From 15fd7b0cbfb80056733a9ed27c6d3a6d29fa4637 Mon Sep 17 00:00:00 2001
From: Roberto Bonafiglia
Date: Wed, 10 Apr 2024 12:59:29 +0200
Subject: [PATCH] Added default ip6tables rules to accept ipv6 neighbor protocol
Signed-off-by: Roberto Bonafiglia
---
 pkg/controllers/netpol/pod.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/pkg/controllers/netpol/pod.go b/pkg/controllers/netpol/pod.go
index c2ce56dca7..cb33b315cd 100644
--- a/pkg/controllers/netpol/pod.go
+++ b/pkg/controllers/netpol/pod.go 
@@ -228,6 +228,34 @@ func (npc *NetworkPolicyController) setupPodNetpolRules(pod podInfo, podFwChainN
 filterTableRules.WriteString(strings.Join(args, " "))
 }
+ if ipFamily == api.IPv6Protocol {
+ // Allow IPv6 traffic for L2 network communication needed in case Flannel is used as CNI
+ comment := "\"rule to permit the IPv6 Inverse Neighbor Discovery Advertisement \""
+ args := []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
+ "-p", "icmpv6", "--icmpv6-type", "142", "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
+ filterTableRules.WriteString(strings.Join(args, " "))
+ comment = "\"rule to permit the IPv6 Inverse Neighbor Discovery Solicitation \""
+ args = []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
+ "-p", "icmpv6", "--icmpv6-type", "141", "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
+ filterTableRules.WriteString(strings.Join(args, " "))
+ comment = "\"rule to permit the IPv6 neighbor-advertisement\""
+ args = []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
+ "-p", "icmpv6", "--icmpv6-type", "neighbor-advertisement", "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
+ filterTableRules.WriteString(strings.Join(args, " "))
+ comment = "\"rule to permit the IPv6 neighbor-solicitation\""
+ args = []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
+ "-p", "icmpv6", "--icmpv6-type", "neighbor-solicitation", "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
+ filterTableRules.WriteString(strings.Join(args, " "))
+ comment = "\"rule to permit the IPv6 router-advertisement\""
+ args = []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
+ "-p", "icmpv6", "--icmpv6-type", "router-advertisement", "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
+ filterTableRules.WriteString(strings.Join(args, " "))
+ comment = "\"rule to permit the IPv6 router-solicitation\""
+ args = []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
+ "-p", "icmpv6", "--icmpv6-type", "router-solicitation", "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
+ filterTableRules.WriteString(strings.Join(args, " "))
+ }
+
 comment := "\"rule to permit the traffic traffic to pods when source is the pod's local node\""
 args := []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", comment,
 "-m", "addrtype", "--src-type", "LOCAL", "-d", ip, "-j", "ACCEPT", "\n"}
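Review bot: The six ICMPv6 rule blocks added inside `if ipFamily == api.IPv6Protocol` differ only in the `--icmpv6-type` value and the comment text, so the `comment`/`args`/`WriteString` triple is copy-pasted six times; a small table iterated in a loop emits byte-identical rules in the same order and makes the set easier to audit and extend. Because every rule is inserted with `-I podFwChainName 1`, the chain ends up listing them in reverse declaration order, which is harmless for a set of ACCEPT rules but deserves a one-line comment such as `// each "-I ... 1" prepends, so the chain lists these in reverse order`. The commit title and the in-code comment describe neighbor discovery for L2 communication, yet router-solicitation and router-advertisement are admitted ahead of every policy rule as well; `--hl-eq 255` does confine them to on-link senders, but the comment should state why router discovery must bypass network policy here, or those two entries should be dropped if it need not. setupPodNetpolRules begins before this hunk and continues after it.
```go
	if ipFamily == api.IPv6Protocol {
		// Allow IPv6 traffic for L2 network communication needed in case Flannel is used as CNI.
		// Hop limit 255 means the packet has not been forwarded, i.e. it came from an on-link sender.
		// Each "-I ... 1" prepends, so the chain lists these in reverse order; harmless for ACCEPT rules.
		ndRules := []struct{ icmpType, comment string }{
			{"142", "\"rule to permit the IPv6 Inverse Neighbor Discovery Advertisement \""},
			{"141", "\"rule to permit the IPv6 Inverse Neighbor Discovery Solicitation \""},
			{"neighbor-advertisement", "\"rule to permit the IPv6 neighbor-advertisement\""},
			{"neighbor-solicitation", "\"rule to permit the IPv6 neighbor-solicitation\""},
			{"router-advertisement", "\"rule to permit the IPv6 router-advertisement\""},
			{"router-solicitation", "\"rule to permit the IPv6 router-solicitation\""},
		}
		for _, r := range ndRules {
			args := []string{"-I", podFwChainName, "1", "-m", "comment", "--comment", r.comment,
				"-p", "icmpv6", "--icmpv6-type", r.icmpType, "-m", "hl", "--hl-eq", "255", "-j", "ACCEPT", "\n"}
			filterTableRules.WriteString(strings.Join(args, " "))
		}
	}
	// … unchanged: local-node source ACCEPT rule …
```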