Description of problem:
Payload of the icmp6 reply is not as expected when a reject ACL is added.

Version-Release number of selected component (if applicable):
ovn2.13.0-27

How reproducible:
Always

Steps to Reproduce:
1. Set up the environment and add the ACLs as follows:

systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:20.0.76.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.76.25
systemctl restart ovn-controller

ip netns add server0
ip link add veth0_s0 netns server0 type veth peer name veth0_s0_p
ip netns exec server0 ip link set lo up
ip netns exec server0 ip link set veth0_s0 up
ip netns exec server0 ip link set veth0_s0 address 00:00:00:01:01:02
ip netns exec server0 ip addr add 192.168.1.1/24 dev veth0_s0
ip netns exec server0 ip -6 addr add 2001::1/64 dev veth0_s0
ip netns exec server0 ip route add default via 192.168.1.254 dev veth0_s0
ip netns exec server0 ip -6 route add default via 2001::a dev veth0_s0
ovs-vsctl add-port br-int veth0_s0_p
ip link set veth0_s0_p up
ovs-vsctl set interface veth0_s0_p external_ids:iface-id=ls1p1

ip netns add server1
ip link add veth0_s1 netns server1 type veth peer name veth0_s1_p
ip netns exec server1 ip link set lo up
ip netns exec server1 ip link set veth0_s1 up
ip netns exec server1 ip link set veth0_s1 address 00:00:00:01:02:02
ip netns exec server1 ip addr add 192.168.1.2/24 dev veth0_s1
ip netns exec server1 ip -6 addr add 2001::2/64 dev veth0_s1
ip netns exec server1 ip route add default via 192.168.1.254 dev veth0_s1
ip netns exec server1 ip -6 route add default via 2001::a dev veth0_s1
ovs-vsctl add-port br-int veth0_s1_p
ip link set veth0_s1_p up
ovs-vsctl set interface veth0_s1_p external_ids:iface-id=ls1p2

ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1p1
ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 192.168.1.1 2001::1"
ovn-nbctl lsp-add ls1 ls1p2
ovn-nbctl lsp-set-addresses ls1p2 "00:00:00:01:02:02 192.168.1.2 2001::2"
ovn-nbctl acl-add ls1 from-lport 32767 "inport == \"ls1p1\" && ip4.dst == 192.168.1.2" reject
ovn-nbctl acl-add ls1 from-lport 32767 "inport == \"ls1p1\" && ip6.dst == 2001::2" reject

2. Send icmp6 from server0 with ping6 and capture the packets:

ip netns exec server0 ping6 2001::2 -c 1

Actual results:

02:37:37.062765 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xa733d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
02:37:37.063962 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 166: (flowlabel 0xa733d, hlim 255, next-header ICMPv6 (58) payload length: 8) 2001::2 > 2001::1: [bad icmp6 cksum 0x0000 -> 0xbeb7!] ICMP6, destination unreachable[|icmp6]   <=== payload is too short, and the checksum is bad

Expected results:
The payload should be longer, and the checksum should be ok.

Additional info:

[root@hp-dl380pg8-13 test]# ip netns exec server0 ping6 2001::2 -c 1
PING 2001::2(2001::2) 56 data bytes

--- 2001::2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@hp-dl380pg8-13 test]# ip netns exec server0 tcpdump -i veth0_s0 -nnle -v ip6
tcpdump: listening on veth0_s0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:52:09.754150 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xa733d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
02:52:09.755385 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 166: (flowlabel 0xa733d, hlim 255, next-header ICMPv6 (58) payload length: 8) 2001::2 > 2001::1: [bad icmp6 cksum 0x0000 -> 0xbeb7!] ICMP6, destination unreachable[|icmp6]

[root@hp-dl380pg8-13 test]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-common-1.0-7.noarch
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
kernel-kernel-networking-openvswitch-ovn-basic-1.0-24.noarch
openvswitch2.13-2.13.0-18.el8fdp.x86_64
ovn2.13-central-2.13.0-27.el8fdp.x86_64
python3-openvswitch2.13-2.13.0-18.el8fdp.x86_64
ovn2.13-host-2.13.0-27.el8fdp.x86_64
ovn2.13-2.13.0-27.el8fdp.x86_64
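The arithmetic behind the expected result: ping6 sends an 8-byte ICMPv6 echo header plus 56 bytes of data, so the invoking packet is a 104-byte IPv6 packet (payload length 64). An RFC 4443 Destination Unreachable that quotes the whole invoking packet after its 4-byte unused field therefore carries 8 + 104 = 112 bytes of ICMPv6 payload (166 bytes on the wire with Ethernet and IPv6 headers), and its checksum is computed over the IPv6 pseudo-header as well as the message. The script below is an added example, not OVN code and not the reporter's; it builds the request and the correct reply with the Python standard library, applies the checks tcpdump -v applies, and, on a constructed copy of the broken reply (8-byte ICMPv6 header only, checksum field zero), computes the 0xbeb7 value tcpdump printed. Addresses, flow label and ping data are taken from the capture above; the echo identifier is arbitrary.

```python
"""Build and check the ICMPv6 Destination Unreachable reply a reject ACL should
produce (RFC 4443 section 3.1).  Added example for this bug report; not OVN code.
The packets are constructed to match the capture in the report."""
import ipaddress
import struct

ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128
ICMPV6_DEST_UNREACH = 1
ICMPV6_CODE_ADMIN_PROHIBITED = 1    # tcpdump prints this as "unreachable prohibited"
IPV6_MIN_MTU = 1280                 # RFC 4443: an error message must not exceed this
MAX_QUOTED = IPV6_MIN_MTU - 40 - 8  # room for the invoking packet after IPv6 + ICMPv6 headers


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, icmp):
    """Checksum over the IPv6 pseudo-header (src, dst, length, next header) and the
    ICMPv6 message with its checksum field zeroed; compare with the field to verify."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(icmp), ICMPV6))
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_ipv6(src, dst, next_header, hlim, payload, flowlabel=0):
    hdr = struct.pack("!IHBB", (6 << 28) | (flowlabel & 0xFFFFF), len(payload), next_header, hlim)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(pkt):
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    return {"flowlabel": vtcfl & 0xFFFFF, "payload_len": plen, "next_header": nh, "hlim": hlim,
            "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "payload": pkt[40:40 + plen]}


def _with_checksum(src, dst, icmp):
    return icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]


def build_echo_request(src, dst, ident=0x1234, seq=1, data=bytes(range(56)), hlim=64, flowlabel=0):
    """ping6 default: 8-byte echo header + 56 bytes of data, i.e. IPv6 payload length 64."""
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + data
    return build_ipv6(src, dst, ICMPV6, hlim, _with_checksum(src, dst, icmp), flowlabel)


def build_dest_unreach(invoking, code=ICMPV6_CODE_ADMIN_PROHIBITED, hlim=255):
    """The reply a rejecting switch should send: addresses swapped, flow label kept, and
    as much of the invoking packet as fits quoted after the 4-byte unused field."""
    ip = parse_ipv6(invoking)
    src, dst = ip["dst"], ip["src"]
    icmp = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, code, 0, 0) + invoking[:MAX_QUOTED]
    return build_ipv6(src, dst, ICMPV6, hlim, _with_checksum(src, dst, icmp), ip["flowlabel"])


def check_reject_reply(reply, invoking):
    """The checks a receiving host (or tcpdump -v) applies to the reply."""
    ip = parse_ipv6(reply)
    icmp = ip["payload"]
    quoted = icmp[8:]
    return {
        "payload_len": ip["payload_len"],
        "type_code_ok": icmp[0] == ICMPV6_DEST_UNREACH and icmp[1] == ICMPV6_CODE_ADMIN_PROHIBITED,
        "checksum_ok": struct.unpack("!H", icmp[2:4])[0] == icmpv6_checksum(ip["src"], ip["dst"], icmp),
        "quotes_invoking_header": len(quoted) >= 40 and quoted[:40] == invoking[:40],
        "quotes_full_invoking": quoted == invoking[:MAX_QUOTED],
    }


def truncate_like_buggy_capture(reply):
    """Constructed reproduction of the ovn2.13.0-27 capture in the report: only the
    8-byte ICMPv6 header survives and the checksum field is left at zero."""
    icmp = reply[40:48]
    icmp = icmp[:2] + b"\x00\x00" + icmp[4:]
    return reply[:4] + struct.pack("!H", len(icmp)) + reply[6:40] + icmp


if __name__ == "__main__":
    req = build_echo_request("2001::1", "2001::2", flowlabel=0xA733D)
    good = build_dest_unreach(req)
    bad = truncate_like_buggy_capture(good)
    print("expected reply:", check_reject_reply(good, req))   # payload_len 112, all checks True
    print("buggy reply:   ", check_reject_reply(bad, req))    # payload_len 8, checksum_ok False
    print("checksum tcpdump wants for the buggy reply: 0x%04x"
          % icmpv6_checksum("2001::2", "2001::1", bad[40:]))  # 0xbeb7, as in the capture
```

The 0xbeb7 reproduction is a useful sanity check of the pseudo-header handling: it only comes out if the length field in the pseudo-header is the ICMPv6 length (8), the next-header byte is 58 and the checksum field is zeroed before summing, which is exactly how a receiver validates the reply.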
The reply packet on ovn2.13.0-21:

02:13:15.427723 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xa733d, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
02:13:15.428397 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 102: (flowlabel 0xa733d, hlim 255, next-header ICMPv6 (58) payload length: 48) 2001::2 > 2001::1: [icmp6 sum ok] ICMP6, destination unreachable, unreachable prohibited 2001::2   <=== which seems to be ok

set regression
Verified on ovn2.13.0-30.el8:

[root@kvm-04-guest09 bz1834655]# ip netns exec server0 ping6 2001::2 -c 1
PING 2001::2(2001::2) 56 data bytes
From 2001::2: icmp_seq=1 Destination unreachable: Administratively prohibited

--- 2001::2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

[root@kvm-04-guest09 ~]# ip netns exec server0 tcpdump -i veth0_s0 -nnle -v
tcpdump: listening on veth0_s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:14:27.973758 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001::2 > 2001::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001::2, Flags [solicited, override] destination link-address option (2), length 8 (1): 00:00:00:01:02:02
22:14:27.973773 00:00:00:01:01:02 > 00:00:00:01:02:02, ethertype IPv6 (0x86dd), length 118: (flowlabel 0x17322, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001::1 > 2001::2: [icmp6 sum ok] ICMP6, echo request, seq 1
22:14:27.974042 00:00:00:01:02:02 > 00:00:00:01:01:02, ethertype IPv6 (0x86dd), length 166: (flowlabel 0x17322, hlim 255, next-header ICMPv6 (58) payload length: 112) 2001::2 > 2001::1: [icmp6 sum ok] ICMP6, destination unreachable, unreachable prohibited 2001::2   <=== the length is as expected

[root@kvm-04-guest09 bz1834655]# rpm -qa | grep -E "openvswitch|ovn"
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-2.13.0-30.el8fdp.x86_64
ovn2.13-host-2.13.0-30.el8fdp.x86_64
openvswitch2.13-2.13.0-18.el8fdp.x86_64
ovn2.13-central-2.13.0-30.el8fdp.x86_64
Verified on:

# rpm -qa|grep ovn
ovn2.13-central-2.13.0-30.el7fdp.x86_64
ovn2.13-2.13.0-30.el7fdp.x86_64
ovn2.13-host-2.13.0-30.el7fdp.x86_64

03:33:58.603229 00:de:ad:00:01:01 > 00:de:ad:01:00:01, ethertype IPv6 (0x86dd), length 166: (hlim 255, next-header ICMPv6 (58) payload length: 112) 2001:db8:102::22 > 2001:db8:102::11: [icmp6 sum ok] ICMP6, destination unreachable, unreachable prohibited 2001:db8:102::22
03:33:59.602925 00:de:ad:01:00:01 > 00:de:ad:00:01:01, ethertype IPv6 (0x86dd), length 118: (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:102::11 > 2001:db8:102::22: [icmp6 sum ok] ICMP6, echo request, seq 3
03:33:59.603164 00:de:ad:00:01:01 > 00:de:ad:01:00:01, ethertype IPv6 (0x86dd), length 166: (hlim 255, next-header ICMPv6 (58) payload length: 112) 2001:db8:102::22 > 2001:db8:102::11: [icmp6 sum ok] ICMP6, destination unreachable, unreachable prohibited 2001:db8:102::22
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2317