Missing IPv6 neighbors in VPP #864

Closed
zolug opened this issue May 3, 2023 · 2 comments

zolug commented May 3, 2023

In case of an IPv6 cluster, dynamic neighbor address resolution does not work, because ingress ACL rules drop ICMPv6 Neighbor Advertisement messages.
This, for example, might lead to non-working remote VxLAN xconnects. (In case a VPP instance started by the forwarder was not informed about a certain neighbor at start, or a new node is added to the cluster.)

Trace in vppctl:

```
Packet 41

06:31:58:815638: af-packet-input
  af_packet: hw_if_index 2 next-index 4
    tpacket2_hdr:
      status 0x20000005 len 86 snaplen 86 mac 66 net 80
      sec 0x645130d0 nsec 0x12f3d524 vlan 0 vlan_tpid 0
06:31:58:815641: ethernet-input
  IP6: fa:16:3e:a9:a5:9f -> fa:16:3e:d7:89:d1
06:31:58:815642: ip6-input
  ICMP6: fd08::d -> fd08::21
    tos 0x00, flow label 0x0, hop limit 255, payload length 32
06:31:58:815643: acl-plugin-in-ip6-fa
  acl-plugin: lc_index: 1, sw_if_index 2, next index 0, action: 0, match: acl 0 rule 3 trace_bits 00000000
  pkt info 00000000000008fd 0d00000000000000 00000000000008fd 2100000000000000 0002033a00000088 0a00ffff00000001
   lc_index 1 l3 ip6 fd08::d -> fd08::21 l4 lsb_of_sw_if_index 2 proto 58 l4_is_input 1 l4_slow_path 1 l4_flags 0x03
port 136 -> 0 tcp flags (invalid) 00 rsvd 0
06:31:58:815646: error-drop
  rx:host-eth0
06:31:58:815647: drop
  acl-plugin-in-ip6-fa: ACL deny packets
```

```
vpp# show acl-plugin acl
acl-index 0 count 4 tag {nsm-vppinit-denyall-ingress}
          0: ipv6 permit src ::/0 dst ::/0 proto 58 sport 0 dport 134
          1: ipv6 permit src ::/0 dst ::/0 proto 58 sport 0 dport 136
          2: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0 dport 0
          3: ipv6 deny src ::/0 dst ::/0 proto 0 sport 0 dport 0
  applied inbound on sw_if_index: 2
  applied outbound on sw_if_index:
  used in lookup context index: 1
acl-index 1 count 4 tag {nsm-vppinit-denyall-egress}
          0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 58 sport 133 dport 0
          1: ipv6 permit src ::/0 dst ::/0 proto 58 sport 135 dport 0
          2: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0 dport 0
          3: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0 dport 0
  applied inbound on sw_if_index:
  applied outbound on sw_if_index: 2
  used in lookup context index: 0
acl-index 2 count 1 tag {nsm-pinhole port 4789}
          0: ipv6 permit src ::/0 dst fd08::21/128 proto 17 sport 0-65535 dport 4789
  applied inbound on sw_if_index: 2
  applied outbound on sw_if_index:
  used in lookup context index: 1
acl-index 3 count 1 tag {nsm-pinhole port 4789}
          0: ipv6 permit src fd08::21/128 dst ::/0 proto 17 sport 0-65535 dport 4789
  applied outbound on sw_if_index: 2
  used in lookup context index: 0
```
@zolug zolug added the bug Something isn't working label May 3, 2023
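
Why the traced packet ends up at rule 3, as an added example that is not part of the issue or of the project's code: a first-match evaluation of acl-index 0 against the packet's `proto 58 ... port 136 -> 0` tuple. It assumes the ACL plugin compares the ICMPv6 type with the sport range and the code with the dport range, as the trace output suggests; `TypeInSportACL` is a hypothetical rewrite for comparison, not the change made in the project.

```go
package main

import "fmt"

// Rule is one line of `show acl-plugin acl`. Assumption of this example: for
// ICMPv6 (proto 58) sport is matched against the ICMP type, dport against the code.
type Rule struct {
	IPv6, Permit     bool
	Proto            uint8 // 0 = any protocol, ports not checked
	SportLo, SportHi uint16
	DportLo, DportHi uint16
}

// Packet holds the fields of the traced packet that the lookup uses.
type Packet struct {
	IPv6         bool
	Proto        uint8
	Sport, Dport uint16 // ICMPv6: type, code
}

// FirstMatch returns the index and action of the first matching rule (-1 if none).
func FirstMatch(acl []Rule, p Packet) (int, bool) {
	for i, r := range acl {
		portsOK := p.Sport >= r.SportLo && p.Sport <= r.SportHi && p.Dport >= r.DportLo && p.Dport <= r.DportHi
		if r.IPv6 == p.IPv6 && (r.Proto == 0 || (r.Proto == p.Proto && portsOK)) {
			return i, r.Permit
		}
	}
	return -1, false
}

// IngressACL is acl-index 0 as printed in the issue (type in dport).
var IngressACL = []Rule{
	{true, true, 58, 0, 0, 134, 134}, {true, true, 58, 0, 0, 136, 136},
	{false, false, 0, 0, 0, 0, 0}, {true, false, 0, 0, 0, 0, 0},
}

// TypeInSportACL is a hypothetical rewrite: type in sport, code 0 in dport.
var TypeInSportACL = []Rule{
	{true, true, 58, 134, 134, 0, 0}, {true, true, 58, 136, 136, 0, 0},
	{false, false, 0, 0, 0, 0, 0}, {true, false, 0, 0, 0, 0, 0},
}

func main() {
	na := Packet{true, 58, 136, 0} // from the trace: "proto 58 ... port 136 -> 0"
	fmt.Println(FirstMatch(IngressACL, na))     // 3 false: the deny-all rule, as in the trace
	fmt.Println(FirstMatch(TypeInSportACL, na)) // 1 true
}
```
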
@glazychev-art

Hi @zolug,
It's great that you fixed it! Thanks

Can we close the issue?

zolug commented May 4, 2023

> Hi @zolug, It's great that you fixed it! Thanks
>
> Can we close the issue?

Hi @glazychev-art,

Yes, feel free to close the issue. Thanks.

@LionelJouin LionelJouin moved this to ✅ Done in Meridio May 5, 2023
nsmbot pushed a commit that referenced this issue Oct 17, 2024
…k-vpp@main

PR link: networkservicemesh/sdk-vpp#864

Commit: f8b5d51
Author: Network Service Mesh Bot
Date: 2024-10-17 18:48:40 -0500
Message:
  - Update go.mod and go.sum to latest version from networkservicemesh/sdk-kernel@main (#864)
PR link: networkservicemesh/sdk-kernel#692
Commit: 4f9e691
Author: Network Service Mesh Bot
Date: 2024-10-17 18:45:10 -0500
Message:
    - Update go.mod and go.sum to latest version from networkservicemesh/sdk@main (#692)
PR link: networkservicemesh/sdk#1686
Commit: 9a6b64b
Author: dependabot[bot]
Date: 2024-10-17 19:42:57 -0400
Message:
        - Bump github.com/nats-io/nkeys from 0.4.4 to 0.4.6 (#1686)
Bumps [github.com/nats-io/nkeys](https://github.com/nats-io/nkeys) from 0.4.4 to 0.4.6.
- [Release notes](https://github.com/nats-io/nkeys/releases)
- [Changelog](https://github.com/nats-io/nkeys/blob/main/.goreleaser.yml)
- [Commits](nats-io/nkeys@v0.4.4...v0.4.6)
---
updated-dependencies:
- dependency-name: github.com/nats-io/nkeys
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>