handle IPv6 race condition due to hairpin mode

bug 1011134

When using IPv6 an instance sees its own neighbour advertisement,
because of the reflective property of the hairpin mode.

Because of this the trigger-happy duplicate address detection in
the instance's kernel deconfigures the IPv6 address on the interface,
resulting in no IPv6 connectivity.

Approach of this commit is to add an nwfilter to libvirt which
identifies this particular scenario and filters it.

Change-Id: I28f9b49cee4b2ab6ff591fae4feee623955f845f
commit 0436cbdb882b532f0d01c41108508c6d4da3544e 1 parent df47379
Takashi Sogabe sogabe authored

Showing 1 changed file with 26 additions and 9 deletions.

  1. +26 9 nova/virt/libvirt/firewall.py
35 nova/virt/libvirt/firewall.py
@@ -58,6 +58,23 @@ def _get_connection(self):
58 58 _conn = property(_get_connection)
59 59
60 60 @staticmethod
  61 + def nova_no_nd_reflection_filter():
  62 + """
  63 + This filter protects false positives on IPv6 Duplicate Address
  64 + Detection(DAD).
  65 + """
  66 + return '''<filter name='nova-no-nd-reflection' chain='ipv6'>
  67 + <!-- no nd reflection -->
  68 + <!-- drop if destination mac is v6 mcast mac addr and
  69 + we sent it. -->
  70 +
  71 + <rule action='drop' direction='in'>
  72 + <mac dstmacaddr='33:33:00:00:00:00'
  73 + dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
  74 + </rule>
  75 + </filter>'''
  76 +
  77 + @staticmethod
61 78 def nova_dhcp_filter():
62 79 """The standard allow-dhcp-server filter is an <ip> one, so it uses
63 80 ebtables to allow traffic through. Without a corresponding rule in
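
Review bot: the rule in nova_no_nd_reflection_filter matches on MAC fields only (dstmacaddr='33:33:00:00:00:00' with dstmacmask='ff:ff:00:00:00:00' and srcmacaddr='$MAC'), so it drops every inbound IPv6 multicast frame that carries the instance's own source MAC, not only reflected neighbour discovery messages. That is likely acceptable for hairpin reflections, but the filter name and docstring describe ND/DAD only; either state in the docstring that all reflected IPv6 multicast is dropped, or narrow the match to the ND traffic the commit message describes. The docstring wording "protects false positives" should read "prevents false positives".
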
@@ -122,15 +139,15 @@ def _ensure_static_filters(self):
122 139 if self.static_filters_configured:
123 140 return
124 141
125   - self._define_filter(self._filter_container('nova-base',
126   - ['no-mac-spoofing',
127   - 'no-ip-spoofing',
128   - 'no-arp-spoofing',
129   - 'allow-dhcp-server']))
130   - self._define_filter(self._filter_container('nova-nodhcp',
131   - ['no-mac-spoofing',
132   - 'no-ip-spoofing',
133   - 'no-arp-spoofing']))
  142 + filter_set = ['no-mac-spoofing',
  143 + 'no-ip-spoofing',
  144 + 'no-arp-spoofing']
  145 + if FLAGS.use_ipv6:
  146 + self._define_filter(self.nova_no_nd_reflection_filter)
  147 + filter_set.append('nova-no-nd-reflection')
  148 + self._define_filter(self._filter_container('nova-nodhcp', filter_set))
  149 + filter_set.append('allow-dhcp-server')
  150 + self._define_filter(self._filter_container('nova-base', filter_set))
134 151 self._define_filter(self._filter_container('nova-vpn',
135 152 ['allow-dhcp-server']))
136 153 self._define_filter(self.nova_dhcp_filter)
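
Review bot: in _ensure_static_filters the same filter_set list is handed to _filter_container for 'nova-nodhcp' and then mutated with filter_set.append('allow-dhcp-server') before being reused for 'nova-base', so the result is only correct if _filter_container consumes the list immediately. Passing an explicit second list, for example filter_set + ['allow-dhcp-server'], removes that hidden ordering dependency. Separately, 'nova-vpn' still contains only 'allow-dhcp-server', so instances using that container do not receive 'nova-no-nd-reflection' when FLAGS.use_ipv6 is set; if that is intentional, a comment saying so would help. The change list shows only firewall.py, so nothing here exercises the use_ipv6 branch; a test asserting the filter membership of 'nova-base' and 'nova-nodhcp' with the flag on and off would guard against regressions.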

Git Notes

review

Verified+2: Jenkins
Approved+1: Vish Ishaya <vishvananda@gmail.com>
Code-Review+2: Vish Ishaya <vishvananda@gmail.com>
Code-Review+2: Yun Mao <yunmao@gmail.com>
Verified+1: SmokeStack
Submitted-by: Jenkins
Submitted-at: Wed, 10 Oct 2012 21:08:18 +0000
Reviewed-on: https://review.openstack.org/14017
Project: openstack/nova
Branch: refs/heads/master
