docs(networking): document host firewall and node IPv6 behavior #574
Aleksei Sviridkin (lexfrei) wants to merge 2 commits into
Walkthrough: This PR adds a new documentation section to the Cozystack networking architecture guide explaining the Cilium host firewall feature's behavior with IPv6. It describes the upstream datapath issue, the included BPF patch workaround, the resulting IPv4-only policy scope, and the configuration option to disable host firewall enforcement.
Code Review
This pull request adds a new section to the networking architecture documentation explaining how Cozystack handles Cilium's host firewall and node IPv6 connectivity, including details about a custom BPF patch. The reviewer suggested a minor phrasing improvement in the documentation for better clarity and grammatical correctness.
In upstream Cilium this combination drops all IPv6 traffic on the node's network devices before any policy evaluation. This breaks IPv6 Neighbor Discovery and, with it, all node-level IPv6 connectivity — for example, BGP unnumbered peering over link-local addresses on L3 fabrics. A `CiliumClusterwideNetworkPolicy` cannot allow this traffic back, because the drop happens before policy enforcement.
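Review bot: this paragraph describes the symptom but never names the drop, so a reader looking at agent output cannot tell this pre-policy drop from an ordinary policy deny; the code PR description identifies it as `DROP_UNKNOWN_L3` in `bpf_host.c`, reported as an "Unsupported L3 protocol" drop, and cites the upstream report cilium/cilium#33155. Add both right after "before any policy evaluation" so operators can confirm they are hitting this case and follow the upstream status.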
The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior with the host firewall disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:
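Review bot: the paragraph says the patch passes IPv6 to the kernel stack but not what that costs, and the cost is the security-relevant part: per the code PR, Cilium host policies then apply to IPv4 only and node IPv6 is not filtered by Cilium at all, so a `CiliumClusterwideNetworkPolicy` that locks down node ports gives no protection over IPv6. Make that the first item under "Practical consequences" and point operators who expose node services over IPv6 at a host-level filter (nftables) or at keeping IPv6 off the node. It would also help to name the upstream submission the carry tracks (cilium/cilium#46473 according to the code PR) so readers can see when the local patch can be dropped.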
Improve the phrasing from 'matching the behavior with the host firewall disabled' to 'matching the behavior when the host firewall is disabled' for better clarity and grammatical correctness.
The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior with the host firewall disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:
The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior when the host firewall is disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:
Reworded to "matching the behavior when the host firewall is disabled". Fixed in 64547b0.
🧹 Nitpick comments (1)
content/en/docs/next/networking/architecture.md (1)
397-408: Quick win: Consider adding a reference to the code PR.
The PR objectives mention that the BPF patch is implemented in cozystack/cozystack#2871. Adding a reference or link to that PR would help readers who want to understand the implementation details or track the status of an eventual upstream fix.
📝 Suggested addition
After line 403 or 404, consider adding:
The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior with the host firewall disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:
+
+(See [cozystack/cozystack#2871](https://github.com/cozystack/cozystack/pull/2871) for the patch implementation.)
Cilium's host firewall combined with the disabled IPv6 datapath drops all node IPv6 pre-policy in upstream Cilium. Document the BPF patch carried in the cozystack cilium image (IPv6 passed to the kernel stack, host policies apply to IPv4 only) and the host firewall opt-out. Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
Reword 'matching the behavior with the host firewall disabled' to 'matching the behavior when the host firewall is disabled' for clarity. Signed-off-by: Aleksei Sviridkin <f@lex.la>
b3e22a5 to 64547b0
…#2871)

## What this PR does

Cozystack enables Cilium's host firewall by default while the Cilium IPv6 datapath stays disabled (`ipv6.enabled=false`). In upstream Cilium this combination drops all node IPv6 on managed devices as "Unsupported L3 protocol" (`DROP_UNKNOWN_L3` in `bpf_host.c`) before any policy evaluation, in both directions. This breaks ICMPv6 Neighbor Discovery — and with it all node-level IPv6, e.g. BGP unnumbered over link-local addresses on L3 fabrics. No `CiliumClusterwideNetworkPolicy` can allow this traffic, because the drop happens before policy enforcement (upstream report: cilium/cilium#33155, closed stale).

The cozystack cilium image now carries a minimal BPF patch that passes IPv6 to the kernel stack instead, mirroring the behavior with the host firewall disabled:

- `packages/system/cilium/images/cilium/patches/` — three `ETH_P_IPV6` passthrough cases under `#ifndef ENABLE_IPV6` in `bpf_host.c`. The fourth `DROP_UNKNOWN_L3` site (`from_host_to_lxc`) is intentionally not covered: bpf_lxc drops IPv6 without the v6 datapath regardless, so a passthrough there restores nothing.
- The multi-stage Dockerfile applies the patch with `patch --fuzz=0` plus a marker-count check, so upstream drift fails the image build loudly.
- `make update` dry-runs the patch against the freshly vendored upstream tag, so a cilium version bump surfaces drift immediately.
- `values.yaml` documents the consequence: Cilium host policies apply to IPv4 only; node IPv6 is not filtered by Cilium.

The same fix was submitted upstream: cilium/cilium#46473. The local patch is carried until it lands in a release Cozystack ships.

Verification: the image builds and contains the patched source; a corrupted patch context fails the build with a clear error; the upstream variant of this change passes new BPF unit tests that fail without the fix with exactly the "Unsupported L3 protocol" drop from the field report; existing host-firewall and IPv6 BPF tests still compile. PR e2e exercises runtime BPF compilation of the patched source, since the agent compiles `bpf_host.c` at startup.

Docs: cozystack/website#574
Closes #2806

### Screenshots

Not a UI change.

### Release note

```release-note
fix(cilium): node IPv6 (ICMPv6 Neighbor Discovery, BGP unnumbered over link-local) now works with the host firewall enabled; Cilium host policies apply to IPv4 only, node IPv6 is not filtered by Cilium
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * Pass IPv6 traffic to the kernel stack when the Cilium IPv6 datapath is disabled, preventing it from being treated as an unknown L3 protocol.
* **Documentation**
  * Added clarification on host firewall behavior: with hostFirewall enabled and IPv6 datapath disabled, policies apply to IPv4 only.
* **Chores**
  * Improved the Cilium image build/update flow by validating the IPv6 patch against the upstream Cilium version to ensure compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
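The build and update mechanics the code PR body above describes (apply with `patch --fuzz=0`, verify a marker count, dry-run the patch against a freshly vendored upstream tag before bumping) are worth seeing end to end. The script below is an added example written for this page; it is not Cozystack's Dockerfile or Makefile and does not use real Cilium sources. The stand-in `bpf_host.c` contents, the marker string `cozy-ipv6-passthrough`, the helper names `apply_checked` and `dry_run`, and the "drifted" upstream copy are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Cozystack's build files): carry a downstream patch against
# a vendored upstream file and make upstream drift fail loudly. Everything here
# is constructed: the stand-in source, the patch derived from it and the
# "drifted" copy. Real Cilium bpf_host.c looks different.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the vendored upstream source (not real bpf_host.c).
cat > "$WORK/upstream.c" <<'EOF'
static int handle_proto(__u16 proto)
{
	switch (proto) {
	case bpf_htons(ETH_P_IP):
		return handle_ipv4(ctx);
	default:
		return DROP_UNKNOWN_L3;
	}
}
EOF

# Constructed patched variant: pass IPv6 to the stack when the v6 datapath is off.
cat > "$WORK/patched.c" <<'EOF'
static int handle_proto(__u16 proto)
{
	switch (proto) {
	case bpf_htons(ETH_P_IP):
		return handle_ipv4(ctx);
#ifndef ENABLE_IPV6
	case bpf_htons(ETH_P_IPV6):
		return CTX_ACT_OK; /* cozy-ipv6-passthrough */
#endif
	default:
		return DROP_UNKNOWN_L3;
	}
}
EOF

# The carried patch, generated from the two constructed trees (diff exits 1 on differences).
diff -u "$WORK/upstream.c" "$WORK/patched.c" > "$WORK/ipv6-passthrough.patch" || true

# apply_checked FILE PATCH MARKER EXPECTED_COUNT
# --fuzz=0 makes every context line mandatory, so a changed neighbouring line
# fails instead of being applied at an offset; the marker count then catches a
# patch that applied to the wrong number of places. -f only suppresses prompts.
apply_checked() {
	file=$1 patch_file=$2 marker=$3 want=$4
	if ! patch --fuzz=0 -f "$file" "$patch_file" >/dev/null; then
		echo "patch context no longer matches upstream: $patch_file" >&2
		return 1
	fi
	got=$(grep -c "$marker" "$file" || true)
	if [ "$got" -ne "$want" ]; then
		echo "marker '$marker' found $got times in $file, expected $want" >&2
		return 1
	fi
}

# dry_run FILE PATCH: the check an update step runs before accepting a new upstream tag.
dry_run() {
	patch --dry-run --fuzz=0 -f "$1" "$2" >/dev/null
}

# Build path: apply to a fresh copy of the vendored file.
cp "$WORK/upstream.c" "$WORK/build.c"
apply_checked "$WORK/build.c" "$WORK/ipv6-passthrough.patch" cozy-ipv6-passthrough 1
echo "patch applied and marker verified"

# Update path: a new upstream that changed a context line must be caught before the bump.
sed 's/handle_ipv4(ctx)/handle_ipv4(ctx, proto)/' "$WORK/upstream.c" > "$WORK/drifted.c"
if dry_run "$WORK/drifted.c" "$WORK/ipv6-passthrough.patch"; then
	echo "drift not detected" >&2
	exit 1
fi
echo "drift detected: refresh the patch before bumping the upstream tag"
```

The drift case changes the context line directly above the insertion point. With GNU patch's default fuzz factor of 2 that hunk would still apply, because fuzz lets patch ignore mismatching context lines at the edges of a hunk; `--fuzz=0` is what turns a context change into a hard failure. The marker count covers the other silent failure, a patch that applied cleanly but to a different number of sites than intended.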
What this PR does
Documents the interaction between Cilium's host firewall (enabled by default) and node IPv6 in the networking architecture page: upstream Cilium drops all node IPv6 before policy evaluation when the IPv6 datapath is disabled; the Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead; Cilium host policies apply to IPv4 only; the host firewall can be disabled via `cilium.hostFirewall.enabled: false`.

Code PR: cozystack/cozystack#2871
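To confirm on a node whether IPv6 is being dropped before policy evaluation, as this PR describes, rather than by a host policy, the drop reason is the distinguishing signal: the code PR names it as `DROP_UNKNOWN_L3`, reported as "Unsupported L3 protocol", whereas a host policy deny shows up under its own reason. The triage script below is an added example, not part of this PR, Cozystack or Cilium. Its sample lines are constructed to resemble `cilium monitor --type drop` output, and the field layout it parses (drop reason in parentheses, `ifindex N`, a `src -> dst` tuple after the last `: `) is an assumption; adjust the awk patterns to the real output of your agent version.

```shell
#!/bin/sh
# Added example: triage drop events to separate pre-policy IPv6 drops
# (DROP_UNKNOWN_L3, "Unsupported L3 protocol") from policy denials.
# Not Cozystack or Cilium code. SAMPLE_DROPS is constructed; the field layout
# is an assumption about `cilium monitor --type drop` output.
set -eu

SAMPLE_DROPS='xx drop (Unsupported L3 protocol) flow 0x0 to endpoint 0, ifindex 2, file bpf_host.c:780, , identity unknown->unknown: fe80::5054:ff:fe12:3456 -> ff02::1:ff12:3456 ICMPv6
xx drop (Policy denied) flow 0x0 to endpoint 0, ifindex 2, file bpf_host.c:900, , identity world->host: 203.0.113.9:51234 -> 192.0.2.10:22 tcp SYN
xx drop (Unsupported L3 protocol) flow 0x0 to endpoint 0, ifindex 3, file bpf_host.c:780, , identity unknown->unknown: fe80::1 -> fe80::2 ICMPv6
xx drop (Unsupported L3 protocol) flow 0x0 to endpoint 0, ifindex 2, file bpf_host.c:780, , identity unknown->unknown: fe80::1 -> ff02::2 ICMPv6'

# summarize_drops: stdin = monitor lines; stdout = "reason<TAB>ifindex<TAB>count", sorted.
# Gives a quick picture of which devices drop for which reason.
summarize_drops() {
	awk '
	match($0, /drop \([^)]*\)/) {
		reason = substr($0, RSTART + 6, RLENGTH - 7)
		ifidx = "?"
		if (match($0, /ifindex [0-9]+/)) ifidx = substr($0, RSTART + 8, RLENGTH - 8)
		n[reason "\t" ifidx]++
	}
	END { for (k in n) print k "\t" n[k] }
	' | sort
}

# pre_policy_ipv6_drops: only IPv6 flows dropped as an unsupported L3 protocol,
# the symptom the upstream datapath produces with ipv6.enabled=false and the
# host firewall on. Prints "ifindex src dst" per event. IPv6 literals are
# recognised as hex-and-colon runs (IPv4 host:port tuples contain dots).
pre_policy_ipv6_drops() {
	awk '
	/drop \(Unsupported L3 protocol\)/ {
		ifidx = "?"
		if (match($0, /ifindex [0-9]+/)) ifidx = substr($0, RSTART + 8, RLENGTH - 8)
		if (match($0, /: [0-9a-f:]+ -> [0-9a-f:]+/)) {
			tuple = substr($0, RSTART + 2, RLENGTH - 2)
			split(tuple, p, " -> ")
			print ifidx, p[1], p[2]
		}
	}
	'
}

# count_pre_policy_ipv6_drops: number of such events on stdin.
count_pre_policy_ipv6_drops() {
	pre_policy_ipv6_drops | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DROPS" | summarize_drops
printf '%s\n' "$SAMPLE_DROPS" | pre_policy_ipv6_drops
```

A non-zero count from `pre_policy_ipv6_drops` on a node that should be running the patched image means the passthrough is not in effect on that device; a node where only `Policy denied` events appear for IPv6 is being filtered by policy, which the patched image does not do for IPv6 at all.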