vpp-manager: disable punting NAs toward the host

vpp-manager/vpp_runner.go

@@ -152,11 +152,28 @@ func (v *VppRunner) configureGlobalPunt() (err error) {
 			return errors.Wrapf(err, "Error configuring punt redirect")
 		}
 
-		err = v.vpp.PuntAllL4(ipFamily.IsIP6)
+		err = v.vpp.SetPuntL4(types.TCP, vpplink.PuntAllPorts, ipFamily.IsIP6)
 		if err != nil {
-			return errors.Wrapf(err, "Error configuring L4 punt")
+			return errors.Wrapf(err, "Error configuring L4 TCP punt")
 		}
+		err = v.vpp.SetPuntL4(types.UDP, vpplink.PuntAllPorts, ipFamily.IsIP6)
+		if err != nil {
+			return errors.Wrapf(err, "Error configuring L4 UDP punt")
+		}
+	}
+
+	// We do not want NA we receive to be punted, as there is
+	// no reason for us to forward them to pods, or to forward
+	// them to the host as we have a ND proxy in place.
+	puntReasonID, err := v.vpp.PuntReasonGet(vpplink.PuntReasonNeighAdv)
+	if err != nil {
+		return errors.Wrapf(err, "Could not get punt reason %s", vpplink.PuntReasonNeighAdv)
+	}
+	err = v.vpp.UnsetPuntException(puntReasonID)
+	if err != nil {
+		return errors.Wrapf(err, "Could not UnsetPuntException %d", puntReasonID)
 	}
+
 	return
 }
 
@@ -254,13 +271,6 @@ found:
 			common.FullyQualified(ifState.IPv6LinkLocal.IP), ifSpec.SwIfIndex)
 	}
 
-	// Enable ND proxy for the LL address
-	err = v.vpp.EnableIP6NdProxy(ifState.TapSwIfIndex, ifState.IPv6LinkLocal.IP)
-	if err != nil {
-		return errors.Wrapf(err, "Error configuring ND proxy for LL address %s",
-			ifState.IPv6LinkLocal.IP.String())
-	}
-
 	return nil
 }
 
@@ -670,11 +680,6 @@ func (v *VppRunner) configureVppUplinkInterface(
 		return errors.Wrap(err, "Error setting tap rx placement")
 	}
 
-	err = v.vpp.SetPromiscOn(tapSwIfIndex)
-	if err != nil {
-		return errors.Wrapf(err, "Error setting vpptap0 promisc")
-	}
-
 	err = v.vpp.SetInterfaceMtu(uint32(tapSwIfIndex), vpplink.CalicoVppMaxMTu)
 	if err != nil {
 		return errors.Wrapf(err, "Error setting %d MTU on tap interface", vpplink.CalicoVppMaxMTu)
@@ -685,6 +690,10 @@ func (v *VppRunner) configureVppUplinkInterface(
 		if err != nil {
 			return errors.Wrap(err, "Error disabling ip6 RA on vpptap0")
 		}
+		err = v.vpp.EnableIP6NdProxy(tapSwIfIndex)
+		if err != nil {
+			log.WithError(err).Errorf("Error enabling ND proxy for tap %d", tapSwIfIndex)
+		}
 	}
 	err = v.configurePunt(tapSwIfIndex, *ifState)
 	if err != nil {
@@ -695,32 +704,6 @@ func (v *VppRunner) configureVppUplinkInterface(
 		return errors.Wrap(err, "Error enabling ARP proxy")
 	}
 
-	for _, addr := range ifState.GetAddresses() {
-		if addr.IP.To4() == nil {
-			log.Infof("Adding ND proxy for address %s", addr.IP)
-			err = v.vpp.EnableIP6NdProxy(tapSwIfIndex, addr.IP)
-			if err != nil {
-				log.Errorf("Error configuring nd proxy for address %s: %v", addr.IP.String(), err)
-			}
-		}
-	}
-
-	/*
-	 * Add ND proxy for IPv6 gateway addresses.
-	 * Without ND proxy for gateway, host's NS for gateway is dropped with "neighbor
-	 * solicitations for unknown targets" error because there's no /128 FIB entry.
-	 * This requires VPP patch https://gerrit.fd.io/r/c/vpp/+/44350 to fix NA loop bug.
-	 */
-	for _, route := range ifState.GetRoutes() {
-		if route.Gw != nil && route.Gw.To4() == nil {
-			log.Infof("Adding ND proxy for IPv6 gateway %s", route.Gw)
-			err = v.vpp.EnableIP6NdProxy(tapSwIfIndex, route.Gw)
-			if err != nil {
-				log.Errorf("Error configuring ND proxy for gateway %s: %v", route.Gw, err)
-			}
-		}
-	}
-
 	if *config.GetCalicoVppDebug().GSOEnabled {
 		err = v.vpp.EnableGSOFeature(tapSwIfIndex)
 		if err != nil {

