1848398 – IPv6 RA packets are getting dropped when ACLs are enabled

The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 1848398 - IPv6 RA packets are getting dropped when ACLs are enabled

Summary: IPv6 RA packets are getting dropped when ACLs are enabled

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux Fast Datapath
Classification:	Red Hat
Component:	ovn2.13
Sub Component:
Version:	FDP 20.C
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Numan Siddique
QA Contact:	ying xu
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1854333 (view as bug list)
Depends On:
Blocks:	1848401 1854334
TreeView+	depends on / blocked

Reported:	2020-06-18 09:54 UTC by Numan Siddique
Modified:	2020-07-15 13:01 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1848401 (view as bug list)
Environment:
Last Closed:	2020-07-15 13:00:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	ovn-org/ovn/commit/90e5971018277ab0f383a56f59ffcfe17466a2c6	0	None	None	None	2020-09-23 06:56:08 UTC
Red Hat Product Errata	RHBA-2020:2941	0	None	None	None	2020-07-15 13:01:30 UTC

Description Numan Siddique 2020-06-18 09:54:01 UTC

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Numan Siddique 2020-06-18 10:01:08 UTC

When a VM with IPv6 configured comes up and when it sends Router solicitation packet, ovn-controller
responds to it, but it gets dropped if the logical switch pipeline of the VM has ACLs with allow-related
configured.

Comment 5 ying xu 2020-06-30 01:19:10 UTC

My script :
ovn-nbctl lr-add rtr
                ovn-nbctl lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 2000::1/64
                ovn-nbctl lrp-add rtr rtr-ls2 00:00:00:00:02:00 77.77.77.1/24 2002::1/64
                ovn-nbctl lrp-add rtr rtr-ls3 00:00:00:00:03:00 66.66.66.1/24 2003::1/64

                ovn-nbctl ls-add ls
                ovn-nbctl lsp-add ls ls-rtr
                ovn-nbctl lsp-set-addresses ls-rtr 00:00:00:00:01:00
                ovn-nbctl lsp-set-type ls-rtr router
                ovn-nbctl lsp-set-options ls-rtr router-port=rtr-ls
                ovn-nbctl lsp-add ls vm1
                ovn-nbctl lsp-set-addresses vm1 00:00:00:00:00:01
ip netns add vm1
                ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
                ip link set vm1 netns vm1
                ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
                ip netns exec vm1 ip addr add 42.42.42.2/24 dev vm1
                ip netns exec vm1 ip -6 addr add 2000::2/64 dev vm1
                ip netns exec vm1 ip link set vm1 up
                ip netns exec vm1 ip r a default via 42.42.42.1
                ip netns exec vm1 ip -6 route add default via 2000::1
                ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
                ovs-vsctl set open . external_ids:system-id=local
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:send_periodic=true
                ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:address_mode=slaac
                ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:max_interval=10
                ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:min_interval=5
                ovn-nbctl acl-add ls from-lport 900 "ip" allow-related
                ip netns exec vm1 ip link set vm1 down
                ip netns exec vm1 tcpdump -U -i any -nn -v -w ra1.pcap&
                sleep 2
                ip netns exec vm1 ip link set vm1 up
                sleep 20
                pkill tcpdump

I talked with numan, acl rules with any but action allow-related is nesessary.

But I run the script on the earlier version,I couldn't reproduce it.  
vm1 can recieve the ra packets and get dynamic address.

of course,I run it on the latest version,it works right too.

so I  verify this bug as RA is received with ACLs with allow-related added

Comment 6 Jakub Libosvar 2020-07-07 10:14:02 UTC

*** Bug 1854334 has been marked as a duplicate of this bug. ***

Comment 7 Jakub Libosvar 2020-07-07 10:14:54 UTC

*** Bug 1854333 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2020-07-15 13:00:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2941

Note You need to log in before you can comment on or make changes to this bug.