
[Openstack] Help with ipv6 self-service and ip6tables rule on mangle chain


Thank you so much Brian.

I was not using "address scope". After your indication I've read about this
feature working together with "subnet pool". However, the official
documentation is not so clear. For those looking for something more about the
usage of address scopes and subnet pools, I recommend this tutorial:

https://cloudbau.github.io/openstack/neutron/networking/ipv6/2017/09/11/neutron-pike-ipv6.html

Now I have 3 address scopes: 1 for IPv6 (this has 2 subnet pools, one for
the provider network and one for project networks, so IPv6 is routed), 1 for
the IPv4 provider subnet and 1 for IPv4 project networks (so IPv4 has 2
address scopes and is NATed).

One thing I've noticed is that when creating subnets using the openstack
command line client with a subnet pool, I can't specify allocation pools
nor the gateway. I have CARP and my gateway address is not the first IP, so
I have to change that. But, using the Horizon web interface, I can change these
settings.

Now the environment is dual stack.

Thank you!

- JLC


On Mon, Aug 27, 2018 at 3:33 PM Brian Haley <haleyb.dev at gmail.com> wrote:

> On 08/23/2018 12:53 PM, Jorge Luiz Correa wrote:
> > Hi all
> >
> > I'm deploying Queens on Ubuntu 18.04 with one controller, one network
> > controller and, for now, one compute node. I'm using ML2 with the linuxbridge
> > mechanism driver and a self-service type of network. This is a dual
> > stack environment (v4 and v6).
> >
> > IPv4 is working fine, NATs ok and packets flowing.
> >
> > With IPv6 I'm having a problem. Packets from external networks to a
> > project network are stopping at the qrouter namespace firewall. I have a
> > project with one network, one v4 subnet and one v6 subnet. Addressing is
> > all ok, virtual machines are getting their IPs and can ping the network
> > gateway.
> >
> > However, from external to project network, using IPv6, the packets stop
> > at a DROP rule inside the qrouter namespace.
>
> This looks like the address scopes of the subnets are different, so the
> rule to mark packets is not being inserted.  How are you assigning the
> subnet addresses on the external and internal networks?  Typically you
> would define a subnet pool and allocate from that, which should work.
> Perhaps this guide would help with that:
>
> https://docs.openstack.org/neutron/queens/admin/config-address-scopes.html
>
> The last sentence there seems to describe the problem you're having:
>
> "If the address scopes match between networks then pings and other
> traffic route directly through. If the scopes do not match between
> networks, the router either drops the traffic or applies NAT to cross
> scope boundaries."
>
> IPv6 in neutron does not use NAT...
>
> -Brian
>
>
> > The ip6tables path is:
> >
> > mangle prerouting -> neutron-l3-agent-PREROUTING ->
> > neutron-l3-agent-scope -> here we have a MARK rule:
> >
> > pkts bytes target     prot opt in              out     source               destination
> >    3   296 MARK       all      qr-7f2944e7-cc  *       ::/0                 ::/0                 MARK xset 0x4000000/0xffff0000
> >
> > The qr interface is the internal network interface of the project (subnet
> > gateway). So, packets from this interface are marked.
> >
> > But the return path is the problem. The packets don't return. I have
> > rules on the nexthop firewall and packets arrive on the external
> > bridge (network node). But, when they arrive on the external interface of
> > the qrouter namespace, they are filtered.
> >
> > Inside qrouter namespace this is the rule:
> >
> > ip netns exec qrouter-5689783d-52c0-4d2f-bef5-99b111f8ef5f ip6tables -t
> > mangle -L -n -v
> >
> > ...
> > Chain neutron-l3-agent-scope (1 references)
> >   pkts bytes target     prot opt in     out             source               destination
> >      0     0 DROP       all      *      qr-7f2944e7-cc  ::/0                 ::/0                 mark match ! 0x4000000/0xffff0000
> > ...
> >
> > If I create the following rule everything works great:
> >
> > ip netns exec qrouter-5689783d-52c0-4d2f-bef5-99b111f8ef5f ip6tables -t
> > mangle -I neutron-l3-agent-scope -i qg-b6757bfe-c1 -j MARK --set-xmark
> > 0x4000000/0xffff0000
> >
> > where qg is the external interface of the virtual router. So, if I mark
> > packets from the external interface in mangle, they are not filtered.
> >
> > Is this normal? Do I have to manually add a rule to do that?
> >
> > How do I use the "external_ingress_mark" option in l3-agent.ini? Can I
> > use it to mark packets using a configuration parameter instead of a
> > manually inserted ip6tables rule?
> >
> > Thanks a lot!
> >
> > - JLC
> >
> >
>
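As an added diagnostic (not from the thread, and not Neutron's own code), the script below parses the `ip6tables -t mangle -L -n -v` listing of the neutron-l3-agent-scope chain and reports DROP rules that no MARK rule on the external interface can satisfy, which is the address-scope mismatch symptom discussed above. The sample chain is constructed from the output quoted in the thread; the qg-/qr- interface prefixes and the `-L -v` column layout are assumptions.

```python
"""Added diagnostic: DROP rules in neutron-l3-agent-scope that no qg-* MARK rule satisfies."""
import re

# Constructed sample, reflowed from the ip6tables -t mangle -L -n -v output quoted above.
SAMPLE_CHAIN = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in     out     source    destination
    3   296 MARK       all      qr-7f2944e7-cc *       ::/0  ::/0  MARK xset 0x4000000/0xffff0000
    0     0 DROP       all      *      qr-7f2944e7-cc  ::/0  ::/0  mark match ! 0x4000000/0xffff0000
"""
# Same chain after the thread's manual `-I ... -i qg-b6757bfe-c1 -j MARK --set-xmark` rule.
FIXED_CHAIN = SAMPLE_CHAIN.replace("    3   296 MARK",
    "    0     0 MARK       all      qg-b6757bfe-c1 *       ::/0  ::/0  MARK xset 0x4000000/0xffff0000\n"
    "    3   296 MARK", 1)

MARK_RE = re.compile(r"MARK xset (0x[0-9a-f]+)/(0x[0-9a-f]+)")
DROP_RE = re.compile(r"mark match ! (0x[0-9a-f]+)/(0x[0-9a-f]+)")

def parse_chain(output, chain="neutron-l3-agent-scope"):
    """Yield (target, in_if, out_if, match_text) for each rule of `chain`."""
    in_chain = False
    for line in output.splitlines():
        cols = line.split()
        if cols and cols[0] == "Chain":
            in_chain = cols[1] == chain
            continue
        if not in_chain or len(cols) < 8 or cols[0] == "pkts":
            continue
        rest = cols[4:]                # columns after: pkts bytes target prot
        if rest[0] == "--":            # iptables prints an opt column, ip6tables omits it
            rest = rest[1:]
        yield cols[2], rest[0], rest[1], " ".join(rest[4:])

def unsatisfied_drops(output, external_prefix="qg-"):
    """Return [(out_if, required_mark)] for DROP rules no qg-* MARK rule can satisfy."""
    rules = list(parse_chain(output))
    ext_marks = [(int(m.group(1), 16), int(m.group(2), 16))
                 for target, in_if, _, match in rules
                 if target == "MARK" and in_if.startswith(external_prefix)
                 and (m := MARK_RE.search(match))]
    problems = []
    for target, _, out_if, match in rules:
        m = DROP_RE.search(match)
        if target != "DROP" or not m:
            continue
        want, mask = int(m.group(1), 16), int(m.group(2), 16)
        # --set-xmark val/smask leaves mark & smask == val; the match needs mark & mask == want
        if not any((val & mask) == want and (smask & mask) == mask for val, smask in ext_marks):
            problems.append((out_if, f"{want:#x}/{mask:#x}"))
    return problems
```

Run it against `ip netns exec qrouter-<id> ip6tables -t mangle -L -n -v` output; an empty list means inbound traffic on the external interface carries the mark the internal port's DROP rule requires.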