Skip to content

docs(networking): document host firewall and node IPv6 behavior#574

Open
Aleksei Sviridkin (lexfrei) wants to merge 3 commits into
mainfrom
docs/cilium-hostfw-ipv6-passthrough
Open

docs(networking): document host firewall and node IPv6 behavior#574
Aleksei Sviridkin (lexfrei) wants to merge 3 commits into
mainfrom
docs/cilium-hostfw-ipv6-passthrough

Conversation

@lexfrei

@lexfrei Aleksei Sviridkin (lexfrei) commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

What this PR does

Documents the interaction between Cilium's host firewall (enabled by default) and node IPv6 in the networking architecture page: upstream Cilium drops all node IPv6 before policy evaluation when the IPv6 datapath is disabled; the Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead; Cilium host policies apply to IPv4 only; the host firewall can be disabled via cilium.hostFirewall.enabled: false.

Code PR: cozystack/cozystack#2871

Summary by CodeRabbit

  • Documentation
    • Added clarification on host firewall behavior when enabled, including how it affects system-port restrictions and policy enforcement scope.
    • Documented the interaction with node IPv6 connectivity and the available opt-out configuration to disable IPv4 host policy enforcement.

@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@lexfrei, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 11 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c316240d-c705-4665-b186-6304592172b4

📥 Commits

Reviewing files that changed from the base of the PR and between a349444 and 4eb9d4c.

📒 Files selected for processing (1)
  • content/en/docs/next/networking/architecture.md
📝 Walkthrough

Walkthrough

This PR adds documentation explaining Cozystack’s Cilium host firewall behavior with IPv6, including the upstream IPv6 datapath limitation, the BPF patch workaround, the IPv4-only host policy scope, and the opt-out configuration.

Changes

Cilium Host Firewall and IPv6 Documentation

Layer / File(s) Summary
Host Firewall and Node IPv6 Documentation
content/en/docs/next/networking/architecture.md
Adds a new section describing host firewall enforcement, the IPv6 node connectivity issue, the included BPF patch workaround, the IPv4-only policy scope, and the cilium.hostFirewall.enabled: false opt-out.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the documentation update about host firewall behavior and node IPv6 handling.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/cilium-hostfw-ipv6-passthrough

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a new section to the networking architecture documentation explaining how Cozystack handles Cilium's host firewall and node IPv6 connectivity, including details about a custom BPF patch. The reviewer suggested a minor phrasing improvement in the documentation for better clarity and grammatical correctness.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.


In upstream Cilium this combination drops all IPv6 traffic on the node's network devices before any policy evaluation. This breaks IPv6 Neighbor Discovery and, with it, all node-level IPv6 connectivity — for example, BGP unnumbered peering over link-local addresses on L3 fabrics. A `CiliumClusterwideNetworkPolicy` cannot allow this traffic back, because the drop happens before policy enforcement.

The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior with the host firewall disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Improve the phrasing from 'matching the behavior with the host firewall disabled' to 'matching the behavior when the host firewall is disabled' for better clarity and grammatical correctness.

Suggested change
The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior with the host firewall disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:
The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior when the host firewall is disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reworded to "matching the behavior when the host firewall is disabled". Fixed in 64547b0.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
content/en/docs/next/networking/architecture.md (1)

397-408: ⚡ Quick win

Consider adding a reference to the code PR.

The PR objectives mention that the BPF patch is implemented in cozystack/cozystack#2871. Adding a reference or link to that PR would help readers who want to understand the implementation details or track the status of an eventual upstream fix.

📝 Suggested addition

After line 403 or 404, consider adding:

 The Cilium image shipped with Cozystack carries a BPF patch that passes IPv6 to the kernel stack instead, matching the behavior with the host firewall disabled. The patch is carried until an equivalent fix is available upstream. Practical consequences:
+
+(See [cozystack/cozystack#2871](https://github.com/cozystack/cozystack/pull/2871) for the patch implementation.)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/networking/architecture.md` around lines 397 - 408, Add
a reference to the implementation PR cozystack/cozystack#2871 in the text
discussing the BPF patch so readers can follow the implementation and upstream
status; update the paragraph that starts "The Cilium image shipped with
Cozystack carries a BPF patch..." to include a brief parenthetical or sentence
linking to cozystack/cozystack#2871 (or its canonical URL) and, if useful, note
the PR title or status to provide context.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@content/en/docs/next/networking/architecture.md`:
- Around line 397-408: Add a reference to the implementation PR
cozystack/cozystack#2871 in the text discussing the BPF patch so readers can
follow the implementation and upstream status; update the paragraph that starts
"The Cilium image shipped with Cozystack carries a BPF patch..." to include a
brief parenthetical or sentence linking to cozystack/cozystack#2871 (or its
canonical URL) and, if useful, note the PR title or status to provide context.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0772b5f8-5b66-4ae4-b0e3-f8961c88b14a

📥 Commits

Reviewing files that changed from the base of the PR and between 7a5ab3c and b3e22a5.

