From 8450e31ec749933a1cabdae4cabd1963cbee96df Mon Sep 17 00:00:00 2001 From: Aritra Basu Date: Fri, 20 Feb 2026 19:55:47 -0500 Subject: [PATCH] vpp-manager: set uplink admin-up only after RA is disabled Move InterfaceAdminUp() for the uplink interface to after DisableIP6RouterAdvertisements(). Previously, the uplink was brought admin-up immediately after creation and then configured with IPv6 enable, RA suppress, CNAT, VRF, addresses, and routes. This left a window where the interface was up with RA processing still active, allowing VPP to process Router Advertisements from the wire and potentially install unwanted SLAAC addresses or default routes before the intended configuration was in place. Signed-off-by: Aritra Basu --- vpp-manager/vpp_runner.go | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/vpp-manager/vpp_runner.go b/vpp-manager/vpp_runner.go index eec09172..93e75b12 100644 --- a/vpp-manager/vpp_runner.go +++ b/vpp-manager/vpp_runner.go @@ -487,6 +487,13 @@ func (v *VppRunner) configureVppUplinkInterface( return errors.Wrap(err, "Error disabling ipv6 RA on uplink interface") } + // Keep the interface admin-down until RA suppression is installed, then + // bring it up before programming the rest of IPv6/L3 state. + err = v.vpp.Retry(2*time.Second, 10, v.vpp.InterfaceAdminUp, ifSpec.SwIfIndex) + if err != nil { + return errors.Wrap(err, "Error setting uplink interface up") + } + err = v.vpp.CnatEnableFeatures(ifSpec.SwIfIndex) if err != nil { return errors.Wrap(err, "Error configuring NAT on uplink interface") @@ -1008,15 +1015,7 @@ func (v *VppRunner) runVpp() (err error) { return errors.Wrap(err, "Error creating uplink interface") } - // Data interface configuration - err = v.vpp.Retry(2*time.Second, 10, v.vpp.InterfaceAdminUp, v.params.UplinksSpecs[idx].SwIfIndex) - if err != nil { - terminateVpp("Error setting uplink interface up: %v", err) - v.vpp.Close() - <-vppDeadChan - return errors.Wrap(err, "Error setting uplink interface up") - } - + // Configure uplink and only bring it up after RA suppression is set. err = v.configureVppUplinkInterface(v.uplinkDriver[idx], v.conf[idx], v.params.UplinksSpecs[idx]) if err != nil {