Public bug reported: Hi,
Running rocky on Ubuntu 18.04 deployed by juju, using ML2, ovs, iptables. IPv6 appears to be broken because of missing MARK-related rules in the qrouter netns. The iptables and ip6tables rules generated by neutron are https://pastebin.ubuntu.com/p/S32TQcmTzX/ For egress (traffic leaving an instance) to work, the following additional rule is needed : sudo ip6tables -t mangle -I neutron-l3-agent-POSTROUTING -o qg-45ba891c-4c -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000 The following patch should fix the problem : https://pastebin.ubuntu.com/p/RpbYBjCVnp/ (sorry, I don't have time right now to update the tests for a proper merge request) For ingress, the following is needed : sudo ip6tables -t mangle -A neutron-l3-agent-scope -i qg-45ba891c-4c -j MARK --set-xmark 0x4000000/0xffff0000 Haven't had the time to dig out in the code where exactly the bug is. Is IPv6 working for anyone with this setup ? Are these commands the right fix ? (I'm just mimicking what IPv4 does) I've looked at unit tests for my patch above, and IPv6 testing is extremely limited. My IPv6 subnet got created with : $ openstack subnet create --network net_instances --ip-version 6 --ipv6-address-mode=slaac --ipv6-ra-mode=slaac --allocation-pool start=<ipv6start>,end=<ipv6end> --subnet-range <ipv6net>::/64 --gateway <ipv6gateway> subnet_instances_v6 Thanks ** Affects: neutron Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1818960 Title: IPv6 not working with iptables Status in neutron: New Bug description: Hi, Running rocky on Ubuntu 18.04 deployed by juju, using ML2, ovs, iptables. IPv6 appears to be broken because of missing MARK-related rules in the qrouter netns. 
The iptables and ip6tables rules generated by neutron are https://pastebin.ubuntu.com/p/S32TQcmTzX/ For egress (traffic leaving an instance) to work, the following additional rule is needed : sudo ip6tables -t mangle -I neutron-l3-agent-POSTROUTING -o qg-45ba891c-4c -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000 The following patch should fix the problem : https://pastebin.ubuntu.com/p/RpbYBjCVnp/ (sorry, I don't have time right now to update the tests for a proper merge request) For ingress, the following is needed : sudo ip6tables -t mangle -A neutron-l3-agent-scope -i qg-45ba891c-4c -j MARK --set-xmark 0x4000000/0xffff0000 Haven't had the time to dig out in the code where exactly the bug is. Is IPv6 working for anyone with this setup ? Are these commands the right fix ? (I'm just mimicking what IPv4 does) I've looked at unit tests for my patch above, and IPv6 testing is extremely limited. My IPv6 subnet got created with : $ openstack subnet create --network net_instances --ip-version 6 --ipv6-address-mode=slaac --ipv6-ra-mode=slaac --allocation-pool start=<ipv6start>,end=<ipv6end> --subnet-range <ipv6net>::/64 --gateway <ipv6gateway> subnet_instances_v6 Thanks To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1818960/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
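As an added check, not part of the bug report and not neutron code: the script below takes the IPv4 and IPv6 mangle tables of a qrouter namespace in iptables-save format, lists every IPv4 rule that has no identical IPv6 twin in the same chain, and renders the ip6tables commands that would insert each one at the position its IPv4 counterpart occupies. This is the "mimic what IPv4 does" comparison the reporter describes, made mechanical. The two sample tables are constructed from the two rules quoted in the report plus the usual jumps into the neutron chains; they are not the pastebin contents. Skipping rules that carry an IPv4 address literal (such as a metadata rule on 169.254.169.254) is this example's own heuristic, and it assumes the neutron chains already exist in the IPv6 table.

```python
"""Diff the IPv4 and IPv6 mangle tables of a qrouter netns and emit ip6tables
commands for the rules that exist only for IPv4 (added example, not neutron code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `iptables-save -t mangle` output for a qrouter netns,
# built from the two rules quoted in the bug report. NOT the pastebin content;
# the metadata rule is included only to show the IPv4-literal exclusion.
IPTABLES_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-scope - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-POSTROUTING -o qg-45ba891c-4c -m connmark --mark 0x0/0xffff0000 -j CONNMARK --save-mark --nfmask 0xffff0000 --ctmask 0xffff0000
-A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff
-A neutron-l3-agent-scope -i qg-45ba891c-4c -j MARK --set-xmark 0x4000000/0xffff0000
COMMIT
"""

# Constructed `ip6tables-save -t mangle` sample: same chains and jumps, but
# without the CONNMARK save on egress and the MARK on ingress.
IP6TABLES_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-scope - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-PREROUTING -j neutron-l3-agent-scope
COMMIT
"""

# Rules keyed on an IPv4 address literal cannot have an IPv6 twin; this
# exclusion is the example's own heuristic.
IPV4_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")


def parse_rules(save_output: str) -> Dict[str, List[str]]:
    """Map chain name -> ordered rule specs from iptables-save/ip6tables-save text.
    Only '-A <chain> <spec>' lines are rules; '*table', ':chain', 'COMMIT' and
    '#' comment lines are skipped."""
    rules: Dict[str, List[str]] = {}
    for line in save_output.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) == 3 and parts[0] == "-A":
            rules.setdefault(parts[1], []).append(parts[2])
    return rules


def missing_v6_rules(v4_save: str, v6_save: str) -> List[Tuple[str, int, str]]:
    """Return (chain, position, spec) for each IPv4 rule with no identical IPv6
    rule in the same chain. `position` is the rule's 1-based slot in the IPv4
    chain, clamped to len(IPv6 chain) + 1 so it is valid for `ip6tables -I`."""
    v4, v6 = parse_rules(v4_save), parse_rules(v6_save)
    missing: List[Tuple[str, int, str]] = []
    for chain, specs in v4.items():
        v6_specs = v6.get(chain, [])
        present = set(v6_specs)
        for idx, spec in enumerate(specs, start=1):
            if IPV4_LITERAL.search(spec) or spec in present:
                continue
            missing.append((chain, min(idx, len(v6_specs) + 1), spec))
    return missing


def fix_commands(missing: List[Tuple[str, int, str]]) -> List[str]:
    """Render the missing rules as ip6tables inserts at the IPv4 position.
    Assumes the target chain already exists in the IPv6 mangle table."""
    return [f"ip6tables -t mangle -I {chain} {pos} {spec}" for chain, pos, spec in missing]


if __name__ == "__main__":
    for cmd in fix_commands(missing_v6_rules(IPTABLES_MANGLE, IP6TABLES_MANGLE)):
        print(cmd)
```

Against a live router, feed it the output of `ip netns exec qrouter-<router-id> iptables-save -t mangle` and `ip netns exec qrouter-<router-id> ip6tables-save -t mangle`. The comparison is exact text, so a rule that differs only in position or option order is reported as missing; confirm with `ip6tables -t mangle -L <chain> --line-numbers` before inserting. An empty diff only says the two tables mirror each other; it does not answer the reporter's question of whether those marks are the right fix for neutron to emit.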