📒 Files selected for processing (1)
  • content/en/docs/next/networking/architecture.md

@netlify

netlify Bot commented Jun 10, 2026

Copy link
Copy Markdown

Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit 4eb9d4c
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a44fb1480bf1f0008c2cfcb
😎 Deploy Preview https://deploy-preview-574--cozystack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the docs/cilium-hostfw-ipv6-passthrough branch from b3e22a5 to 64547b0 Compare June 22, 2026 12:24
Aleksei Sviridkin (lexfrei) added a commit to cozystack/cozystack that referenced this pull request Jun 23, 2026
…#2871)

## What this PR does

Cozystack enables Cilium's host firewall by default while the Cilium
IPv6 datapath stays disabled (`ipv6.enabled=false`). In upstream Cilium
this combination drops all node IPv6 on managed devices as "Unsupported
L3 protocol" (`DROP_UNKNOWN_L3` in `bpf_host.c`) before any policy
evaluation, in both directions. This breaks ICMPv6 Neighbor Discovery —
and with it all node-level IPv6, e.g. BGP unnumbered over link-local
addresses on L3 fabrics. No `CiliumClusterwideNetworkPolicy` can allow
this traffic, because the drop happens before policy enforcement
(upstream report: cilium/cilium#33155, closed stale).

The cozystack cilium image now carries a minimal BPF patch that passes
IPv6 to the kernel stack instead, mirroring the behavior with the host
firewall disabled:

- `packages/system/cilium/images/cilium/patches/` — three `ETH_P_IPV6`
passthrough cases under `#ifndef ENABLE_IPV6` in `bpf_host.c`. The
fourth `DROP_UNKNOWN_L3` site (`from_host_to_lxc`) is intentionally not
covered: bpf_lxc drops IPv6 without the v6 datapath regardless, so a
passthrough there restores nothing.
- The multi-stage Dockerfile applies the patch with `patch --fuzz=0`
plus a marker-count check, so upstream drift fails the image build
loudly.
- `make update` dry-runs the patch against the freshly vendored upstream
tag, so a cilium version bump surfaces drift immediately.
- `values.yaml` documents the consequence: Cilium host policies apply to
IPv4 only; node IPv6 is not filtered by Cilium.

The same fix was submitted upstream: cilium/cilium#46473. The local
patch is carried until it lands in a release Cozystack ships.

Verification: the image builds and contains the patched source; a
corrupted patch context fails the build with a clear error; the upstream
variant of this change passes new BPF unit tests that fail without the
fix with exactly the "Unsupported L3 protocol" drop from the field
report; existing host-firewall and IPv6 BPF tests still compile. PR e2e
exercises runtime BPF compilation of the patched source, since the agent
compiles `bpf_host.c` at startup.

Docs: cozystack/website#574

Closes #2806

### Screenshots

Not a UI change.

### Release note

```release-note
fix(cilium): node IPv6 (ICMPv6 Neighbor Discovery, BGP unnumbered over link-local) now works with the host firewall enabled; Cilium host policies apply to IPv4 only, node IPv6 is not filtered by Cilium
```


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Pass IPv6 traffic to the kernel stack when the Cilium IPv6 datapath is
disabled, preventing it from being treated as an unknown L3 protocol.
* **Documentation**
* Added clarification on host firewall behavior: with hostFirewall
enabled and IPv6 datapath disabled, policies apply to IPv4 only.
* **Chores**
* Improved the Cilium image build/update flow by validating the IPv6
patch against the upstream Cilium version to ensure compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Cilium's host firewall combined with the disabled IPv6 datapath drops
all node IPv6 pre-policy in upstream Cilium. Document the BPF patch
carried in the cozystack cilium image (IPv6 passed to the kernel stack,
host policies apply to IPv4 only) and the host firewall opt-out.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
Reword 'matching the behavior with the host firewall disabled' to
'matching the behavior when the host firewall is disabled' for clarity.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei Aleksei Sviridkin (lexfrei) force-pushed the docs/cilium-hostfw-ipv6-passthrough branch from 64547b0 to a349444 Compare July 1, 2026 10:45
…ntation

Point readers at the upstream implementation of the BPF patch that
passes node IPv6 to the kernel stack when Cilium's host firewall is
enabled, so the provenance of the carried patch is traceable.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@lexfrei

Copy link
Copy Markdown
Contributor Author

Applied the nitpick — linked the BPF patch paragraph to its implementation in cozystack/cozystack#2871.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant