fix IPv6 ND proxy gateway address handling

ND proxy FIB lookups occur in the receiving interface's VRF. Gateway
addresses must be registered to tap interface so NS lookups in the
host-tap VRF succeed.

Signed-off-by: Aritra Basu <[email protected]>

Author: Aritra Basu

vpp-manager/vpp_runner.go

@@ -644,16 +644,51 @@ func (v *VppRunner) configureVppUplinkInterface(
 		return errors.Wrap(err, "Error enabling ARP proxy")
 	}
 
+	// Configure ND proxy for IPv6 - ND proxy allows VPP to respond to Neighbor Solicitations
+	// ND proxy FIB lookups happen in the receiving interface's VRF, so add both cases to tap:
+	// 1. Host's own addresses: Add to ND proxy table on tap, so VPP responds to NS for host addresses
+	// 2. Gateway addresses: Add to ND proxy table on tap, so VPP proxies NS arriving from the host
+	//    (VPP responds with NA using its own MAC, then routes traffic to real gateway via uplink)
+	// The ND proxy feature must be enabled on tap0 (where NS arrives from the host).
+
+	hasIPv6 := false
+
+	// Add host's own IPv6 addresses to ND proxy on tap interface
 	for _, addr := range ifState.Addresses {
 		if addr.IP.To4() == nil {
-			log.Infof("Adding ND proxy for address %s", addr.IP)
-			err = v.vpp.EnableIP6NdProxy(tapSwIfIndex, addr.IP)
+			hasIPv6 = true
+			log.Infof("Adding ND proxy for host address %s on tap", addr.IP)
+			err = v.vpp.AddIP6NdProxyAddress(tapSwIfIndex, addr.IP)
+			if err != nil {
+				log.Errorf("Error adding ND proxy address %s on tap: %v", addr.IP.String(), err)
+			}
+		}
+	}
+
+	// Add gateway addresses to ND proxy on TAP interface
+	// The ND proxy FIB lookup happens in the interface's VRF, so we must add gateway
+	// addresses to the tap interface for VPP to respond to NS from the host
+	// VPP will respond with NA using its own MAC - acting as a proxy for the gateway
+	for _, route := range ifState.Routes {
+		if route.Gw != nil && route.Gw.To4() == nil {
+			hasIPv6 = true
+			log.Infof("Adding ND proxy for gateway %s on tap (for host NS)", route.Gw)
+			err = v.vpp.AddIP6NdProxyAddress(tapSwIfIndex, route.Gw)
 			if err != nil {
-				log.Errorf("Error configuring nd proxy for address %s: %v", addr.IP.String(), err)
+				log.Errorf("Error adding ND proxy for gateway %s on tap: %v", route.Gw.String(), err)
 			}
 		}
 	}
 
+	// Enable ND proxy feature on tap if we have any IPv6 addresses to proxy
+	if hasIPv6 {
+		log.Infof("Enabling ND proxy feature on tap interface")
+		err = v.vpp.EnableIP6NdProxyFeature(tapSwIfIndex)
+		if err != nil {
+			log.Errorf("Error enabling ND proxy feature on tap: %v", err)
+		}
+	}
+
 	if *config.GetCalicoVppDebug().GSOEnabled {
 		err = v.vpp.EnableGSOFeature(tapSwIfIndex)
 		if err != nil {

vpplink/ip6_nd.go

@@ -60,3 +60,35 @@ func (v *VppLink) EnableIP6NdProxy(swIfIndex uint32, address net.IP) error {
 
 	return nil
 }
+
+// AddIP6NdProxyAddress adds an address to the ND proxy table for the specified interface.
+// This tells VPP to forward NS for this address out the specified interface.
+// Note: This does NOT enable ND proxy on the interface - use EnableIP6NdProxyFeature for that.
+func (v *VppLink) AddIP6NdProxyAddress(swIfIndex uint32, address net.IP) error {
+	client := ip6_nd.NewServiceClient(v.GetConnection())
+
+	_, err := client.IP6ndProxyAddDel(v.GetContext(), &ip6_nd.IP6ndProxyAddDel{
+		IsAdd:     true,
+		IP:        types.ToVppIP6Address(address),
+		SwIfIndex: interface_types.InterfaceIndex(swIfIndex),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to add IP6 ND Proxy address %v (swif %d): %w", address, swIfIndex, err)
+	}
+	return nil
+}
+
+// EnableIP6NdProxyFeature enables the ND proxy feature on an interface.
+// Once enabled, VPP will intercept all NDP traffic on this interface and handle it.
+func (v *VppLink) EnableIP6NdProxyFeature(swIfIndex uint32) error {
+	client := ip6_nd.NewServiceClient(v.GetConnection())
+
+	_, err := client.IP6ndProxyEnableDisable(v.GetContext(), &ip6_nd.IP6ndProxyEnableDisable{
+		IsEnable:  true,
+		SwIfIndex: interface_types.InterfaceIndex(swIfIndex),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to enable IP6 ND Proxy feature (swif %d): %w", swIfIndex, err)
+	}
+	return nil
+}