datapath: Per endpoint routes broken for IPv6 traffic between (remote) node to pod when netpol is applied #23910

@brb

The ICMPv6 neighbor resolution is striking us again (#23852). When sending a request from a remote node / a local node to the echo pod, the ICMPv6 NS uses the IPv6 addr of the echo pod's veth iface in the host netns:

7: lxc75bc3f9009e7    inet6 fe80::ec8b:fdff:fe18:6632/64 scope link

And of course, it's not recognized by the to-container @ lxc75bc3f9009e7:

CPU 07: MARK 0x0 FROM 1192 DEBUG: Inheriting identity=1 from stack
<- stack flow 0x0 , identity host->unknown state unknown ifindex 0 orig-ip 0.0.0.0: fe80::ec8b:fdff:fe18:6632 -> ff02::1:ff00:3816 NeighborSolicitation
CPU 07: MARK 0x0 FROM 1192 DEBUG: Conntrack lookup 1/2: src=[::fe18:6632]:0 dst=[::ff00:3816]:0
CPU 07: MARK 0x0 FROM 1192 DEBUG: Conntrack lookup 2/2: nexthdr=58 flags=0
CPU 07: MARK 0x0 FROM 1192 DEBUG: CT verdict: New, revnat=0
CPU 07: MARK 0x0 FROM 1192 DEBUG: Successfully mapped addr.p4=[::fe18:6632] to identity=2
CPU 07: MARK 0x0 FROM 1192 DEBUG: Attempting local delivery for container id 1192 from seclabel 44107
CPU 07: MARK 0x0 FROM 1192 DEBUG: Policy evaluation would deny packet from 2 to 44107
Policy verdict log: flow 0x0 local EP ID 1192, remote ID world, proto 58, ingress, action deny, match none, fe80::ec8b:fdff:fe18:6632 -> ff02::1:ff00:3816 NeighborSolicitation
xx drop (Policy denied) flow 0x0 to endpoint 1192, ifindex 7, file 2:1604, , identity world->44107: fe80::ec8b:fdff:fe18:6632 -> ff02::1:ff00:3816 NeighborSolicitation

A few possible fixes:

  • Add the IPv6 local scope addr of a pod into the IPCache, so that the non-world sec ID is used.
  • Respect the HOST_ID skb mark in the to-container section.
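As an added illustration (not from the issue or from Cilium's code) of why that NS arrives with the "world" identity: the host-side veth's fe80:: address is auto-derived from its MAC via modified EUI-64, so it is never part of any pod CIDR the IPCache knows about, and the destination is the solicited-node multicast group built from the low 24 bits of the pod address. The MAC ee:8b:fd:18:66:32 is inferred by inverting the EUI-64 of the logged link-local address, and the pod address is a constructed placeholder; the last function flags this exact drop pattern in cilium monitor output.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address the kernel auto-configures from a MAC (modified EUI-64, RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Flip the universal/local bit of the first octet and splice ff:fe into the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)

def solicited_node_multicast(target: str) -> ipaddress.IPv6Address:
    """Group an NS for `target` is sent to: ff02::1:ff00:0 plus the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | low24)

# Shape of the "xx drop (Policy denied) ... identity A->B: src -> dst MSG" monitor line above.
DROP_RE = re.compile(
    r"drop \(Policy denied\).*?identity (?P<src_id>\S+)->(?P<dst_id>\d+): "
    r"(?P<src>[0-9a-f:]+) -> (?P<dst>[0-9a-f:]+) (?P<msg>\S+)"
)

def is_ndp_policy_drop(line: str) -> bool:
    """True for the symptom in this issue: a link-local NS classified as 'world' and denied."""
    m = DROP_RE.search(line)
    if not m:
        return False
    try:
        src, dst = ipaddress.IPv6Address(m["src"]), ipaddress.IPv6Address(m["dst"])
    except ValueError:
        return False
    return (m["msg"] == "NeighborSolicitation" and m["src_id"] == "world"
            and src in LINK_LOCAL and dst in SOLICITED_NODE)

# MAC inferred by inverting the EUI-64 of the logged address; the pod address is a placeholder.
VETH_MAC = "ee:8b:fd:18:66:32"
POD_ADDR_PLACEHOLDER = "fd00:10:244::3816"

# Constructed sample: the drop line quoted above plus the preceding verdict line (not a drop).
SAMPLE_LINES = [
    "xx drop (Policy denied) flow 0x0 to endpoint 1192, ifindex 7, file 2:1604, , identity "
    "world->44107: fe80::ec8b:fdff:fe18:6632 -> ff02::1:ff00:3816 NeighborSolicitation",
    "Policy verdict log: flow 0x0 local EP ID 1192, remote ID world, proto 58, ingress, action "
    "deny, match none, fe80::ec8b:fdff:fe18:6632 -> ff02::1:ff00:3816 NeighborSolicitation",
]
```

Running `is_ndp_policy_drop` over `cilium monitor --type drop` output separates this NDP-specific symptom from genuine policy denials of pod traffic.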

Labels: area/datapath, feature/ipv6, kind/bug