[Bug 2046804] Re: OVN ic-route-blacklist does not work for IPv6 prefixes
Roberto Bartzen Acosta
2046804 at bugs.launchpad.net
Mon Feb 19 21:41:10 UTC 2024
Related fix released to branch: main
https://github.com/ovn-org/ovn/commit/78750699ab195a1b2c48fbab8546ed0651b05de4
** Changed in: ovn (Ubuntu)
Assignee: (unassigned) => Roberto Bartzen Acosta (rbartzen)
** Changed in: ovn (Ubuntu)
Status: New => In Progress
** Changed in: ovn (Ubuntu)
Status: In Progress => Fix Committed
https://bugs.launchpad.net/bugs/2046804
Title:
OVN ic-route-blacklist does not work for IPv6 prefixes
Status in ovn package in Ubuntu:
Fix Committed
Bug description:
The OVN interconnect introduced a new filter option in the NB_Global
table:
options : ic-route-blacklist: optional string
A string value contains a list of CIDRs delimited by ",". A
route will not be advertised or learned if the route’s prefix
belongs to any of the CIDRs listed.
There is a bug related to the ic-route-blacklist option: it does not work with IPv6.
For IPv6 to work, we have to remove the IPv6 subnet from the blacklist configuration, because when we add IPv6 CIDRs to the OVN IC blacklist, all IPv6 prefixes stop being advertised.
This filter option is useful for not advertising the subnet of the provider's network on the Transit Switch and avoiding Network 'Tromboning' behavior, for example.
There are no test checks in the OVN test suite for IPv6 blacklist
(only for IPv4).
How to reproduce the issue:
1. Create all interconnect configuration without blacklisting IPv6
subnets.
* cluster 1
$ ovn-nbctl list nb_global
_uuid : b94434ed-3ea6-47fd-9db2-514296b8ffb7
connections : []
external_ids : {"neutron:liveness_check_at"="2023-12-17 15:44:49.200848+00:00"}
hv_cfg : 147
hv_cfg_timestamp : 1702827889216
ipsec : false
name : osp1
nb_cfg : 147
nb_cfg_timestamp : 1702827889208
options : {ic-route-adv="true", ic-route-blacklist="200.200.200.0/24,200.200.201.0/24", ic-route-learn="true", mac_prefix="9a:d2:ab", max_tunid="4095", northd_internal_version="23.09.0-20.29.0-71.6", svc_monitor_mac="06:4c:fb:f3:5b:e6"}
sb_cfg : 147
sb_cfg_timestamp : 1702827889219
ssl : []
* cluster 2
ovn-nbctl list nb_global
_uuid : d4c2dcce-cefd-46f9-9499-fa36c6a58033
connections : []
external_ids : {"neutron:liveness_check_at"="2023-12-16 22:40:31.985612+00:00"}
hv_cfg : 87
hv_cfg_timestamp : 1702766432004
ipsec : false
name : osp2
nb_cfg : 87
nb_cfg_timestamp : 1702766431989
options : {ic-route-adv="true", ic-route-blacklist="200.200.200.0/24,200.200.201.0/24", ic-route-learn="true", mac_prefix="22:71:00", max_tunid="4095", northd_internal_version="23.09.0-20.29.0-71.6", svc_monitor_mac="22:74:2e:4c:d5:9b"}
sb_cfg : 87
sb_cfg_timestamp : 1702766431998
ssl : []
* cluster 3
ovn-nbctl list nb_global
_uuid : cbfadb8c-dbee-4ded-97ea-6aef4b803b19
connections : []
external_ids : {"neutron:liveness_check_at"="2023-12-17 15:45:04.122119+00:00"}
hv_cfg : 75
hv_cfg_timestamp : 1702827904158
ipsec : false
name : osp3
nb_cfg : 75
nb_cfg_timestamp : 1702827904141
options : {ic-route-adv="true", ic-route-blacklist="200.200.200.0/24", ic-route-learn="true", mac_prefix="92:8f:66", max_tunid="4095", northd_internal_version="23.09.0-20.29.0-71.6", svc_monitor_mac="9a:16:92:67:38:83"}
sb_cfg : 75
sb_cfg_timestamp : 1702827904154
ssl : []
2. Check networks learned from remote OVN clusters
* cluster 1, for example:
$ ovn-nbctl lr-route-list 078fd69b-f4c7-4469-a900-918d0a229bd1
IPv4 Routes
Route Table <main>:
10.0.1.0/24 169.254.100.12 dst-ip (learned)
10.0.2.0/24 169.254.100.13 dst-ip (learned)
172.16.0.0/24 169.254.50.1 dst-ip
0.0.0.0/0 200.200.200.1 dst-ip
IPv6 Routes
Route Table <main>:
2001:db8:1::/64 fd00::2 dst-ip (learned)
2001:db8:1::/64 fd00::3 dst-ip (learned)
2801:80:3ea0:822::/64 fd00::2 dst-ip (learned)
2801:80:3ea0:823::/64 fd00::3 dst-ip (learned)
::/0 2001:db8:1:: dst-ip
3. Apply the provider's subnet filter
* cluster 1
ovn-nbctl list nb_global
_uuid : b94434ed-3ea6-47fd-9db2-514296b8ffb7
connections : []
external_ids : {"neutron:liveness_check_at"="2023-12-17 15:44:49.200848+00:00"}
hv_cfg : 147
hv_cfg_timestamp : 1702827889216
ipsec : false
name : osp1
nb_cfg : 147
nb_cfg_timestamp : 1702827889208
options : {ic-route-adv="true", ic-route-blacklist="200.200.200.0/24,200.200.201.0/24,2801:80:3ea0:821::/64", ic-route-learn="true", mac_prefix="9a:d2:ab", max_tunid="4095", northd_internal_version="23.09.0-20.29.0-71.6", svc_monitor_mac="06:4c:fb:f3:5b:e6"}
sb_cfg : 147
sb_cfg_timestamp : 1702827889219
ssl : []
* cluster 2
ovn-nbctl list nb_global
_uuid : d4c2dcce-cefd-46f9-9499-fa36c6a58033
connections : []
external_ids : {"neutron:liveness_check_at"="2023-12-16 22:40:31.985612+00:00"}
hv_cfg : 87
hv_cfg_timestamp : 1702766432004
ipsec : false
name : osp2
nb_cfg : 87
nb_cfg_timestamp : 1702766431989
options : {ic-route-adv="true", ic-route-blacklist="200.200.200.0/24,200.200.201.0/24,2801:80:3ea0:822::/64", ic-route-learn="true", mac_prefix="22:71:00", max_tunid="4095", northd_internal_version="23.09.0-20.29.0-71.6", svc_monitor_mac="22:74:2e:4c:d5:9b"}
sb_cfg : 87
sb_cfg_timestamp : 1702766431998
ssl : []
* cluster 3
ovn-nbctl list nb_global
_uuid : cbfadb8c-dbee-4ded-97ea-6aef4b803b19
connections : []
external_ids : {"neutron:liveness_check_at"="2023-12-17 15:45:04.122119+00:00"}
hv_cfg : 75
hv_cfg_timestamp : 1702827904158
ipsec : false
name : osp3
nb_cfg : 75
nb_cfg_timestamp : 1702827904141
options : {ic-route-adv="true", ic-route-blacklist="200.200.200.0/24,2801:80:3ea0:823::/64", ic-route-learn="true", mac_prefix="92:8f:66", max_tunid="4095", northd_internal_version="23.09.0-20.29.0-71.6", svc_monitor_mac="9a:16:92:67:38:83"}
sb_cfg : 75
sb_cfg_timestamp : 1702827904154
ssl : []
4. Check networks learned from remote clusters
* cluster 1
ovn-nbctl lr-route-list 078fd69b-f4c7-4469-a900-918d0a229bd1
IPv4 Routes
Route Table <main>:
10.0.1.0/24 169.254.100.12 dst-ip (learned)
10.0.2.0/24 169.254.100.13 dst-ip (learned)
172.16.0.0/24 169.254.50.1 dst-ip
0.0.0.0/0 200.200.200.1 dst-ip
IPv6 Routes
Route Table <main>:
::/0 2001:db8:1:: dst-ip
Interconnection networks that were not included in the blacklist have also been filtered!!!
* we should have the 2001:db8:1::/64 network there
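
An added example, not part of the bug report or of the OVN code base: an operator-side check that compares learned routes before and after a blacklist change and reports prefixes that disappeared although no listed CIDR covers them. The route listings and blacklist strings are copied from the steps above; the function names are hypothetical, and combining the blacklists of all three clusters is an assumption based on the option applying to both advertising and learning.

```python
import ipaddress

def parse_blacklist(value):
    """Parse an ic-route-blacklist string (CIDRs delimited by ",")."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]

def is_blacklisted(prefix, blacklist):
    """True if the prefix belongs to any listed CIDR of the same address family."""
    net = ipaddress.ip_network(prefix, strict=False)
    # subnet_of() raises TypeError across families, so compare versions first.
    return any(net.version == b.version and net.subnet_of(b) for b in blacklist)

def learned_prefixes(lr_route_list_output):
    """Collect the prefixes of lines marked (learned) in lr-route-list output."""
    found = set()
    for line in lr_route_list_output.splitlines():
        fields = line.split()
        if fields and fields[-1] == "(learned)":
            found.add(fields[0])
    return found

def unexpectedly_filtered(before, after, blacklists):
    """Learned prefixes that vanished although no blacklist entry covers them."""
    combined = [n for b in blacklists for n in parse_blacklist(b)]
    gone = learned_prefixes(before) - learned_prefixes(after)
    return sorted(p for p in gone if not is_blacklisted(p, combined))

# Learned routes on cluster 1, from steps 2 and 4 of the report.
BEFORE = """10.0.1.0/24 169.254.100.12 dst-ip (learned)
10.0.2.0/24 169.254.100.13 dst-ip (learned)
2001:db8:1::/64 fd00::2 dst-ip (learned)
2001:db8:1::/64 fd00::3 dst-ip (learned)
2801:80:3ea0:822::/64 fd00::2 dst-ip (learned)
2801:80:3ea0:823::/64 fd00::3 dst-ip (learned)
::/0 2001:db8:1:: dst-ip"""
AFTER = """10.0.1.0/24 169.254.100.12 dst-ip (learned)
10.0.2.0/24 169.254.100.13 dst-ip (learned)
::/0 2001:db8:1:: dst-ip"""
# ic-route-blacklist values of clusters 1, 2 and 3 from step 3.
BLACKLISTS = [
    "200.200.200.0/24,200.200.201.0/24,2801:80:3ea0:821::/64",
    "200.200.200.0/24,200.200.201.0/24,2801:80:3ea0:822::/64",
    "200.200.200.0/24,2801:80:3ea0:823::/64",
]

if __name__ == "__main__":
    print(unexpectedly_filtered(BEFORE, AFTER, BLACKLISTS))
```

A non-empty result after adding an IPv6 CIDR to the blacklist indicates the behaviour described in this bug.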