[openstack-dev] Change in openstack/neutron[master]: Permit ICMPv6 RAs only from known routers
Collins, Sean
Sean_Collins2 at cable.comcast.com
Tue Mar 4 20:25:38 UTC 2014
On Tue, Mar 04, 2014 at 02:08:03PM EST, Robert Li (baoli) wrote:
> Hi Xu Han & Sean,
>
> Is this code going to be committed as it is? Based on this morning's
> discussion, I thought that the IP address used to install the RA rule
> comes from the qr-xxx interface's LLA address. I think that I'm confused.
Xu Han has a better grasp on the query than I do, but I'm going to try
and take a crack at explaining the code as I read through it. Here's
some sample data from the Neutron database - built using
vagrant_devstack.

https://gist.github.com/sc68cal/568d6119eecad753d696

I don't have V6 addresses working in vagrant_devstack just yet, but for
the sake of discourse I'm going to use it as an example.

If you look at the queries he's building in 72252 - he's querying all
the ports on the network, that are q_const.DEVICE_OWNER_ROUTER_INTF
("network:router_interface"). The IPs of those ports are added to the
list of IPs.

Then a second query is done to find the port connected from the router
to the gateway, q_const.DEVICE_OWNER_ROUTER_GW
('network:router_gateway'). Those IPs are then appended to the list of
IPs.

Finally, the last query adds the IPs of the gateway for each subnet
in the network.

So, ICMPv6 traffic from ports that are either:

A) A gateway device
B) A router
C) The subnet's gateway

Will be passed through to an instance.

Now, please take note that I have *not* discussed what *kind* of IP
address will be picked up. We intend for it to be a Link Local address,
but that will be/is addressed in other patch sets.
> Also this bug: Allow LLA as router interface of IPv6 subnet
> https://review.openstack.org/76125 was created due to comments to 72252.
> If we don't need to create a new LLA for the gateway IP, is the fix still
> needed?
Yes - we still need this patch - because that code path is how we are
able to create ports on routers that are a link local address.

This is at least my understanding of our progress so far, but I'm not
perfect - Xu Han will probably have the last word.
--
Sean M. Collins
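
Added example, not part of the original message and not the code under review in 72252: the three lookups described above, modelled over constructed port and subnet records, followed by a check of which collected addresses are IPv6 link-local, the kind the message says is intended. The record layout, the function names and the scoping of every lookup by network_id are assumptions.

```python
import ipaddress

# device_owner values quoted in the message above
ROUTER_INTF = "network:router_interface"
ROUTER_GW = "network:router_gateway"

# Constructed sample records (not taken from the gist or a Neutron database)
PORTS = [
    {"network_id": "net-1", "device_owner": ROUTER_INTF,
     "fixed_ips": ["fe80::f816:3eff:fe11:1", "10.0.0.1"]},
    {"network_id": "net-1", "device_owner": ROUTER_GW,
     "fixed_ips": ["2001:db8:0:1::1"]},
    {"network_id": "net-1", "device_owner": "compute:nova",
     "fixed_ips": ["2001:db8:0:1::5"]},
    {"network_id": "net-2", "device_owner": ROUTER_INTF,
     "fixed_ips": ["fe80::f816:3eff:fe22:2"]},
]
SUBNETS = [
    {"network_id": "net-1", "gateway_ip": "2001:db8:0:1::1"},
    {"network_id": "net-1", "gateway_ip": "10.0.0.1"},
    {"network_id": "net-1", "gateway_ip": None},
]


def ra_source_candidates(network_id, ports, subnets):
    """Collect IPs in the order described: router interface ports,
    router gateway ports, then each subnet's gateway."""
    ips = []
    for owner in (ROUTER_INTF, ROUTER_GW):
        for port in ports:
            if port["network_id"] == network_id and port["device_owner"] == owner:
                ips.extend(port["fixed_ips"])
    for subnet in subnets:
        if subnet["network_id"] == network_id and subnet["gateway_ip"]:
            ips.append(subnet["gateway_ip"])
    return list(dict.fromkeys(ips))  # de-duplicate, keep order


def split_by_kind(ips):
    """Separate IPv6 link-local addresses from everything else collected."""
    link_local, other = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version == 6 and addr.is_link_local:
            link_local.append(ip)
        else:
            other.append(ip)
    return link_local, other
```

The instance port (compute:nova) never enters the list, and the IPv4 and global IPv6 entries land in the second bucket, which is the "kind of IP address" question the message leaves to other patch sets.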