vpp-manager: set uplink admin-up only after RA is disabled

Move InterfaceAdminUp() for the uplink interface to after
DisableIP6RouterAdvertisements(). Previously, the uplink was
brought admin-up immediately after creation and then configured
with IPv6 enable, RA suppress, CNAT, VRF, addresses, and routes.
This left a window where the interface was up with RA processing
still active, allowing VPP to process Router Advertisements from
the wire and potentially install unwanted SLAAC addresses or
default routes before the intended configuration was in place.

Signed-off-by: Aritra Basu <aritrbas@cisco.com>

Author: Aritra Basu

vpp-manager/vpp_runner.go

@@ -487,6 +487,13 @@ func (v *VppRunner) configureVppUplinkInterface(
 		return errors.Wrap(err, "Error disabling ipv6 RA on uplink interface")
 	}
 
+	// Keep the interface admin-down until RA suppression is installed, then
+	// bring it up before programming the rest of IPv6/L3 state.
+	err = v.vpp.Retry(2*time.Second, 10, v.vpp.InterfaceAdminUp, ifSpec.SwIfIndex)
+	if err != nil {
+		return errors.Wrap(err, "Error setting uplink interface up")
+	}
+
 	err = v.vpp.CnatEnableFeatures(ifSpec.SwIfIndex)
 	if err != nil {
 		return errors.Wrap(err, "Error configuring NAT on uplink interface")
@@ -1008,15 +1015,7 @@ func (v *VppRunner) runVpp() (err error) {
 			return errors.Wrap(err, "Error creating uplink interface")
 		}
 
-		// Data interface configuration
-		err = v.vpp.Retry(2*time.Second, 10, v.vpp.InterfaceAdminUp, v.params.UplinksSpecs[idx].SwIfIndex)
-		if err != nil {
-			terminateVpp("Error setting uplink interface up: %v", err)
-			v.vpp.Close()
-			<-vppDeadChan
-			return errors.Wrap(err, "Error setting uplink interface up")
-		}
-
+		// Configure uplink and only bring it up after RA suppression is set.
 		err = v.configureVppUplinkInterface(v.uplinkDriver[idx], v.conf[idx], v.params.UplinksSpecs[idx])
 
 		if err != nil {