From e923609ba81527b6dd00771fbc19cb0ed3de620f Mon Sep 17 00:00:00 2001
From: Aritra Basu <aritrbas@cisco.com>
Date: Thu, 11 Dec 2025 18:47:50 -0500
Subject: [PATCH] fix IPv6 gateway reachability with ND proxy

IPv6 gateway traffic (DHCPv6/ICMPv6) fails when VPP takes over the uplink.
- Without gateway ND proxy, host NS for the default gateway is dropped by
  VPP with "neighbor solicitations for unknown targets" error due to
  missing /128 target entry in the tap FIB.

Fix:
- Enable ND proxy for the gateway on the tap so that the host can
  resolve the gateway via VPP.

This requires VPP patch https://gerrit.fd.io/r/c/vpp/+/44350 to fix
unicast NA handling in ND proxy which was leading to a NA loop bug.

Signed-off-by: Aritra Basu <aritrbas@cisco.com>
---
 vpp-manager/vpp_runner.go              | 16 ++++++++++++++++
 vpplink/generated/vpp_clone_current.sh |  3 +++
 2 files changed, 19 insertions(+)

diff --git a/vpp-manager/vpp_runner.go b/vpp-manager/vpp_runner.go
index 555884d9..4a1b9430 100644
--- a/vpp-manager/vpp_runner.go
+++ b/vpp-manager/vpp_runner.go
@@ -664,6 +664,22 @@ func (v *VppRunner) configureVppUplinkInterface(
 		}
 	}
 
+	/*
+	 * Add ND proxy for IPv6 gateway addresses.
+	 * Without ND proxy for gateway, host's NS for gateway is dropped with "neighbor
+	 * solicitations for unknown targets" error because there's no /128 FIB entry.
+	 * This requires VPP patch https://gerrit.fd.io/r/c/vpp/+/44350 to fix NA loop bug.
+	 */
+	for _, route := range ifState.Routes {
+		if route.Gw != nil && route.Gw.To4() == nil {
+			log.Infof("Adding ND proxy for IPv6 gateway %s", route.Gw)
+			err = v.vpp.EnableIP6NdProxy(tapSwIfIndex, route.Gw)
+			if err != nil {
+				log.Errorf("Error configuring ND proxy for gateway %s: %v", route.Gw, err)
+			}
+		}
+	}
+
 	if *config.GetCalicoVppDebug().GSOEnabled {
 		err = v.vpp.EnableGSOFeature(tapSwIfIndex)
 		if err != nil {
diff --git a/vpplink/generated/vpp_clone_current.sh b/vpplink/generated/vpp_clone_current.sh
index 23a4dcd3..35905e47 100755
--- a/vpplink/generated/vpp_clone_current.sh
+++ b/vpplink/generated/vpp_clone_current.sh
@@ -124,6 +124,9 @@ git_cherry_pick refs/changes/69/43369/16 # https://gerrit.fd.io/r/c/vpp/+/43369
 git_cherry_pick refs/changes/64/44464/9 # 44464: dispatch-trace: add filter support for pcap dispatch trace | https://gerrit.fd.io/r/c/vpp/+/44464
 git_cherry_pick refs/changes/67/44467/7 # 44467: bpf_trace_filter: add raw IP packet support | https://gerrit.fd.io/r/c/vpp/+/44467
 
+# fix unicast NA handling in VPP ND proxy
+git_cherry_pick refs/changes/50/44350/3 # 44350: vnet: fix unicast NA handling in ND proxy | https://gerrit.fd.io/r/c/vpp/+/44350
+
 # --------------- private plugins ---------------
 # Generated with 'git format-patch --zero-commit -o ./patches/ HEAD^^^'
 git_apply_private 0001-pbl-Port-based-balancer.patch