handle IPv6 race condition due to hairpin mode

bug 1011134 When using IPv6 an instance sees its own neighbour advertisement, because of the reflective property of the hairpin mode. Because of this the trigger-happy duplicate address detection in the instance's kernel deconfigures the IPv6 address on the interface, resulting in no IPv6 connectivity. Approach of this commit is to to add an nwfilter to libvirt which identifies this particular scenario and filters it. Change-Id: I28f9b49cee4b2ab6ff591fae4feee623955f845f
openstack · Oct 9, 2012 · 0436cbd · 0436cbd
1 parent df47379
commit 0436cbd
Showing 1 changed file with 26 additions and 9 deletions.
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
@@ -57,6 +57,23 @@ def _get_connection(self):
         return self._libvirt_get_connection()
     _conn = property(_get_connection)
 
+    @staticmethod
+    def nova_no_nd_reflection_filter():
+        """
+        This filter protects false positives on IPv6 Duplicate Address
+        Detection(DAD).
+        """
+        return '''<filter name='nova-no-nd-reflection' chain='ipv6'>
+                  <!-- no nd reflection -->
+                  <!-- drop if destination mac is v6 mcast mac addr and
+                       we sent it. -->
+
+                  <rule action='drop' direction='in'>
+                      <mac dstmacaddr='33:33:00:00:00:00'
+                           dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
+                  </rule>
+                  </filter>'''
+
     @staticmethod
     def nova_dhcp_filter():
         """The standard allow-dhcp-server filter is an <ip> one, so it uses
@@ -122,15 +139,15 @@ def _ensure_static_filters(self):
         if self.static_filters_configured:
             return
 
-        self._define_filter(self._filter_container('nova-base',
-                                                   ['no-mac-spoofing',
-                                                    'no-ip-spoofing',
-                                                    'no-arp-spoofing',
-                                                    'allow-dhcp-server']))
-        self._define_filter(self._filter_container('nova-nodhcp',
-                                                   ['no-mac-spoofing',
-                                                    'no-ip-spoofing',
-                                                    'no-arp-spoofing']))
+        filter_set = ['no-mac-spoofing',
+                      'no-ip-spoofing',
+                      'no-arp-spoofing']
+        if FLAGS.use_ipv6:
+            self._define_filter(self.nova_no_nd_reflection_filter)
+            filter_set.append('nova-no-nd-reflection')
+        self._define_filter(self._filter_container('nova-nodhcp', filter_set))
+        filter_set.append('allow-dhcp-server')
+        self._define_filter(self._filter_container('nova-base', filter_set))
         self._define_filter(self._filter_container('nova-vpn',
                                                    ['allow-dhcp-server']))
         self._define_filter(self.nova_dhcp_filter)