IPv6 fragmentation/mtu issue on IceHouse/Ubuntu 14.04

asked 2014-07-18 15:35:24 -0600

neb-m gravatar image

updated 2014-07-18 15:36:15 -0600

I am seeing a strange IPv6 fragmentation issue which I am not sure if it is Openstack/Neutron issue or base kernel issue. Doing ping6 from external network toward Openstack VM.

ping6 -s 1600 XXXX:0:60:102a:f816:3eff:fe56:6033

Incoming fragmented IPv6 packet reaches "qvb" interface as shown by tcpdump below:

16:17:20.050062 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: frag (0|1448) ICMP6, echo request, seq 4837, length 1448 16:17:20.050065 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: frag (1448|160)

But, it appears that packet gets reassembled into a large packet inside "qbr" interface as shown by tcpdump below:

16:19:39.090039 IP6 XXXX:0:60:1034:250:56ff:fe9d:b80 > XXXX:0:60:102a:f816:3eff:fe56:6033: ICMP6, echo request, seq 4976, length 1608

Then, that same packet cannot be seen entering the "tap" interface.

It should not be getting lost in security rules since "all icmpv6" rule counter for the incoming chain keeps going up.

ip6tables -L neutron-openvswi-i240cac09-e -v -n

53 25776 RETURN icmpv6 * * ::/0 ::/0

edit retag flag offensive close merge delete

Comments

One more bit of information. By setting net.bridge.bridge-nf-call-ip6tables=0 the fragmentation issue goes away. The packets are correctly sent through the qbr bridge fragmented and can enter the tap interface. This proves that packet re-assembly took place in net-filter/iptables. However, by setting "bridge-nf-call-ip6tables" to 0, all Openstack ip6table security rules are disabled.

neb-m gravatar imageneb-m ( 2014-07-21 16:02:52 -0600 )edit

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-02-02 22:08:37 -0600

afranc gravatar image

Currently IPv6 fragmented packets are not forwarded on an ethernet bridge with netfilter ip6_tables loaded. More info - http://patchwork.ozlabs.org/patch/434957/ (http://patchwork.ozlabs.org/patch/434...)

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

Stats

Asked: 2014-07-18 15:35:24 -0600

Seen: 1,235 times

Last updated: Jul 18 '14