bpf: pass through ICMP6 NS if target is node IP

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>

bpf/lib/icmp6.h

@@ -299,6 +299,7 @@ static __always_inline int __icmp6_handle_ns(struct __ctx_buff *ctx, int nh_off)
 {
 	union v6addr target, router;
 	struct endpoint_info *ep;
+	union macaddr router_mac = NODE_MAC;
 
 	if (ctx_load_bytes(ctx, nh_off + ICMP6_ND_TARGET_OFFSET, target.addr,
 			   sizeof(((struct ipv6hdr *)NULL)->saddr)) < 0)
@@ -309,15 +310,30 @@ static __always_inline int __icmp6_handle_ns(struct __ctx_buff *ctx, int nh_off)
 	BPF_V6(router, ROUTER_IP);
 
 	if (ipv6_addr_equals(&target, &router)) {
-		union macaddr router_mac = NODE_MAC;
 
 		return send_icmp6_ndisc_adv(ctx, nh_off, &router_mac, true);
 	}
 
 	ep = __lookup_ip6_endpoint(&target);
 	if (ep) {
-		union macaddr router_mac = NODE_MAC;
-
+		if (ep->flags & ENDPOINT_F_HOST) {
+			/* If the target is a node IP (not router IP, because router IP
+			 * has been handled above), hand it over to stack. This is to
+			 * make sure:
+			 *
+			 * 1. The response NA has node IP as source address instead of
+			 * router IP, to avoid https://github.com/cilium/cilium/issues/14509
+			 * (IPV6 access to node is lost after installing cilium with
+			 * ipv6 enabled)
+			 *
+			 * 2. Kernel stack can record a neighbor entry for the
+			 * source IP, to avoid bpf_fib_lookup failure as mentioned at
+			 * https://github.com/cilium/cilium/issues/14509 (regarding
+			 * "Cilium doesn't send neighbor advertisements in response to
+			 * neighbor solicitiations for pod IPv6 IPs")
+			 */
+			return CTX_ACT_OK;
+		}
 		return send_icmp6_ndisc_adv(ctx, nh_off, &router_mac, false);
 	}