Commit b89599b
Jason Ball
systemvm: ipv6 fw_input — expand established/related to non-routed Isolated

Per upstream review feedback on #13173: drop the is_routed() guard on
fw_router_routing_v6() so non-routed Isolated v6 networks also accept
established/related return traffic to the VR.

Keep the is_vpc() guard (VPC has its own firewall path via
fw_vpcrouter_routing).

Scope stays narrow: only the established/related rules. v4's service-port
rules (tcp/3922, tcp/8080) are not mirrored into the v6 INPUT chain.

Tested on staging (4.22.0.0):
- Routed Isolated v6 (Filtered offering): BGP v6 sessions reach
  Established, eth2 established/related rule counter active
  (81 packets / 9893 bytes).
- Non-routed Isolated v6 (DualStack offering with VirtualRouter +
  SourceNat): fw_input contains lo/eth2/eth0 established/related rules
  identical to the routed case; counter activity on eth2
  (66 packets / 8369 bytes) confirms the rule is reached.

Signed-off-by: Jason Ball <jball@resetdata.com>

1 parent 8dcc070 commit b89599b
1 file changed
Lines changed: 4 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
716 | 716 | | |
717 | 717 | | |
718 | 718 | | |
719 | | - | |
| 719 | + | |
720 | 720 | | |
721 | | - | |
722 | | - | |
723 | | - | |
724 | | - | |
725 | | - | |
| 721 | + | |
| 722 | + | |
| 723 | + | |
726 | 724 | | |
727 | 725 | | |
728 | 726 | | |
| |||