[Openstack] Help with ipv6 route configuration and problem to traverse virtual router.

Brian Haley brian.haley at hpe.com
Tue Aug 30 19:32:12 UTC 2016

On 08/30/2016 02:53 PM, Jorge Luiz Correa wrote:
> Thank you Tomas and Brian!
> Here they are (just replace my ipv6 prefix with 2001:DB8). But, I think the
> problem is with firewall rules (see bellow).

> root at dataexp-network:/# ip netns exec
> qrouter-eb42f197-8969-4744-b226-49653ed2bf48 ip -6 route show
> *2001:DB8:1400:c539::/64 dev qr-1ee33f03-23*  proto kernel  metric 256  pref medium
> fe80::/64 dev qg-69fbbe1a-ee  proto kernel  metric 256  pref medium
> fe80::/64 dev qr-9f742219-78  proto kernel  metric 256  pref medium
> fe80::/64 dev qr-1ee33f03-23  proto kernel  metric 256  pref medium
> *default via fe80::215:17ff:fea0:211d* dev qg-69fbbe1a-ee  metric 1024  pref medium
> fe80::215:17ff:fea0:211d is my firewall/router and this route was learned via RA.
> At this moment my firewall/router has one route to 2001:DB8:1400::1/52 via
> fe80::f816:3eff:fed5:c5f8 (the path is firewall/router -> br-ex -> br-int ->
> qg-69fbbe1a-ee). The packets go up to qg-69fbbe1a-ee.
> I think these setting are ok!

Yes, those look good.

> Now, I found something with iptables. See the rules in qrouter namespace:

> *Chain neutron-l3-agent-scope (1 references)*
>  pkts bytes target     prot opt in     out     source
> destination
>    78  4368 *DROP*       all      *      qr-1ee33f03-23  ::/0
> ::/0                 mark match ! 0x4000000/0xffff0000
> Packets pass in chain FORWARD -> neutron-filter-top -> neutron-l3-agent-local ->
> back to FORWARD -> neutron-l3-agent-FORWARD -> neutron-l3-agent-scope -> DROP.

This looks similar to https://bugs.launchpad.net/neutron/+bug/1570122

> IPv4 rules is very similar but works. Ipv6 is blocking for some reason.

Do you have the same mark/match rules with IPv4, they're just not getting hit?


More information about the Openstack mailing list