Public bug reported:

Currently ip6tables in the qrouter namespace has the following rule. This causes unmarked packets to drop.

  -A neutron-l3-agent-scope -o qr-ca9ffa4f-fd -m mark ! --mark 0x4010000/0xffff0000 -j DROP

It seems that prefix delegated subnets don't get that mark set on incoming traffic from the gateway port; I had to add my own rule to do that.

  ip6tables -t mangle -A neutron-l3-agent-scope -i qg-ac290c4b-4f -j MARK --set-xmark 0x4010000/0xffff0000

At the moment that is probably too permissive; it should likely be limited based on the prefix delegated, with a '-d dead:beef:cafe::/64' or whatever the delegation is (tested this and it does work).

** Affects: neutron
     Importance: Undecided
         Status: Confirmed

** Tags: ipv6 l3-ipam-dhcp

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570122

Title:
  ipv6 prefix delegated subnets are not accessible external of the router they are attached.

Status in neutron:
  Confirmed
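
The mark logic described in the report above, as an added model that is not part of the original report and is not Neutron code. It evaluates the quoted rules with the documented iptables semantics (`! --mark v/m` matches when `(mark & m) != v`; `--set-xmark v/m` clears the mask bits and XORs in the value). The packets, the interface `qr-00000000-00` and the address `2001:db8:1::10` are constructed for illustration.

```python
import ipaddress

# Rules as quoted in the report; SCOPED_FIX adds the '-d' restriction the reporter suggests.
DROP_RULE = "-A neutron-l3-agent-scope -o qr-ca9ffa4f-fd -m mark ! --mark 0x4010000/0xffff0000 -j DROP"
BROAD_FIX = "-A neutron-l3-agent-scope -i qg-ac290c4b-4f -j MARK --set-xmark 0x4010000/0xffff0000"
SCOPED_FIX = "-A neutron-l3-agent-scope -d dead:beef:cafe::/64 -i qg-ac290c4b-4f -j MARK --set-xmark 0x4010000/0xffff0000"

def opt(rule, flag):
    """Return the argument following flag in a rule line, or None if absent."""
    words = rule.split()
    return words[words.index(flag) + 1] if flag in words else None

def value_mask(spec):
    """Parse 'value/mask' (hex); a missing mask means all 32 bits."""
    value, _, mask = spec.partition("/")
    return int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF

def mark_after(mangle_rules, pkt):
    """Apply MARK --set-xmark rules in order: mark = (mark & ~mask) ^ value."""
    mark = pkt["mark"]
    for rule in mangle_rules:
        if opt(rule, "-i") not in (None, pkt["in"]):
            continue  # rule is bound to a different ingress interface
        dst = opt(rule, "-d")
        if dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
            continue  # destination is outside the rule's prefix
        value, mask = value_mask(opt(rule, "--set-xmark"))
        mark = (mark & ~mask & 0xFFFFFFFF) ^ value
    return mark

def forwarded(mangle_rules, pkt):
    """False when the scope rule drops the packet, i.e. (mark & mask) != value."""
    if opt(DROP_RULE, "-o") != pkt["out"]:
        return True  # the DROP rule only applies to its own qr- port
    value, mask = value_mask(opt(DROP_RULE, "--mark"))
    return (mark_after(mangle_rules, pkt) & mask) == value

# Constructed packets: both arrive unmarked on the gateway port.
TO_DELEGATED = {"in": "qg-ac290c4b-4f", "out": "qr-ca9ffa4f-fd",
                "dst": "dead:beef:cafe::10", "mark": 0}
TO_OTHER = {"in": "qg-ac290c4b-4f", "out": "qr-00000000-00",  # hypothetical port
            "dst": "2001:db8:1::10", "mark": 0}

if __name__ == "__main__":
    for name, rules in (("no rule", []), ("broad", [BROAD_FIX]), ("scoped", [SCOPED_FIX])):
        print(name, forwarded(rules, TO_DELEGATED), hex(mark_after(rules, TO_OTHER)))
```

With the broad rule, traffic to any destination arriving on the gateway port picks up the scope mark; with the `-d` restriction only traffic to the delegated prefix does.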