Skip to content

systemvm: ipv6 fw_input — accept return traffic from established,rela… #13173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
agronaught wants to merge 1 commit into
base: 4.22
Choose a base branch
from
+18 −0
Open

systemvm: ipv6 fw_input — accept return traffic from established,rela… #13173

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions systemvm/debian/opt/cloud/bin/cs/CsAddress.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,7 @@ def __init__(self, dev, config):
self.config = config
self.nft_ipv4_fw = config.get_nft_ipv4_fw()
self.nft_ipv4_acl = config.get_nft_ipv4_acl()
self.nft_ipv6_fw = config.get_ipv6_fw()

def setAddress(self, address):
self.address = address
Expand Down Expand Up @@ -714,6 +715,22 @@ def fw_router_routing(self):
self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT',
'rule': "iifname %s ip saddr %s tcp dport 8080 ct state new counter accept" % (self.dev, guestNetworkCidr)})

def fw_router_routing_v6(self):
if self.config.is_vpc() or not self.config.is_routed():
return
# IPv6 INPUT chain defaults — mirror of fw_router_routing() for v4.
# Without these, return traffic for VR-initiated v6 connections (e.g.
# BGP SYN-ACKs to upstream PE peers) is silently dropped by the
# default-DROP policy on fw_input. PR #10970 added the equivalent
# rule to fw_forward only; this completes that fix for INPUT.
self.nft_ipv6_fw.append({'type': "", 'chain': 'fw_input',
'rule': "iifname lo counter accept"})
self.nft_ipv6_fw.append({'type': "", 'chain': 'fw_input',
'rule': "iifname eth2 ct state established,related counter accept"})
if self.get_type() in ["guest"]:
self.nft_ipv6_fw.append({'type': "", 'chain': 'fw_input',
'rule': "iifname %s ct state established,related counter accept" % self.dev})

def fw_vpcrouter_routing(self):
if not self.config.is_vpc() or not self.config.is_routed():
return
Expand Down Expand Up @@ -839,6 +856,7 @@ def post_config_change(self, method):
self.fw_vpcrouter()
self.fw_router_routing()
self.fw_vpcrouter_routing()
self.fw_router_routing_v6()
self.fw_dhcpserver()

cmdline = self.config.cmdline()
Expand Down
Loading