IPv6 firewall: accept packets from related and established connections

[winterhazel]

Description

The VR's firewall service automatically accepts packets from related and established connections when using IPv4. However, it does not for IPv6. Due to this, even if the egress rules allow a VM to send requests to a machine from outside the isolated network, it will not receive the response unless operators have allowed all ingress for the (sometimes dynamically allocated) port.

This PR adds a rule to the VR's IPv6 forward chain accepting response traffic (ingress from related and established connections), even if the operator has not explicitly allowed all ingress for the ports, thus matching the IPv4 firewall's behavior.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

How Has This Been Tested?

1. I introduced an IPv6 range to my environment.

2. I created a network offering for IPv6.

3. I created an isolated network with the network offering.

4. I added a VM to the network.

Then, I performed the following tests:

1. I validated that the VR had nftables rules in the forward and input chains allowing the ingress of related packets and packets from established connections.

2. Inside the VM, I tried to download a file from a machine outside the isolated network using IPv6. I validated that the download did not begin, because the egress traffic was not allowed.

3. I allowed the egress for ports 80 and 443.

4. Inside the VM, I tried to download a file from a machine outside the isolated network using IPv6 again. This time, the file was download successfully. Before the changes, the file would not be downloaded, because the VR was rejecting the response traffic.

5. I tried to login into the VM using SSH and IPv6. I validated that it was not possible because the ingress traffic for port 22 was not allowed.

6. I allowed ingress for port 22, and tried to login into the VM using SSH and IPv6 one more time. This time, I was able to access the VM successfully.

[winterhazel]

@blueorangutan package

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 16.15%. Comparing base (823080c) to head (145f4fe).
⚠️ Report is 130 commits behind head on 4.20.

Additional details and impacted files

@@            Coverage Diff             @@
##               4.20   #10970    +/-   ##
==========================================
  Coverage     16.14%   16.15%            
- Complexity    13253    13269    +16     
==========================================
  Files          5656     5657     +1     
  Lines        497893   497772   -121     
  Branches      60374    60364    -10     
==========================================
+ Hits          80405    80408     +3     
+ Misses       408529   408413   -116     
+ Partials       8959     8951     -8     

Flag	Coverage Δ
uitests	4.00% <ø> (-0.01%)	⬇️
unittests	17.00% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[weizhouapache]

oh, I remember this issue, I had a fix more than one year ago.
I thought I have created a PR for it 🤦‍♂️

good finding @winterhazel
the code is different from mine (4 lines), but the idea is the same

[DaanHoogland]

@weizhouapache , does that mean lgty?

[JoaoJandre]

@blueorangutan package

[blueorangutan]

@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14043

[winterhazel]

@blueorangutan package

[blueorangutan]

@winterhazel a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14105

[weizhouapache]

code lgtm

Not tested it yet

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-13739)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 55694 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr10970-t13739-kvm-ol8.zip
Smoke tests completed. 141 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[shwstppr]

code lgtm

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 14852

[weizhouapache]

@blueorangutan test

[blueorangutan]

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian Build Failed (tid-14212)

[weizhouapache]

@blueorangutan package

[blueorangutan]

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 14868

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[weizhouapache]

Tested with Ipv6 network and VPC

SSH did not work prior to this change, it worked with this change

an example of nft rules

        chain fw_forward {
                type filter hook forward priority filter; policy accept;
                ct state established,related accept
                ip6 saddr 2025:9:10:e::/64 jump fw_chain_egress
                ip6 daddr 2025:9:10:e::/64 jump fw_chain_ingress
        }