diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index bde4a976e31c..004c86276aa6 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -326,6 +326,7 @@ def __init__(self, dev, config):
 self.config = config
 self.nft_ipv4_fw = config.get_nft_ipv4_fw()
 self.nft_ipv4_acl = config.get_nft_ipv4_acl()
+ self.nft_ipv6_fw = config.get_ipv6_fw()
 def setAddress(self, address):
 self.address = address
@@ -714,6 +715,22 @@ def fw_router_routing(self):
 self.nft_ipv4_fw.append({'type': "", 'chain': 'INPUT',
 'rule': "iifname %s ip saddr %s tcp dport 8080 ct state new counter accept" % (self.dev, guestNetworkCidr)})
+ def fw_router_routing_v6(self):
+ if self.config.is_vpc() or not self.config.is_routed():
+ return
+ # IPv6 INPUT chain defaults — mirror of fw_router_routing() for v4.
+ # Without these, return traffic for VR-initiated v6 connections (e.g.
+ # BGP SYN-ACKs to upstream PE peers) is silently dropped by the
+ # default-DROP policy on fw_input. PR #10970 added the equivalent
+ # rule to fw_forward only; this completes that fix for INPUT.
+ self.nft_ipv6_fw.append({'type': "", 'chain': 'fw_input',
+ 'rule': "iifname lo counter accept"})
+ self.nft_ipv6_fw.append({'type': "", 'chain': 'fw_input',
+ 'rule': "iifname eth2 ct state established,related counter accept"})
+ if self.get_type() in ["guest"]:
+ self.nft_ipv6_fw.append({'type': "", 'chain': 'fw_input',
+ 'rule': "iifname %s ct state established,related counter accept" % self.dev})
+
 def fw_vpcrouter_routing(self):
 if not self.config.is_vpc() or not self.config.is_routed():
 return
@@ -839,6 +856,7 @@ def post_config_change(self, method):
 self.fw_vpcrouter()
 self.fw_router_routing()
 self.fw_vpcrouter_routing()
+ self.fw_router_routing_v6()
 self.fw_dhcpserver()
 cmdline = self.config.cmdline()
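Review bot: The new accessor name `config.get_ipv6_fw()` in __init__ breaks the `get_nft_ipv4_fw()` / `get_nft_ipv4_acl()` pattern of the two lines directly above it; unless CsConfig already exposes the IPv6 rule list under exactly that name, `self.nft_ipv6_fw = config.get_nft_ipv6_fw()` would be the consistent spelling. Worth confirming the method really exists in CsConfig before merging, since a mismatch here raises AttributeError when every address object is constructed, not only on the IPv6 path. __init__ starts and ends outside the hunk.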
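Review bot: The second rule added in fw_router_routing_v6 hard-codes `iifname eth2` as the public-side interface, while the guest branch two lines below derives the interface from `self.get_type()` and `self.dev`, and the v4 counterpart in the context line above also uses `self.dev`. If get_type() reports the public NIC as `public`, dropping the eth2 line and widening the check to `if self.get_type() in ["public", "guest"]:` keeps the accept rule bound to the address's actual interface rather than a positional NIC assumption. Note also that post_config_change runs per address object, so the unconditional `lo` and `eth2` appends are repeated once per configured IP; harmless if whatever renders nft_ipv6_fw de-duplicates, but worth verifying. The rules themselves are conservative (loopback and established,related only), so this is about portability and tidiness rather than added exposure. fw_router_routing_v6 lies wholly inside the hunk; fw_router_routing and fw_vpcrouter_routing extend outside it.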