[Bug 1570122] Re: ipv6 prefix delegated subnets are not accessible external of the router they are attached.
James Page
james.page at ubuntu.com
Fri Oct 20 11:23:55 UTC 2017
Newton UCA has 9.4.0 - Marking UCA and Ubuntu tasks fix released.
** Changed in: cloud-archive
Status: New => Fix Released
** Changed in: cloud-archive
Importance: Undecided => High
** Changed in: neutron (Ubuntu)
Importance: Undecided => High
** Changed in: neutron (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1570122
Title:
ipv6 prefix delegated subnets are not accessible external of the
router they are attached.
Status in Ubuntu Cloud Archive:
Fix Released
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
Fix Released
Bug description:
Currently ip6tables in the qrouter namespace has the following rule.
This causes unmarked packets to drop.

  -A neutron-l3-agent-scope -o qr-ca9ffa4f-fd -m mark ! --mark 0x4010000/0xffff0000 -j DROP

It seems that prefix delegated subnets don't get that mark set on
incoming traffic from the gateway port; I had to add my own rule to do
that.

  ip6tables -t mangle -A neutron-l3-agent-scope -i qg-ac290c4b-4f -j MARK --set-xmark 0x4010000/0xffff0000

At the moment that is probably too permissive; it should likely be
limited based on the prefix delegated, with a '-d dead:beef:cafe::/64'
or whatever the delegation is (tested this and it does work).
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1570122/+subscriptions
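
A small Python model of the mark check described in the bug, added here as an illustration (not code from Neutron or from the reporter): it applies the quoted `--mark` and `--set-xmark` value/mask to a packet mark and returns the verdict with no marking rule, with the reporter's rule, and with that rule limited by `-d` to the delegated prefix. The function names and the destination 2001:db8:1::10 are assumptions, and only the two quoted rules are modeled.

```python
import ipaddress

# Values taken from the rules quoted in the bug description.
SCOPE_MARK = 0x4010000
SCOPE_MASK = 0xFFFF0000
GW_PORT = "qg-ac290c4b-4f"
INTERNAL_PORT = "qr-ca9ffa4f-fd"
# Example prefix used in the report; stands in for the real delegation.
DELEGATED = ipaddress.ip_network("dead:beef:cafe::/64")


def set_xmark(mark, value, mask):
    """MARK --set-xmark value/mask: clear the mask bits, then XOR in value."""
    return ((mark & ~mask) ^ value) & 0xFFFFFFFF


def mark_matches(mark, value, mask):
    """-m mark --mark value/mask: compare only the bits selected by mask."""
    return (mark & mask) == value


def forward(in_if, out_if, dst, mangle_rule=None, mark=0):
    """Return (verdict, final_mark) for one packet crossing the router.

    mangle_rule is None (no marking rule), "any" (the reporter's rule: every
    packet from the gateway port) or "prefix" (same rule plus -d DELEGATED).
    This is a simplified model (assumption): no other chains are considered.
    """
    dst = ipaddress.ip_address(dst)
    # Marking rule in the mangle table, applied on the gateway port only.
    if mangle_rule and in_if == GW_PORT:
        if mangle_rule == "any" or dst in DELEGATED:
            mark = set_xmark(mark, SCOPE_MARK, SCOPE_MASK)
    # Quoted rule: -o qr-... -m mark ! --mark 0x4010000/0xffff0000 -j DROP
    if out_if == INTERNAL_PORT and not mark_matches(mark, SCOPE_MARK, SCOPE_MASK):
        return "DROP", mark
    return "ACCEPT", mark


if __name__ == "__main__":
    # Constructed destinations: one inside the delegated prefix, one outside.
    for rule in (None, "any", "prefix"):
        for dst in ("dead:beef:cafe::10", "2001:db8:1::10"):
            print(rule, dst, forward(GW_PORT, INTERNAL_PORT, dst, rule))
```

The "any" case marks traffic to every destination arriving on the gateway port, which is the permissiveness the reporter notes; the "prefix" case marks only packets addressed to the delegation.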