
OCPBUGS-62267: fix forwarded header for IPv6 on IPv4 stack#713

Open
jcmoraisjr wants to merge 1 commit intoopenshift:masterfrom
jcmoraisjr:fix-forward-ipv6

Conversation

@jcmoraisjr
Contributor

Source IP on the Forwarded header is built depending on the configured stack: if IPv4-only or IPv6-only, no special handling is done. On dual stack, the router checks whether the source is IPv6 in order to format it properly with brackets and double quotes.

However, if a fronting load balancer has IPv6 or dual stack, a client sends a request over IPv6 and the router is configured with PROXY protocol, the source IPv6 will be received on the router but handled as IPv4, missing brackets and double quotes.

This is being changed in the following way:

  • `append` or `replace` mode: using the `option forwarded` keyword instead, which already handles IPv6 correctly
  • `if-none` mode: `option forwarded` doesn't support ACLs, so the header is built manually and the source is always checked for IPv6

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 16, 2026
@openshift-ci-robot
Contributor

@jcmoraisjr: This pull request references Jira Issue OCPBUGS-62267, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

Source IP on Forwarded header is built depending on the configured stack: if IPv4 or IPv6 only, no special handling is done. On dual stack, router checks if the source is IPv6 in order to properly format with brackets and double quotes.

However if a fronting load balancer has IPv6 or dual stack, a client sends a request on IPv6 and router is configured with PROXY protocol, the source IPv6 will be received on the router, but it'll be handled as IPv4, missing brackets and double quotes.

This is being changed in the following way:

  • append or replace mode: using option forwarded keyword instead, which already handles IPv6 correctly
  • if-none mode: option forwarded doesn't support acl, so using manual building and always checking if src is IPv6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@jcmoraisjr
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 16, 2026
@openshift-ci-robot
Contributor

@jcmoraisjr: This pull request references Jira Issue OCPBUGS-62267, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86


In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from melvinjoseph86 January 16, 2026 18:21
@melvinjoseph86

Did a primary check on the cluster created using the PR. In particular, the changes can be seen in the HAProxy template.

➜  Downloads oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0-2026-01-18-131737-test-ci-ln-02h9ckk-latest   True        False         162m    Cluster version is 4.19.0-0-2026-01-18-131737-test-ci-ln-02h9ckk-latest

➜  Downloads oc rsh  -n openshift-ingress router-default-fc4bd58bc-8kxdq 
sh-5.1$ cat haproxy-config.template 
{{/*
    haproxy-config.cfg: contains the main config with helper backends that are used to terminate
    					encryption before finally sending to a host_be which is the backend that is the final
    					backend for a route and contains all the endpoints for the service
    					
    <-----snipp---->
      http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  **option forwarded for proto host-expr req.hdr(host)**
          {{- else if eq $setHeaders "replace" }}
  http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port %[dst_port]
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  **http-request del-header Forwarded
  option forwarded for proto host-expr req.hdr(host)**
          {{- else if eq $setHeaders "if-none" }}
            {{- /* X-Forwarded-For: is handled by "option forwardfor if-none" above.  */}}
  http-request set-header X-Forwarded-Host %[req.hdr(host)] if !{ req.hdr(X-Forwarded-Host) -m found }
  http-request set-header X-Forwarded-Port %[dst_port] if !{ req.hdr(X-Forwarded-Port) -m found }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc } !{ req.hdr(X-Forwarded-Proto) -m found }
  http-request set-header X-Forwarded-Proto https if { ssl_fc } !{ req.hdr(X-Forwarded-Proto) -m found }
  http-request set-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 } !{ req.hdr(X-Forwarded-Proto-Version) -m found }
  # See the quoting rules in https://tools.ietf.org/html/rfc7239 for IPv6 addresses (v4 addresses get translated to v6 when in hybrid mode)
            **{{- /*
              - Adding header manually: option forwarded does not support adding header conditionally
              - Checking for IPv6 address despite of the router IP family config: an IPv6 could be in place on IPv4 stack if using PROXY protocol and behind a LB with IPv6 stack
            */}}**
  acl ipv6_addr src -m sub :
      <-----snipp---->

May also check that the functionality is working.
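The PR description above and the `acl ipv6_addr src -m sub :` line in the quoted template both turn on one point: whether the source is an IPv6 literal has to be decided from the address itself, not from the router's configured IP family, because PROXY protocol can deliver an IPv6 source to an IPv4-only router. The following Python is an added example, not code from the openshift/router project: it builds the RFC 7239 `for=` node the way the fixed template does (bracketed and quoted for IPv6, bare for IPv4), keeps the pre-fix behaviour beside it so the failure mode is visible, and includes a small Forwarded parser/checker of the kind an e2e test could use to assert that the header a router emits is well-formed. All addresses and hostnames are constructed sample values; the function and regex names are this example's own. An IPv4-mapped address such as `::ffff:192.0.2.43` is treated as IPv6 here, matching what a substring check on `:` does.

```python
import ipaddress
import re
from typing import Optional

# RFC 7239 / RFC 7230 lexical pieces: a pair value is a token or a quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PAIR_RE = re.compile(rf"({_TOKEN})=({_TOKEN}|{_QUOTED})")
# node = nodename [ ":" node-port ]; nodename is IPv4, "[" IPv6 "]", "unknown" or an obfuscated "_name".
_NODE_RE = re.compile(
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})|unknown|_[A-Za-z0-9._-]+)"
    r"(?::(?:\d{1,5}|_[A-Za-z0-9._-]+))?"
)


def is_ipv6_literal(src: str) -> bool:
    """Mirror of the template's `acl ipv6_addr src -m sub :` check.

    Any ':' in the source means IPv6, regardless of the router's own IP family.
    With PROXY protocol an IPv6 source can arrive at an IPv4-only router.
    """
    return ":" in src


def forwarded_for_value(src: str, port: Optional[int] = None) -> str:
    """Return the RFC 7239 `for=` value for a validated source address.

    ':' and '[' ']' are not token characters, so an IPv6 node must be bracketed
    and the whole node emitted as a quoted-string; an IPv4 node with a port
    needs quoting for the same reason.
    """
    if is_ipv6_literal(src):
        ipaddress.IPv6Address(src)  # raises on garbage instead of forwarding it
        node = f"[{src}]" + (f":{port}" if port is not None else "")
        return f'"{node}"'
    ipaddress.IPv4Address(src)
    if port is not None:
        return f'"{src}:{port}"'
    return src


def forwarded_for_value_buggy(src: str, dual_stack: bool) -> str:
    """Pre-fix behaviour: the IPv6 check only runs on a dual-stack router.

    On an IPv4-only router behind an IPv6 load balancer speaking PROXY protocol
    the IPv6 source falls through and is emitted bare, which is the reported bug.
    """
    if dual_stack and is_ipv6_literal(src):
        return f'"[{src}]"'
    return src


def _pair_value(value: str) -> str:
    """Quote a pair value unless it is already a plain token."""
    if re.fullmatch(_TOKEN, value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_forwarded(src: str, proto: str, host: str) -> str:
    """Assemble for=, proto= and host= the way `option forwarded for proto host-expr` does."""
    return f"for={forwarded_for_value(src)};proto={_pair_value(proto)};host={_pair_value(host)}"


def parse_forwarded(header: str) -> list:
    """Parse a Forwarded header value into one dict per forwarded-element.

    Raises ValueError on a pair that is neither token=token nor token=quoted-string,
    which is exactly what a bare IPv6 literal such as `for=2001:db8::1` produces.
    """
    elements = []
    for element in header.split(","):
        pairs = {}
        for pair in element.split(";"):
            pair = pair.strip()
            if not pair:
                continue
            m = _PAIR_RE.fullmatch(pair)
            if m is None:
                raise ValueError(f"malformed forwarded-pair: {pair!r}")
            name, value = m.group(1).lower(), m.group(2)
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # strip quotes, unescape
            pairs[name] = value
        elements.append(pairs)
    return elements


def for_nodes_well_formed(header: str) -> bool:
    """True only if the header parses and every `for=` node is a valid RFC 7239 node
    carrying a real IP address (IPv6 bracketed and quoted, IPv4 bare)."""
    try:
        elements = parse_forwarded(header)
    except ValueError:
        return False
    for element in elements:
        node = element.get("for")
        if node is None:
            continue
        m = _NODE_RE.fullmatch(node)
        if m is None:
            return False
        try:
            if m.group("v6"):
                ipaddress.IPv6Address(m.group("v6"))
            elif m.group("v4"):
                ipaddress.IPv4Address(m.group("v4"))
        except ValueError:
            return False
    return True
```

Running `for_nodes_well_formed` over headers captured from a router under test gives a pass/fail check that does not depend on the cluster's IP family: `forwarded_for_value_buggy("2001:db8::1", dual_stack=False)` yields the bare `2001:db8::1`, and the checker rejects a header built from it, while the fixed builder's output passes.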

Contributor

@alebedev87 alebedev87 left a comment


The change looks good to me, option forwarded is a nice addition to simplify the template. My only puzzle is the testing. Normally we add e2e test scenarios to the cluster ingress operator repository and there is a good one already existing: forwarded header policy. It doesn't check Forwarded headers though, but it should. The most problematic thing would be to test an IPv6 client IP; we would need to create a new Prow test job, which would be a dualstack one, and only from there could we send some curl -6 requests. I'm not sure this is worth the effort. That is, if we don't go the e2e path, we need to rely on engineering's (manual) and QE's (maybe there is some automated testing for IPv6) testing to make sure we do the fix and don't break any existing behavior.

/approve

@openshift-ci
Contributor

openshift-ci bot commented Jan 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 20, 2026
@alebedev87
Contributor

/assign @Miciah

@lihongan
Contributor

/test list

@melvinjoseph86

/test e2e-metal-ipi-ovn-ipv6

1 similar comment
@melvinjoseph86

/test e2e-metal-ipi-ovn-ipv6

@openshift-ci
Contributor

openshift-ci bot commented Jan 21, 2026

@jcmoraisjr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6 428cb51 link false /test e2e-metal-ipi-ovn-ipv6

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@melvinjoseph86

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-dualstack periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6-runc periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

@openshift-ci
Contributor

openshift-ci bot commented Jan 21, 2026

@melvinjoseph86: trigger 7 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-dualstack
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6-runc
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5c848db0-f6c0-11f0-98ae-94e841c0f30a-0

@alebedev87
Contributor

/assign

@melvinjoseph86

/test e2e-metal-ipi-ovn-ipv6
/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-dualstack periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6-runc periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

@openshift-ci
Contributor

openshift-ci bot commented Jan 23, 2026

@melvinjoseph86: trigger 7 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-dualstack
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-dualstack
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6-runc
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/32d2f1c0-f876-11f0-8482-70e408e3c668-0

@melvinjoseph86

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance:

@openshift-ci
Contributor

openshift-ci bot commented Jan 24, 2026

@melvinjoseph86: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

@melvinjoseph86

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6 periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

@openshift-ci
Contributor

openshift-ci bot commented Jan 24, 2026

@melvinjoseph86: trigger 2 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6
  • periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7e48eae0-f93b-11f0-9936-b6d18bf6dac5-0

@melvinjoseph86

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

@openshift-ci
Contributor

openshift-ci bot commented Jan 25, 2026

@melvinjoseph86: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4a18a140-f9cf-11f0-8a71-5172e5949f96-0

@melvinjoseph86

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

@openshift-ci
Contributor

openshift-ci bot commented Feb 3, 2026

@melvinjoseph86: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a6801a10-00c0-11f1-9789-acdb1a7e3a43-0

@melvinjoseph86

/retest

@melvinjoseph86

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

@openshift-ci
Contributor

openshift-ci bot commented Feb 4, 2026

@melvinjoseph86: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-nightly-4.22-e2e-agent-single-node-ipv6-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d1a33170-01a9-11f1-9bda-e2b350bf50ad-0
