[client] Add IPv6 support to ACL manager, USP filter, and forwarder (#5688)

client/internal/routemanager/systemops/systemops_generic.go

@@ -222,30 +222,20 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 			return err
 		}
 
-		// TODO: remove once IPv6 is supported on the interface
-		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
+		// When the interface has no v6, add v6 split-default as blackhole so
+		// unroutable v6 goes to WG (dropped, no AllowedIPs) instead of leaking
+		// to the system default route. When v6 is active, management sends ::/0
+		// as a separate route that the dedicated handler adds.
+		// Soft-fail: v6 blackhole is best-effort, don't abort v4 routing on failure.
+		if !r.wgInterface.Address().HasIPv6() {
+			if err := r.addV6SplitDefault(nextHop); err != nil {
+				log.Warnf("failed to add v6 split-default blackhole: %s", err)
 			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
 		}
 
 		return nil
 	case vars.Defaultv6:
-		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
-			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
-		}
-
-		return nil
+		return r.addV6SplitDefault(nextHop)
 	}
 
 	return r.addToRouteTable(prefix, nextHop)
@@ -266,30 +256,42 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 			result = multierror.Append(result, err)
 		}
 
-		// TODO: remove once IPv6 is supported on the interface
-		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			result = multierror.Append(result, err)
+		if !r.wgInterface.Address().HasIPv6() {
+			result = multierror.Append(result, r.removeV6SplitDefault(nextHop))
 		}
 
 		return nberrors.FormatErrorOrNil(result)
 	case vars.Defaultv6:
-		var result *multierror.Error
-		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		return nberrors.FormatErrorOrNil(result)
+		return nberrors.FormatErrorOrNil(r.removeV6SplitDefault(nextHop))
 	default:
 		return r.removeFromRouteTable(prefix, nextHop)
 	}
 }
 
+func (r *SysOps) addV6SplitDefault(nextHop Nexthop) error {
+	if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
+		return fmt.Errorf("add split 1: %w", err)
+	}
+	if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
+		if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
+			log.Warnf("Failed to rollback v6 split-default: %s", err2)
+		}
+		return fmt.Errorf("add split 2: %w", err)
+	}
+	return nil
+}
+
+func (r *SysOps) removeV6SplitDefault(nextHop Nexthop) *multierror.Error {
+	var result *multierror.Error
+	if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
+		result = multierror.Append(result, err)
+	}
+	if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
+		result = multierror.Append(result, err)
+	}
+	return result
+}
+
 func (r *SysOps) setupHooks(initAddresses []net.IP, stateManager *statemanager.Manager) error {
 	beforeHook := func(connID hooks.ConnectionID, prefix netip.Prefix) error {
 		if _, err := r.refCounter.IncrementWithID(string(connID), prefix, struct{}{}); err != nil {