vpplink/generated/generate.log

@@ -1,16 +1,17 @@
-VPP Version                 : 26.06-rc0~198-gaaa992d1f
+VPP Version                 : 26.06-rc0~258-ge8b69f3f8
 Binapi-generator version    : v0.11.0
-VPP Base commit             : 2e62e9b6b gerrit:34726/3 interface: add buffer stats api
+VPP Base commit             : 461470599 gerrit:34726/3 interface: add buffer stats api
 ------------------ Cherry picked commits --------------------
 ip-neighbor: preserve interface LL receive DPO for self link-local
 acl: acl-plugin custom policies
 cnat: [WIP] no k8s maglev from pods
 pbl: Port based balancer
+gerrit:45046/4 ip6-nd: add punt reason for neigh advs
+gerrit:45099/2 ip6-nd: add nd-proxy all dst
 gerrit:44966/5 ip-neighbor: fix missing solicited-node multicast MAC
 gerrit:44903/1 vxlan: reset next_dpo on delete
 gerrit:44350/3 vnet: fix unicast NA handling in ND proxy
 gerrit:43369/21 cnat: converge new cnat implementation to support encaps (calico)
-gerrit:41089/34 cnat: combine multiple changes
 gerrit:revert:39675/5 Revert "ip-neighbor: do not use sas to determine NS source address"
 gerrit:42343/2 vcl: LDP default to regular option
 gerrit:34726/3 interface: add buffer stats api

vpplink/generated/vpp_clone_current.sh

@@ -123,7 +123,8 @@ git_cherry_pick refs/changes/69/43369/21 # 43369: cnat: converge new cnat implem
 git_cherry_pick refs/changes/50/44350/3 # 44350: vnet: fix unicast NA handling in ND proxy | https://gerrit.fd.io/r/c/vpp/+/44350
 git_cherry_pick refs/changes/03/44903/1 # 44903: vxlan: reset next_dpo on delete | https://gerrit.fd.io/r/c/vpp/+/44903
 git_cherry_pick refs/changes/66/44966/5 # 44966: ip-neighbor: fix missing solicited-node multicast MAC | https://gerrit.fd.io/r/c/vpp/+/44966
-
+git_cherry_pick refs/changes/99/45099/2 # 45099: ip6-nd: add nd-proxy all dst | https://gerrit.fd.io/r/c/vpp/+/45099
+git_cherry_pick refs/changes/46/45046/4 # 45046: ip6-nd: add punt reason for neigh advs | https://gerrit.fd.io/r/c/vpp/+/45046
 
 # --------------- private plugins ---------------
 # Generated with 'git format-patch --zero-commit -o ./patches/ HEAD^^^'

vpplink/ip.go

@@ -137,8 +137,10 @@ func (v *VppLink) PuntRedirectList(swIfIndex uint32, isIP6 bool) (punts []types.
 	return punts, nil
 }
 
+const PuntAllPorts = ^uint16(0)
+
 // PuntL4 configures L4 punt for a given address family and protocol. port = ~0 means all ports
-func (v *VppLink) PuntL4(proto types.IPProto, port uint16, isIPv6 bool) error {
+func (v *VppLink) SetPuntL4(proto types.IPProto, port uint16, isIPv6 bool) error {
 	client := punt.NewServiceClient(v.GetConnection())
 
 	_, err := client.SetPunt(v.GetContext(), &punt.SetPunt{
@@ -158,14 +160,57 @@ func (v *VppLink) PuntL4(proto types.IPProto, port uint16, isIPv6 bool) error {
 	return nil
 }
 
