This PR adds the IPv6 equivalent of fw_router_routing() to the systemvm Virtual Router's network configuration, so that return traffic for VR-initiated IPv6 connections (BGP to upstream PE peers, NTP, DNS lookups, etc.) is allowed back through the ip6_firewall fw_input chain.

Problem

The systemvm VR's nftables ip6 ip6_firewall fw_input chain is created with policy=drop and only ICMPv6 accept rules. The IPv4 INPUT chain has the equivalent iifname "eth2" ct state established,related accept rule (added by fw_router_routing() in CsAddress.py); the IPv6 path has no such rule.

Effect: any v6 connection the VR itself initiates outbound has its return traffic silently dropped at the v6 INPUT hook before TCP processes it. For Isolated IPv6 ROUTED networks this is fatal — BGP IPv6 sessions cannot reach Established, tenant /64 prefixes are never advertised upstream, and VMs in the network are unreachable from the IPv6 internet.

#10970 added the equivalent rule to the FORWARD chain (covering tenant VM return traffic) but explicitly removed it from the INPUT chain in its second commit. This PR completes that fix for VR-originated traffic.

Behavioural change

Before this PR, IPv6 BGP sessions from VRs in IsolatedV6RoutedFiltered (and similar Routed v6) network offerings stay in Connect state indefinitely. After this PR, sessions reach Established within seconds of VR start and prefix advertisements work normally.

The change is additive and behind the existing is_routed() / is_vpc() gating — only routed, non-VPC networks see new INPUT rules. No change for existing v4 paths, v4 NATted networks, or VPC networks.

Fixes: #13171

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Justifying Major: any operator wanting to ship the IsolatedV6RoutedFiltered offering (or any v6 Routed isolated network with Firewall service) for production tenant workloads is blocked. Workaround requires per-VR nft injection that wipes on every tenant FW rule change, making the offering unusable as a customer product without a downstream patch like this one.

Screenshots (if appropriate)

N/A — kernel-level firewall change.

How Has This Been Tested?

Verified end-to-end on Apache CloudStack 4.22.0.0, KVM hypervisor (Ubuntu 24.04 hosts), with:

• Zone configured for BGP Routed networks (ASN range, BGP peers, IPv6 guest prefix /48)
• Tenant network using IsolatedV6RoutedFiltered offering
• Two independent fresh VRs in two different tenant networks

Before the patch:

vtysh -c "show bgp ipv6 unicast summary"
Neighbor State/PfxRcd
2400:88e0:ffff:258::2 Connect 0
2400:88e0:ffff:258::3 Connect 0

Hypervisor-side packet capture on the underlay confirms PE responds with SYN-ACK, but the VR's TCP stack never delivers it to FRR. Kernel TCPMD5* counters stay at zero — drop happens at netfilter before TCP processes the segment. Inside the VR:

$ nft list table ip6 ip6_firewall
table ip6 ip6_firewall {
chain fw_input {
type filter hook input priority filter; policy drop;
icmpv6 type { ... } accept
}
...
}

No ct state established,related accept rule.

After the patch:

vtysh -c "show bgp ipv6 unicast summary"
Neighbor State/PfxRcd
2400:88e0:ffff:258::2 Established 1
2400:88e0:ffff:258::3 Established 1

fw_input now includes the new rule with active counters:

iifname "eth2" ct state established,related counter packets ... bytes ... accept

Verified end-to-end: SSH from public IPv6 internet to a VM inside the v6-routed network succeeds. Reachability survives subsequent tenant firewall rule updates (the rule is rebuilt from nft_ipv6_fw on every IpTablesExecutor.process() cycle).

How did you try to break this feature and the system with this change?

• Tenant firewall rule churn: added/removed tenant ingress rules via cmk createIpv6FirewallRule / deleteIpv6FirewallRule repeatedly after the patch. IpTablesExecutor.process() flushes and rebuilds the v6 table each time; the new INPUT rule is re-emitted on every cycle because it's now in nft_ipv6_fw. Counters resume; BGP stays Established.
• VR reboot: rebooted the VR (cmk rebootRouter). After the reboot pulls fresh cloud-scripts.tgz, the patched CsAddress.py runs in the rebuilt VR and the rule is in place from boot. BGP establishes within ~30s of VR ready.
• Non-routed networks: confirmed is_routed() gating means standard Isolated v4 networks and VPC networks see no new rules in either chain — no behaviour change for them.
• Cross-account / cross-domain: verified the rule fires per-VR (each tenant network's VR gets its own rule with its own eth2 reference and per-VR counter), with no cross-tenant traffic leakage.

Tested with both single-tenant and multi-tenant network deployments. Validated the substrate change on ACS 4.22.0.0; same code path exists in 4.20 branch HEAD per inspection.