Bug 1848398
| Summary: | IPv6 RA packets are getting dropped when ACLs are enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Numan Siddique <nusiddiq> |
| Component: | ovn2.13 | Assignee: | Numan Siddique <nusiddiq> |
| Status: | CLOSED ERRATA | QA Contact: | ying xu <yinxu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | FDP 20.C | CC: | ctrautma, jishi, jlibosva, ralongi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1848401 | Environment: | |
| Last Closed: | 2020-07-15 13:00:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1848401, 1854334 | | |

Description
Numan Siddique
2020-06-18 09:54:01 UTC
When a VM with IPv6 configured comes up and sends a Router Solicitation packet, ovn-controller responds to it, but it gets dropped if the logical switch pipeline of the VM has ACLs with allow-related configured.

My script:

```
# Logical router with three ports, each with an IPv4 and an IPv6 network
ovn-nbctl lr-add rtr
ovn-nbctl lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 2000::1/64
ovn-nbctl lrp-add rtr rtr-ls2 00:00:00:00:02:00 77.77.77.1/24 2002::1/64
ovn-nbctl lrp-add rtr rtr-ls3 00:00:00:00:03:00 66.66.66.1/24 2003::1/64
# Logical switch "ls", attached to the router through port ls-rtr
ovn-nbctl ls-add ls
ovn-nbctl lsp-add ls ls-rtr
ovn-nbctl lsp-set-addresses ls-rtr 00:00:00:00:01:00
ovn-nbctl lsp-set-type ls-rtr router
ovn-nbctl lsp-set-options ls-rtr router-port=rtr-ls
# Switch port vm1, backed by an OVS internal interface moved into netns vm1
ovn-nbctl lsp-add ls vm1
ovn-nbctl lsp-set-addresses vm1 00:00:00:00:00:01
ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
ip netns exec vm1 ip addr add 42.42.42.2/24 dev vm1
ip netns exec vm1 ip -6 addr add 2000::2/64 dev vm1
ip netns exec vm1 ip link set vm1 up
ip netns exec vm1 ip r a default via 42.42.42.1
ip netns exec vm1 ip -6 route add default via 2000::1
ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
ovs-vsctl set open . external_ids:system-id=local
# Enable periodic IPv6 RAs (SLAAC) on the router port facing ls
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:send_periodic=true
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:address_mode=slaac
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:max_interval=10
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:min_interval=5
# ACL with allow-related on the logical switch
ovn-nbctl acl-add ls from-lport 900 "ip" allow-related
# Bring the interface down and up again while capturing inside the namespace
ip netns exec vm1 ip link set vm1 down
ip netns exec vm1 tcpdump -U -i any -nn -v -w ra1.pcap&
sleep 2
ip netns exec vm1 ip link set vm1 up
sleep 20
pkill tcpdump
```

I talked with Numan; ACL rules with any but action allow-related is necessary.
But I ran the script on the earlier version, and I couldn't reproduce it.
vm1 can receive the RA packets and get a dynamic address.
Of course, I ran it on the latest version, and it works right too.
So I verify this bug, as RA is received with ACLs with allow-related added.

*** Bug 1854334 has been marked as a duplicate of this bug. ***

*** Bug 1854333 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2941
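
To check the ra1.pcap capture written by the reproduction script for Router Advertisements, the following added example (not part of the bug report or of OVN) counts ICMPv6 RS and RA packets in a classic pcap file. The function names and the constructed sample capture are assumptions made for illustration.

```python
import struct
import sys

# pcap linktype -> (link header length, offset of the 2-byte protocol field)
LINK = {1: (14, 12), 113: (16, 14), 276: (20, 0)}  # Ethernet, Linux SLL, SLL2
ND_TYPES = {133: "RS", 134: "RA"}  # ICMPv6 Router Solicitation / Advertisement

def nd_counts(pcap: bytes) -> dict:
    """Count Router Solicitations and Advertisements in a classic pcap file."""
    if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif pcap[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in LINK:
        raise ValueError(f"unsupported linktype {linktype}")
    hdr_len, proto_off = LINK[linktype]
    counts, pos = {"RS": 0, "RA": 0}, 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        ip6 = frame[hdr_len:]
        # Need IPv6 ethertype, a full 40-byte IPv6 header and the ICMPv6 type byte.
        if frame[proto_off:proto_off + 2] != b"\x86\xdd" or len(ip6) < 41:
            continue
        # RS/RA normally follow the IPv6 header directly (next header 58).
        if ip6[6] == 58 and ip6[40] in ND_TYPES:
            counts[ND_TYPES[ip6[40]]] += 1
    return counts

def sample_capture(with_ra: bool) -> bytes:
    """Constructed Linux SLL capture: one RS, optionally followed by one RA."""
    def frame(icmp_type: int) -> bytes:
        sll = bytes(14) + b"\x86\xdd"
        ip6 = b"\x60" + bytes(5) + bytes([58, 255]) + bytes(32)
        return sll + ip6 + bytes([icmp_type]) + bytes(7)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 113)
    for f in [frame(133)] + ([frame(134)] if with_ra else []):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture(True)
    counts = nd_counts(data)
    print(counts, "RA seen" if counts["RA"] else "no RA in capture")
```

Run it with the path to ra1.pcap as the only argument; a capture showing RS packets but an RA count of 0 matches the behaviour described in this bug.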