-func (v *VppLink) PuntAllL4(isIPv6 bool) (err error) {
-	err = v.PuntL4(types.TCP, 0xffff, isIPv6)
+func (v *VppLink) SetPuntException(id uint32) error {
+	return v.setUnsetPuntException(id, true)
+}
+func (v *VppLink) UnsetPuntException(id uint32) error {
+	return v.setUnsetPuntException(id, false)
+}
+
+func (v *VppLink) setUnsetPuntException(id uint32, isAdd bool) error {
+	client := punt.NewServiceClient(v.GetConnection())
+	_, err := client.SetPunt(v.GetContext(), &punt.SetPunt{
+		IsAdd: isAdd,
+		Punt: punt.Punt{
+			Type: punt.PUNT_API_TYPE_EXCEPTION,
+			Punt: punt.PuntUnionException(punt.PuntException{
+				ID: id,
+			}),
+		},
+	})
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to set/unset punt exception %d in VPP: %v", id, err)
 	}
-	err = v.PuntL4(types.UDP, 0xffff, isIPv6)
+	return nil
+}
+
+const (
+	// PuntReasonNeighAdv is set when VPP punts Neighbor
+	// advertisements after processing them
+	PuntReasonNeighAdv = "ip6-nd-neigh-adv"
+)
+
+func (v *VppLink) PuntReasonGet(name string) (id uint32, err error) {
+	client := punt.NewServiceClient(v.GetConnection())
+
+	stream, err := client.PuntReasonDump(v.GetContext(), &punt.PuntReasonDump{
+		Reason: punt.PuntReason{
+			Name: name,
+		},
+	})
 	if err != nil {
-		return err
+		return ^uint32(0), fmt.Errorf("failed to dump punt reasons: %w", err)
 	}
-	return nil
+	for {
+		response, err := stream.Recv()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return ^uint32(0), fmt.Errorf("failed to dump punt reasons: %w", err)
+		} else {
+			return response.Reason.ID, nil
+		}
+	}
+	return ^uint32(0), fmt.Errorf("no reason found for %s", name)
 }

vpplink/ip6_nd.go

@@ -17,11 +17,9 @@ package vpplink
 
 import (
 	"fmt"
-	"net"
 
 	"github.com/projectcalico/vpp-dataplane/v3/vpplink/generated/bindings/interface_types"
 	"github.com/projectcalico/vpp-dataplane/v3/vpplink/generated/bindings/ip6_nd"
-	"github.com/projectcalico/vpp-dataplane/v3/vpplink/types"
 )
 
 func (v *VppLink) DisableIP6RouterAdvertisements(swIfIndex uint32) error {
@@ -37,22 +35,13 @@ func (v *VppLink) DisableIP6RouterAdvertisements(swIfIndex uint32) error {
 	return nil
 }
 
-func (v *VppLink) EnableIP6NdProxy(swIfIndex uint32, address net.IP) error {
+func (v *VppLink) EnableIP6NdProxy(swIfIndex uint32) error {
 	client := ip6_nd.NewServiceClient(v.GetConnection())
 
-	_, err := client.IP6ndProxyAddDel(v.GetContext(), &ip6_nd.IP6ndProxyAddDel{
-		IsAdd:     true,
-		IP:        types.ToVppIP6Address(address),
-		SwIfIndex: interface_types.InterfaceIndex(swIfIndex),
-	})
-	if err != nil {
-		return fmt.Errorf("failed to add IP6 ND Proxy address %v (swif %d): %w", address, swIfIndex, err)
-	}
-
-	// now disable source / dest checks for nd proxy
-	_, err = client.IP6ndProxyEnableDisable(v.GetContext(), &ip6_nd.IP6ndProxyEnableDisable{
+	_, err := client.IP6ndProxyEnableDisableV2(v.GetContext(), &ip6_nd.IP6ndProxyEnableDisableV2{
 		IsEnable:  true,
 		SwIfIndex: interface_types.InterfaceIndex(swIfIndex),
+		Flags:     1, // IP6_ND_PROXY_IF_FLAG_NO_DST_FILTER
 	})
 	if err != nil {
 		return fmt.Errorf("failed to enable IP6 ND Proxy (swif %d): %w", swIfIndex, err)