[Openstack] Help with ipv6 self-service and ip6tables rule on mangle chain

Jorge Luiz Correa correajl at gmail.com
Thu Aug 23 16:53:03 UTC 2018

Hi all

I'm deploying a Queens on Ubuntu 18.04 with one controller, one network
controller and, for now, one compute node. I'm using ML2 with the linuxbridge
mechanism driver and a self-service type of network. This is a dual
stack environment (v4 and v6).

IPv4 is working fine, NATs are OK and packets are flowing.

With IPv6 I'm having a problem. Packets from external networks to a project
network are stopping at the qrouter namespace firewall. I've a project with one
network, one v4 subnet and one v6 subnet. Addressing is all OK, virtual
machines are getting their IPs and can ping the network gateway.

However, from external to project network, using IPv6, the packets stop at
a DROP rule inside the qrouter namespace.

The ip6tables path is:

mangle prerouting -> neutron-l3-agent-PREROUTING -> neutron-l3-agent-scope
-> here we have a MARK rule:

pkts bytes target     prot opt in     out     source               destination
    3   296 MARK       all      qr-7f2944e7-cc *      ::/0                 ::/0                 MARK xset 0x4000000/0xffff0000

qr interface is the internal network interface of the project (subnet
gateway). So, packets from this interface are marked.

But the return path is the problem. The packets don't return. I've rules
on the nexthop firewall and packets arrive on the external bridge
(network node). But when they arrive on the external interface of the qrouter
namespace, they are filtered.

Inside qrouter namespace this is the rule:

ip netns exec qrouter-5689783d-52c0-4d2f-bef5-99b111f8ef5f ip6tables -t mangle -L -n -v

Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      qr-7f2944e7-cc ::/0                 ::/0                 mark match ! 0x4000000/0xffff0000

If I create the following rule everything works great:

ip netns exec qrouter-5689783d-52c0-4d2f-bef5-99b111f8ef5f ip6tables -t mangle -I neutron-l3-agent-scope -i qg-b6757bfe-c1 -j MARK --set-xmark

where qg is the external interface of the virtual router. So, if I mark packets
from the external interface in mangle, they are not filtered.

Is this normal? Do I have to manually add a rule to do that?

How do I use the "external_ingress_mark" option in l3-agent.ini? Can I use
it to mark packets using a configuration parameter instead of a manually
inserted ip6tables rule?

Thanks a lot!
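To make the mark-then-drop behaviour described in the post easier to reason about, here is an added example (not part of the post or of Neutron) that parses an `ip6tables -L -n -v` listing and walks a packet through it. The chain text is constructed from the two rules quoted above, and it assumes, as a simplification, that the MARK and DROP rules are evaluated in one pass for a forwarded packet whose in and out interfaces are both known.

```python
"""Walk a packet through a Neutron address-scope mangle chain (ip6tables -L -n -v format)."""
import re

# Constructed sample, modelled on the qrouter listing in the post (interface names from the post).
SCOPE_CHAIN_BEFORE = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   296 MARK       all      qr-7f2944e7-cc *      ::/0                 ::/0                 MARK xset 0x4000000/0xffff0000
    0     0 DROP       all      *      qr-7f2944e7-cc ::/0                 ::/0                 mark match ! 0x4000000/0xffff0000
"""
# Same chain with a MARK rule for the external (qg) interface inserted at the top, as the post does with -I.
SCOPE_CHAIN_AFTER = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all      qg-b6757bfe-c1 *      ::/0                 ::/0                 MARK xset 0x4000000/0xffff0000
""" + "\n".join(SCOPE_CHAIN_BEFORE.splitlines()[2:]) + "\n"

# Matches both "MARK xset VALUE/MASK" and "mark match [!] VALUE/MASK"; group 1 is the optional negation.
MARK_RE = re.compile(r"(?:MARK xset|mark match( !)?) (0x[0-9a-f]+)/(0x[0-9a-f]+)")

def parse_chain(listing):
    """Return (target, in_iface, out_iface, extra) per rule, skipping the two header lines."""
    rules = []
    for line in listing.splitlines()[2:]:
        # Columns: pkts bytes target prot in out src dst extra (the "opt" column is blank for ip6tables).
        fields = line.split(None, 8)
        if len(fields) < 8:
            continue
        rules.append((fields[2], fields[4], fields[5], fields[8] if len(fields) > 8 else ""))
    return rules

def traverse(rules, in_iface, out_iface, mark=0):
    """Apply the chain to one packet; return ('DROP' | 'RETURN', final_mark)."""
    for target, rin, rout, extra in rules:
        if (rin != "*" and rin != in_iface) or (rout != "*" and rout != out_iface):
            continue
        m = MARK_RE.search(extra)
        if target == "MARK" and m:
            value, mask = int(m.group(2), 16), int(m.group(3), 16)
            mark = (mark & ~mask) ^ value          # --set-xmark: clear mask bits, XOR value in
        elif target == "DROP":
            if m:
                value, mask = int(m.group(2), 16), int(m.group(3), 16)
                negate = m.group(1) is not None
                if ((mark & mask) == value) == negate:   # "! value/mask" matches only unmarked packets
                    continue
            return "DROP", mark
    return "RETURN", mark
```

Running `traverse` on the original chain with a packet entering on qg and leaving on qr reproduces the drop; with the inserted qg MARK rule it carries mark 0x4000000 past the DROP rule, while VM-originated traffic (in qr, out qg) passes in both cases.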

