Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: OVN Kubernetes
Labels:
- cnv-netsdn-wg
- migrated-from-sdn

Activity Type:
Product / Portfolio Work
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Epic Link:
CORENET-5649

Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
Bug Fix
Release Note Text:

Hide
This fix filter out the router advertisements from remote nodes to prevent VMs to end up with multipath ipv6 default gw.

In case the live migration is not automatically issued by the upgrade when rebooting nodes, a live upgrade need to be done to install the nftables that filter out the unwanted router advertisements at the new network namespace.

Show
This fix filter out the router advertisements from remote nodes to prevent VMs to end up with multipath ipv6 default gw. In case the live migration is not automatically issued by the upgrade when rebooting nodes, a live upgrade need to be done to install the nftables that filter out the unwanted router advertisements at the new network namespace.

Per the design , the logical switch that implements the layer2 network will have LSPs representing both the local GW router as well as the remote GW routers (in order to implement features like services / egress IPs).

For IPv6 to work properly, we need to ensure these "remote" GW routers do not advertise their RAs outside the node they run on - thus we need to install ACLs applying to the logical switch that would drop RAs belonging to these "remote" GW routers.

matching expression

"allow locally generated RAs": acl1: from-lport, prio 2000, match: "inport == <local-GR-port> && nd_ra" then allow
"drop all other RAs": acl2: from-lport, prio 1000, match: "nd_ra" then drop

Also take into account that the proper solution is the future "transit router" topology feature from OVN that is in progress:

https://issues.redhat.com/browse/FDP-872

Upstream PR:

https://github.com/ovn-kubernetes/ovn-kubernetes/pull/4852

is related to

FDP-872 [ovn-ic] Add support for transit routers.

Verified

CNV-60575 IPv6 does not work properly on dual-stack clusters with layer primary UDN

Closed

Assignee:: Or Shoval

Reporter:: Miguel Duarte de Mora Barroso

Need Info From:: None

Contributors:: None

Architect:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/10/30 10:48 AM

Updated:: 2025/06/27 11:58 AM

Resolved:: 2025/04/16 9:14 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty

Hide