112) 2001::2 > 2001::1: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited 2001::2

<=== the length is as expected

[root@kvm-04-guest09 bz1834655]# rpm -qa | grep -E "openvswitch|ovn"
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-2.13.0-30.el8fdp.x86_64
ovn2.13-host-2.13.0-30.el8fdp.x86_64
openvswitch2.13-2.13.0-18.el8fdp.x86_64
ovn2.13-central-2.13.0-30.el8fdp.x86_64

Comment 7 ying xu 2020-05-13 08:56:46 UTC
verified on 
# rpm -qa|grep ovn
ovn2.13-central-2.13.0-30.el7fdp.x86_64
ovn2.13-2.13.0-30.el7fdp.x86_64
ovn2.13-host-2.13.0-30.el7fdp.x86_64


03:33:58.603229 00:de:ad:00:01:01 > 00:de:ad:01:00:01, ethertype IPv6 (0x86dd), length 166: (hlim 255, next-header ICMPv6 (58) payload length: 112) 2001:db8:102::22 > 2001:db8:102::11: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited 2001:db8:102::22
03:33:59.602925 00:de:ad:01:00:01 > 00:de:ad:00:01:01, ethertype IPv6 (0x86dd), length 118: (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:102::11 > 2001:db8:102::22: [icmp6 sum ok] ICMP6, echo request, seq 3
03:33:59.603164 00:de:ad:00:01:01 > 00:de:ad:01:00:01, ethertype IPv6 (0x86dd), length 166: (hlim 255, next-header ICMPv6 (58) payload length: 112) 2001:db8:102::22 > 2001:db8:102::11: [icmp6 sum ok] ICMP6, destination unreachable,  unreachable prohibited 2001:db8:102::22

Comment 11 errata-xmlrpc 2020-05-26 14:07:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2317

