From 9cf643f126d4c1aebf4606236d91b19c7d39ed47 Mon Sep 17 00:00:00 2001
From: sridhar
Date: Mon, 1 Apr 2024 15:40:42 -0700
Subject: [PATCH 1/2] Do wep rpf check for icmpv6 if src is not link local
---
 felix/bpf-gpl/ip_addr.h | 2 +-
 felix/bpf-gpl/tc.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/felix/bpf-gpl/ip_addr.h b/felix/bpf-gpl/ip_addr.h
index 04004d1e12a..582c7b8ca62 100644
--- a/felix/bpf-gpl/ip_addr.h
+++ b/felix/bpf-gpl/ip_addr.h
@@ -47,7 +47,7 @@ static CALI_BPF_INLINE int ipv6_addr_t_cmp(ipv6_addr_t *x, ipv6_addr_t *y)
 }
 #define ip_void(ip) ((ip).a == 0 && (ip).b == 0 && (ip).c == 0 && (ip).d == 0)
-#define ip_link_local(ip) (bpf_htonl((ip).a) == 0xfe800000)
+#define ip_link_local(ip) ((bpf_htonl((ip).a) & (0xffc00000)) == 0xfe800000)
 #define VOID_IP ({ipv6_addr_t x = {}; x;})
 #define ip_set_void(ip) do { \
 (ip).a = 0; \
diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
index 750be3abbc5..8fcf1f0bf91 100644
--- a/felix/bpf-gpl/tc.c
+++ b/felix/bpf-gpl/tc.c
@@ -456,7 +456,7 @@ static CALI_BPF_INLINE void calico_tc_process_ct_lookup(struct cali_tc_ctx *ctx)
 if (CALI_F_FROM_WEP
 #ifdef IPVER6
- && ctx->state->ip_proto != IPPROTO_ICMPV6
+ && !(ctx->state->ip_proto == IPPROTO_ICMPV6 && ip_link_local(ctx->state->ip_src))
 #endif
 ) {
 struct cali_rt *r = cali_rt_lookup(&ctx->state->ip_src);
From 9555d018c64ae9cef139fe43b252a66cc06204fc Mon Sep 17 00:00:00 2001
From: sridhar
Date: Tue, 2 Apr 2024 07:47:05 -0700
Subject: [PATCH 2/2] Add FV test
---
 felix/fv/bpf_dual_stack_test.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/felix/fv/bpf_dual_stack_test.go b/felix/fv/bpf_dual_stack_test.go
index f4ae72f6145..512020b648f 100644
--- a/felix/fv/bpf_dual_stack_test.go
+++ b/felix/fv/bpf_dual_stack_test.go
@@ -23,6 +23,7 @@ import (
 "context"
 "fmt"
 "net"
+ "regexp"
 "strconv"
 v1 "k8s.io/api/core/v1"
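Review bot: The rewritten `ip_link_local` carries no comment naming the prefix it matches, and it now decides which ICMPv6 packets skip the workload RPF check in tc.c, so the intent should be written down next to it. I would add `/* fe80::/10 (RFC 4291): compare only the top 10 bits of the first address word */` above the macro; the mask 0xffc00000 is the right one for a /10. The old form matched only addresses whose first 32 bits were exactly fe80:0000, so any other user of `ip_link_local` outside this diff now sees a wider match and is worth checking. As a style point, `bpf_ntohl` would read more naturally than `bpf_htonl` here, since the word is being converted from network order, though the two perform the same swap.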
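Review bot: ICMPv6 sent from the unspecified address `::` loses its exemption under the new condition in calico_tc_process_ct_lookup, and duplicate address detection sends its neighbor solicitations from exactly that source (RFC 4862). Unless those packets are accepted before this point, which the hunk does not show, they now reach `cali_rt_lookup(&ctx->state->ip_src)` and presumably fail the RPF check. If that is not intended, the exemption could read `&& !(ctx->state->ip_proto == IPPROTO_ICMPV6 && (ip_link_local(ctx->state->ip_src) || ip_void(ctx->state->ip_src)))`. The exemption also still covers every ICMPv6 type, so a workload can send echo requests from an arbitrary fe80::/10 source without the source being validated; narrowing it to the neighbor-discovery types would keep the RPF guarantee for everything else. The function body continues outside the hunk, so the handling after the lookup is inferred.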
@@ -377,6 +378,30 @@ func describeBPFDualStackTests(ctlbEnabled, ipv6Dataplane bool) bool {
 cc.Expect(Some, w[1][1], w[0][0], ExpectWithIPVersion(6))
 cc.CheckConnectivity()
 })
+
+ It("should be able to ping external client from w[0][0]", func() {
+ tc.TriggerDelayedStart()
+ externalClient := infrastructure.RunExtClient("ext-client")
+ _ = externalClient
+ ensureRightIFStateFlags(tc.Felixes[0], ifstate.FlgIPv4Ready|ifstate.FlgIPv6Ready)
+ ensureRightIFStateFlags(tc.Felixes[1], ifstate.FlgIPv4Ready|ifstate.FlgIPv6Ready)
+
+ tcpdump := externalClient.AttachTCPDump("any")
+ tcpdump.SetLogEnabled(true)
+ matcher := fmt.Sprintf("IP6 %s > %s: ICMP6, echo request",
+ felixIP6(0), externalClient.IPv6)
+
+ tcpdump.AddMatcher("ICMP", regexp.MustCompile(matcher))
+ tcpdump.Start()
+ defer tcpdump.Stop()
+
+ _, err := w[0][0].ExecCombinedOutput("ping6", "-c", "2", externalClient.IPv6)
+ Expect(err).NotTo(HaveOccurred())
+ Eventually(func() int { return tcpdump.MatchCount("ICMP") }).
+ Should(BeNumerically(">", 0), matcher)
+ externalClient.Stop()
+
+ })
 }
 } else {
 JustBeforeEach(func() {
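Review bot: The new test only proves that a legitimate ping6 from w[0][0] still reaches the external client; nothing checks the behaviour the first patch actually adds, namely that ICMPv6 from a workload with a source that is neither its own address nor link-local is now dropped by the RPF check. A companion case that sends an echo request from a non-owned global source and asserts that the tcpdump match count stays at zero would pin the security property. Separately, `externalClient.Stop()` runs only if every assertion passes, so a failed `Expect` leaves the container behind; `defer externalClient.Stop()` right after `RunExtClient` avoids that. The `_ = externalClient` line is dead, since the variable is used below, and can be removed.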