Bug 1848401 - IPv6 RA packets are getting dropped when ACLs are enabled
Summary: IPv6 RA packets are getting dropped when ACLs are enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.11
Version: FDP 20.C
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: OVN Team
QA Contact: ying xu
URL:
Whiteboard:
Depends On: 1848398
Blocks:
Reported: 2020-06-18 10:02 UTC by Numan Siddique
Modified: 2020-08-18 11:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1848398
Environment:
Last Closed: 2020-08-18 11:23:25 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3487 0 None None None 2020-08-18 11:23:38 UTC

Description Numan Siddique 2020-06-18 10:02:18 UTC
+++ This bug was initially created as a clone of Bug #1848398 +++


--- Additional comment from Numan Siddique on 2020-06-18 10:01:08 UTC ---

When a VM with IPv6 configured comes up and sends a Router Solicitation packet, ovn-controller
responds to it, but it gets dropped if the logical switch pipeline of the VM has ACLs with allow-related
configured.

Comment 4 ying xu 2020-07-20 02:54:33 UTC
verified on version:
# rpm -qa|grep ovn
ovn2.11-host-2.11.1-53.el8fdp.x86_64
ovn2.11-central-2.11.1-53.el8fdp.x86_64
ovn2.11-2.11.1-53.el8fdp.x86_64


ovn-nbctl lr-add rtr
ovn-nbctl lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 2000::1/64
ovn-nbctl lrp-add rtr rtr-ls2 00:00:00:00:02:00 77.77.77.1/24 2002::1/64
ovn-nbctl lrp-add rtr rtr-ls3 00:00:00:00:03:00 66.66.66.1/24 2003::1/64

ovn-nbctl ls-add ls
ovn-nbctl lsp-add ls ls-rtr
ovn-nbctl lsp-set-addresses ls-rtr 00:00:00:00:01:00
ovn-nbctl lsp-set-type ls-rtr router
ovn-nbctl lsp-set-options ls-rtr router-port=rtr-ls
ovn-nbctl lsp-add ls vm1
ovn-nbctl lsp-set-addresses vm1 00:00:00:00:00:01
ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
ip netns exec vm1 ip addr add 42.42.42.2/24 dev vm1
ip netns exec vm1 ip -6 addr add 2000::2/64 dev vm1
ip netns exec vm1 ip link set vm1 up
ip netns exec vm1 ip r a default via 42.42.42.1
ip netns exec vm1 ip -6 route add default via 2000::1
ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
ovs-vsctl set open . external_ids:system-id=local
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:send_periodic=true
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:address_mode=slaac
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:max_interval=10
ovn-nbctl set Logical_Router_Port rtr-ls ipv6_ra_configs:min_interval=5
ovn-nbctl acl-add ls from-lport 900 "ip" allow-related
ip netns exec vm1 ip link set vm1 down
ip netns exec vm1 tcpdump -U -i any -nn -v -w ra1.pcap&
sleep 2
ip netns exec vm1 ip link set vm1 up
sleep 20
pkill tcpdump

tcpdump -r ra1.pcap |grep router.*s
reading from file ra1.pcap, link-type LINUX_SLL (Linux cooked)
22:34:28.868332 IP6 fe80::200:ff:fe00:2 > ff02::2: ICMP6, router solicitation, length 16       ------send rs
22:34:28.868917 IP6 fe80::200:ff:fe00:200 > fe80::200:ff:fe00:2: ICMP6, router advertisement, length 56     ----------received ra
22:34:32.376624 IP6 fe80::200:ff:fe00:200 > ff02::1: ICMP6, router advertisement, length 56
22:34:40.193651 IP6 fe80::200:ff:fe00:200 > ff02::1: ICMP6, router advertisement, length 56

ip netns exec vm2 ip a|grep inet6.*2002::
    inet6 2002::200:ff:fe00:2/64 scope global dynamic mngtmpaddr   --------------------vm2 got the addr
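
The check done by eye in the capture above can be scripted; the following is an added example, not part of the bug report or of OVN. The function and sample names are hypothetical, it assumes the one-line tcpdump text format shown in the comment, and it counts only a unicast RA addressed to the solicitor (periodic multicast RAs to ff02::1 are not counted as the reply).

```sh
#!/bin/sh
# Added example: checks tcpdump text output for solicited Router Advertisements.
# Usage (assumed): tcpdump -nn -r ra1.pcap 2>/dev/null | check_rs_answered
# Exit status: 0 = every RS got a unicast RA, 1 = some RS unanswered, 2 = no RS seen.
check_rs_answered() {
    awk '
    # Line shape: TIME IP6 SRC > DST: ICMP6, router solicitation, length N
    $2 == "IP6" && /ICMP6, router solicitation/ {
        pending[$3] = $1            # solicitor address -> time of its RS
        seen++
        next
    }
    $2 == "IP6" && /ICMP6, router advertisement/ {
        dst = $5
        sub(/:$/, "", dst)          # drop the ":" tcpdump appends to DST
        if (dst in pending)         # unicast RA addressed to a solicitor
            delete pending[dst]
    }
    END {
        if (!seen) { print "no router solicitation in capture"; exit 2 }
        n = 0
        for (a in pending) {
            printf "unanswered RS from %s at %s\n", a, pending[a]
            n++
        }
        exit (n > 0)
    }'
}

# Lines taken from the capture in the comment above (annotations removed).
sample_answered() {
    cat <<'EOF'
22:34:28.868332 IP6 fe80::200:ff:fe00:2 > ff02::2: ICMP6, router solicitation, length 16
22:34:28.868917 IP6 fe80::200:ff:fe00:200 > fe80::200:ff:fe00:2: ICMP6, router advertisement, length 56
22:34:32.376624 IP6 fe80::200:ff:fe00:200 > ff02::1: ICMP6, router advertisement, length 56
EOF
}

# Constructed sample (not a capture from this bug): the RS has no unicast reply.
sample_unanswered() {
    cat <<'EOF'
22:34:28.868332 IP6 fe80::200:ff:fe00:2 > ff02::2: ICMP6, router solicitation, length 16
22:34:32.376624 IP6 fe80::200:ff:fe00:200 > ff02::1: ICMP6, router advertisement, length 56
EOF
}
```
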

Comment 6 errata-xmlrpc 2020-08-18 11:23:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn2.11 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3487

