Skip to content

policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials#44234

Merged
julianwiedmann merged 4 commits intocilium:mainfrom
Andreagit97:icmpv6-policy-drop-final
Mar 16, 2026
Merged

policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials#44234
julianwiedmann merged 4 commits intocilium:mainfrom
Andreagit97:icmpv6-policy-drop-final

Conversation

@Andreagit97
Copy link
Copy Markdown
Contributor

@Andreagit97 Andreagit97 commented Feb 7, 2026

This PR implements ICMPv6 responses for IPv6 egress traffic (part of #41859)

The approach is very similar to the one used here #41406; the only real difference is that ICMPv6 requires rate-limiting.

@Andreagit97 Andreagit97 requested review from a team as code owners February 7, 2026 17:38
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 7, 2026
@Andreagit97 Andreagit97 marked this pull request as draft February 7, 2026 17:38
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Feb 7, 2026
@Andreagit97
Copy link
Copy Markdown
Contributor Author

Andreagit97 commented Feb 7, 2026
edited
Loading

This PR is still in draft because it depends on #44086 (the first 4 commits belong to #44086)

I would like to change the title to policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials, but it seems I don't have enough privileges to do that

@Andreagit97 Andreagit97 force-pushed the icmpv6-policy-drop-final branch 3 times, most recently from 0b859f6 to e5c1918 Compare February 10, 2026 11:15
@Andreagit97 Andreagit97 marked this pull request as ready for review February 10, 2026 11:47
@Andreagit97 Andreagit97 requested review from a team as code owners February 10, 2026 11:47
@Andreagit97
Copy link
Copy Markdown
Contributor Author

Andreagit97 commented Feb 10, 2026

I rebased this now that #44086 is merged

@cilium/sig-datapath PTAL when you get a chance

I would like to change the title of the PR to policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials, but it seems I don't have enough privileges to do that

@joestringer joestringer changed the title Icmpv6 policy drop final policy: Support ICMPv6 "destination unreachable" rejections for traffic that is denied by egress policy Feb 10, 2026
@joestringer joestringer added the release-note/major This PR introduces major new functionality to Cilium. label Feb 10, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 10, 2026
@joestringer
Copy link
Copy Markdown
Member

joestringer commented Feb 10, 2026

/test

@dylandreimerink dylandreimerink changed the title policy: Support ICMPv6 "destination unreachable" rejections for traffic that is denied by egress policy policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials Feb 16, 2026
@dylandreimerink dylandreimerink changed the title policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials Icmpv6 policy drop final policy: Support ICMPv6 "destination unreachable" rejections for traffic that is denied by egress policy Feb 16, 2026
dylandreimerink
dylandreimerink approved these changes Feb 16, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@dylandreimerink dylandreimerink left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes look good to me! Nicely done

@julianwiedmann julianwiedmann self-requested a review February 18, 2026 08:04
julianwiedmann
julianwiedmann reviewed Feb 19, 2026
View reviewed changes
joestringer
joestringer reviewed Feb 19, 2026
View reviewed changes
@Andreagit97
Copy link
Copy Markdown
Contributor Author

Andreagit97 commented Feb 27, 2026

@joestringer PTAL when you get a chance

@youngnick
Copy link
Copy Markdown
Contributor

youngnick commented Mar 5, 2026

Looks like the metrics documentation is out of sync @Andreagit97, that's why the Smoke Test is failing.

@Andreagit97
refactor: extend __tail_no_service_ipv6 implementation and rename
c0585f3 
Rename `__tail_no_service_ipv6` into `generate_icmp6_reply`. Now
`generate_icmp6_reply` can generate a generic ICMPv6 packet with type
and code.

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 force-pushed the icmpv6-policy-drop-final branch from 8789e1e to 91270de Compare March 6, 2026 09:47
@Andreagit97
Copy link
Copy Markdown
Contributor Author

Andreagit97 commented Mar 6, 2026

Thank you @youngnick! I didn't touch any metric, so I suppose a rebase on main should be enough.

@cilium/sig-datapath, I should have addressed all comments. Let me know if there is something else to do

@Andreagit97 Andreagit97 force-pushed the icmpv6-policy-drop-final branch from 91270de to 64bc05e Compare March 6, 2026 10:31
@julianwiedmann julianwiedmann self-requested a review March 10, 2026 11:43
christarazi
christarazi approved these changes Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@julianwiedmann
Copy link
Copy Markdown
Member

julianwiedmann commented Mar 11, 2026

I should have addressed all comments. Let me know if there is something else to do

The last two patches in this series are just fix-ups for previous changes in this PR, right? Could you please squash those fix-ups into the corresponding patches?

@Andreagit97
feat(bpf): return ICMPv6 "Dest unreachable" on policy denials
df7bbc4 
This changes the datapath code to add support for returning an ICMPv6
"Destination Unreachable" / "Administratively Prohibited" response for
policy denials, instead of silently dropping traffic.

Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
refactor(bpf): use new icmp helper validate_icmpv6_reply
5f3ee99 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
docs: update policy-deny-response feature doc
8a49d56 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 force-pushed the icmpv6-policy-drop-final branch from 64bc05e to 8a49d56 Compare March 11, 2026 14:15
@Andreagit97
Copy link
Copy Markdown
Contributor Author

Andreagit97 commented Mar 11, 2026

Sure! Done :)

@julianwiedmann julianwiedmann added area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. feature/ipv6 Relates to IPv6 protocol support labels Mar 12, 2026
@julianwiedmann julianwiedmann changed the title Icmpv6 policy drop final policy: Support ICMPv6 "destination unreachable" rejections for traffic that is denied by egress policy policy: return ICMPv6 "Destination unreachable" on IPv6 egress policy denials Mar 12, 2026
@julianwiedmann
Copy link
Copy Markdown
Member

julianwiedmann commented Mar 12, 2026

/test

julianwiedmann
julianwiedmann approved these changes Mar 12, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@julianwiedmann julianwiedmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thank you!

@julianwiedmann julianwiedmann added this pull request to the merge queue Mar 16, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 16, 2026
Merged via the queue into cilium:main with commit 644ae64 Mar 16, 2026
88 of 95 checks passed
@Andreagit97 Andreagit97 mentioned this pull request Mar 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joestringer joestringer joestringer left review comments

@dylandreimerink dylandreimerink dylandreimerink approved these changes

@julianwiedmann julianwiedmann julianwiedmann approved these changes

@christarazi christarazi christarazi approved these changes

Assignees

No one assigned

Labels

area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. feature/ipv6 Relates to IPv6 protocol support kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/major This PR introduces major new functionality to Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Andreagit97 @joestringer @youngnick @julianwiedmann @dylandreimerink @christarazi