[BPF] wg6 traffic is allowed even if blocked by policy

felix/bpf/libbpf/libbpf.go

@@ -418,6 +418,7 @@ func TcSetGlobals(
 		(*C.char)(unsafe.Pointer(&globalData.HostTunnelIPv6[0])),
 		C.uint(globalData.Flags),
 		C.ushort(globalData.WgPort),
+		C.ushort(globalData.Wg6Port),
 		C.uint(globalData.NatIn),
 		C.uint(globalData.NatOut),
 		C.uint(globalData.LogFilterJmp),

felix/bpf/libbpf/libbpf_api.h

@@ -152,6 +152,7 @@ void bpf_tc_set_globals(struct bpf_map *map,
 			char* host_tunnel_ip6,
 			uint flags,
 			ushort wg_port,
+			ushort wg6_port,
 			uint natin,
 			uint natout,
 			uint log_filter_jmp,
@@ -195,6 +196,8 @@ void bpf_tc_set_globals(struct bpf_map *map,
 		v6.jumps[i] = jumps6[i];
 	}
 
+	v6.wg_port = wg6_port;
+
 	data.v4 = v4;
 	data.v6 = v6;
 	set_errno(bpf_map__set_initial_value(map, (void*)(&data), sizeof(data)));

felix/bpf/libbpf/libbpf_common.go

@@ -26,6 +26,7 @@ type TcGlobalData struct {
 	HostTunnelIPv4 [16]byte
 	Flags          uint32
 	WgPort         uint16
+	Wg6Port        uint16
 	NatIn          uint32
 	NatOut         uint32
 	LogFilterJmp   uint32

felix/bpf/tc/attach.go

@@ -55,6 +55,7 @@ type AttachPoint struct {
 	TunnelMTU            uint16
 	VXLANPort            uint16
 	WgPort               uint16
+	Wg6Port              uint16
 	ExtToServiceConnmark uint32
 	PSNATStart           uint16
 	PSNATEnd             uint16
@@ -389,6 +390,7 @@ func (ap *AttachPoint) ConfigureProgram(m *libbpf.Map) error {
 		PSNatStart:   ap.PSNATStart,
 		PSNatLen:     ap.PSNATEnd,
 		WgPort:       ap.WgPort,
+		Wg6Port:      ap.Wg6Port,
 		NatIn:        ap.NATin,
 		NatOut:       ap.NATout,
 		LogFilterJmp: uint32(ap.LogFilterIdx),

felix/dataplane/linux/bpf_ep_mgr.go

@@ -279,6 +279,7 @@ type bpfEndpointManager struct {
 	vxlanMTU                int
 	vxlanPort               uint16
 	wgPort                  uint16
+	wg6Port                 uint16
 	dsrEnabled              bool
 	dsrOptoutCidrs          bool
 	bpfExtToServiceConnmark int
@@ -465,6 +466,7 @@ func newBPFEndpointManager(
 		vxlanMTU:                config.VXLANMTU,
 		vxlanPort:               uint16(config.VXLANPort),
 		wgPort:                  uint16(config.Wireguard.ListeningPort),
+		wg6Port:                 uint16(config.Wireguard.ListeningPortV6),
 		dsrEnabled:              config.BPFNodePortDSREnabled,
 		dsrOptoutCidrs:          len(config.BPFDSROptoutCIDRs) > 0,
 		bpfExtToServiceConnmark: config.BPFExtToServiceConnmark,
@@ -2595,6 +2597,7 @@ func (m *bpfEndpointManager) calculateTCAttachPoint(ifaceName string) *tc.Attach
 	ap.Type = endpointType
 	if ap.Type != tcdefs.EpTypeWorkload {
 		ap.WgPort = m.wgPort
+		ap.Wg6Port = m.wg6Port
 		ap.NATin = uint32(m.natInIdx)
 		ap.NATout = uint32(m.natOutIdx)
 	} else {

felix/dataplane/linux/int_dataplane.go

@@ -1511,7 +1511,7 @@ func (d *InternalDataplane) setUpIptablesBPF() {
 				// only go to the host. Make sure that they are not forwarded.
 				fwdRules = append(fwdRules, rules.ICMPv6Filter(d.ruleRenderer.IptablesFilterDenyAction())...)
 			}
-		} else if (t.IPVersion == 6) == (d.config.BPFIpv6Enabled) /* XXX remove condition for dual stack */ {
+		} else {
 			// Let the BPF programs know if Linux conntrack knows about the flow.
 			fwdRules = append(fwdRules, bpfMarkPreestablishedFlowsRules()...)
 			// The packet may be about to go to a local workload.  However, the local workload may not have a BPF

felix/fv/wireguard_test.go

@@ -104,11 +104,6 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
 					Skip("Skipping Wireguard supported tests.")
 				}
 
-				// IPv6 Wireguard is not supported on BPF dataplane, so skip in this case
-				if wireguardEnabledV6 && os.Getenv("FELIX_FV_ENABLE_BPF") == "true" {
-					Skip("Skipping IPv6 Wireguard testing on BPF dataplane")
-				}
-
 				// Enable Wireguard module debugging.
 				utils.Run("sudo", "sh", "-c", "echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control")
 
@@ -123,8 +118,9 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
 				log.Info("Started dmesg log capture")
 
 				infra = getInfra()
+				ipipEnabled := !BPFMode() || !wireguardEnabledV6
 				topologyOptions := wireguardTopologyOptions(
-					"CalicoIPAM", true, wireguardEnabledV4, wireguardEnabledV6,
+					"CalicoIPAM", ipipEnabled, wireguardEnabledV4, wireguardEnabledV6,
 					map[string]string{
 						"FELIX_DebugDisableLogDropping": "true",
 						"FELIX_DBG_WGBOOTSTRAP":         "true",
@@ -203,6 +199,10 @@ var _ = infrastructure.DatastoreDescribe("_BPF-SAFE_ WireGuard-Supported", []api
 						felix.Exec("ip", "route", "show", "cached")
 						felix.Exec("wg")
 						felix.Exec("wg", "show", "all", "private-key")
+						if BPFMode() {
+							felix.Exec("calico-bpf", "policy", "dump", "eth0", "all", "--asm")
+							felix.Exec("calico-bpf", "policy", "-6", "dump", "eth0", "all", "--asm")
+						}
 					}
 				}
 
@@ -1062,16 +1062,12 @@ var _ = infrastructure.DatastoreDescribe("WireGuard-Unsupported", []apiconfig.Da
 					Skip("Skipping Wireguard unsupported tests.")
 				}
 
-				// IPv6 Wireguard is not supported on BPF dataplane, so skip in this case
-				if wireguardEnabledV6 && os.Getenv("FELIX_FV_ENABLE_BPF") == "true" {
-					Skip("Skipping IPv6 Wireguard testing on BPF dataplane")
-				}
-
 				// Setup a single node cluster.
 				const nodeCount = 1
 
 				infra = getInfra()
-				tc, _ = infrastructure.StartNNodeTopology(nodeCount, wireguardTopologyOptions("CalicoIPAM", true, wireguardEnabledV4, wireguardEnabledV6), infra)
+				ipipEnabled := !BPFMode() || !wireguardEnabledV6
+				tc, _ = infrastructure.StartNNodeTopology(nodeCount, wireguardTopologyOptions("CalicoIPAM", ipipEnabled, wireguardEnabledV4, wireguardEnabledV6), infra)
 
 				// Install a default profile that allows all ingress and egress, in the absence of any Policy.
 				infra.AddDefaultAllow()