bpf: skip policy check for IPv6 NDP traffic

Previously, our policy check for IPv6 NDP traffic caused issues such as cilium#23852 and cilium#23910 because this traffic was identified as WORLD_ID, which would be given a verdict of drop when CiliumNetworkPolicy is applied for per-endpoint routing. To resolve this issue, we pass all IPv6 NDP traffic to the stack without policy check. This change aligns with how we handle IPv4 ARP: the cilium bpf never performs policy check for ARP, regardless of whether we enable `ENABLE_ARP_PASSTHROUGH` or `ENABLE_ARP_RESPONDER`. Fixes: cilium#23852 Fixes: cilium#23910 Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
romanspb80 · Jun 22, 2023 · 6a5c7e1 · 6a5c7e1
1 parent bfcd7a8
commit 6a5c7e1
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
@@ -743,19 +743,15 @@ static __always_inline int __tail_handle_ipv6(struct __ctx_buff *ctx,
 {
 	void *data, *data_end;
 	struct ipv6hdr *ip6;
-	int ret;
 
 	if (!revalidate_data_pull(ctx, &data, &data_end, &ip6))
 		return DROP_INVALID;
 
 	/* Handle special ICMPv6 NDP messages, and all remaining packets
 	 * are subjected to forwarding into the container.
 	 */
-	if (unlikely(is_icmp6_ndp(ctx, ip6, ETH_HLEN))) {
-		ret = icmp6_ndp_handle(ctx, ETH_HLEN, METRIC_EGRESS);
-		if (IS_ERR(ret))
-			return ret;
-	}
+	if (unlikely(is_icmp6_ndp(ctx, ip6, ETH_HLEN)))
+		return icmp6_ndp_handle(ctx, ETH_HLEN, METRIC_EGRESS);
 
 	if (unlikely(!is_valid_lxc_src_ip(ip6)))
 		return DROP_INVALID_SIP;
@@ -1639,6 +1635,11 @@ int tail_ipv6_to_endpoint(struct __ctx_buff *ctx)
 		goto out;
 	}
 
+	if (unlikely(is_icmp6_ndp(ctx, ip6, ETH_HLEN))) {
+		ret = CTX_ACT_OK;
+		goto out;
+	}
+
 	/* Packets from the proxy will already have a real identity. */
 	if (identity_is_reserved(src_sec_identity)) {
 		union v6addr *src = (union v6addr *)&ip6->saddr;