From dd7e1038f71d6877a17d725b97c0c9135f55cb3d Mon Sep 17 00:00:00 2001
From: Jason Ball
Date: Tue, 19 May 2026 17:25:46 +1000
Subject: [PATCH] =?UTF-8?q?systemvm:=20ipv6=20fw=5Finput=20=E2=80=94=20acc?=
 =?UTF-8?q?ept=20established/related=20return=20traffic?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The IPv6 fw_input chain currently accepts only ICMPv6 control traffic and policy=drop everything else. Return traffic for VR-initiated v6 connections (e.g. BGP SYN-ACKs from upstream peers) is silently dropped. PR #10970 added the equivalent rule to the v6 FORWARD chain but removed it from INPUT in its second commit. This restores it at chain creation, so it applies uniformly to all v6 input-hook chains (routed Isolated, non-routed Isolated, etc.). Tested on ACS 4.22.0.0 staging:
- Routed Isolated v6 (IsolatedV6RoutedFiltered offering): BGP v6 sessions reach Established, tenant /64 advertised upstream.
- Non-routed Isolated v6 (DualStack with VirtualRouter + SourceNat): fw_input contains the established/related accept rule and accepts return traffic.
Resulting fw_input on both shapes: chain fw_input { type filter hook input priority filter; policy drop; icmpv6 type { ... } accept ct state established,related accept }
Fixes: #13171
Refs: #10970
Co-authored-by: Bryan Lima <[email protected]>
Signed-off-by: Jason Ball
---
 systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
index 93d0d0388efe..63d7724dd20a 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
@@ -232,7 +232,7 @@ def add_ip6_chain(self, address_family, table, chain, hook, action):
         if hook == "input" or hook == "output":
             CsHelper.execute("nft add rule %s %s %s icmpv6 type { echo-request, echo-reply, \
 nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept" % (address_family, table, chain))
-        elif hook == "forward":
+        if hook == "input" or hook == "forward":
             CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 
     def add_ip4_chain(self, address_family, table, chain, hook, action):
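Review bot: The new `if hook == "input" or hook == "forward":` line carries no explanation of why the input hook now gets the `ct state established,related accept` rule while output does not, and the commit message shows this exact rule was added and then removed once before (#10970), so the intent belongs in the code; add above it `# input/forward chains end in policy drop: accept return traffic for VR-initiated v6 connections (e.g. BGP to upstream peers), see #13171`. As a matter of style, both conditions read more cleanly as membership tests, `if hook in ("input", "output"):` and `if hook in ("input", "forward"):`. Because the rule is appended unconditionally at chain creation, if add_ip6_chain can be invoked for a chain that already exists the accept rule (like the icmpv6 rule above it) would presumably be appended a second time — worth confirming at the call site. add_ip6_chain starts before this hunk.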