policy: allow neighbors with reachable state

Related to previous commit, which adds the default gateway neighbor, and that entry has the state of reachable. Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-26 10:32:28 +00:00 · 2025-08-19 16:45:47 -07:00
parent 83bbfedc08
commit f1bcfb8a62
4 changed files with 31 additions and 1 deletions
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -392,6 +392,10 @@
            ],
            "forbidden_cidrs_regex": [
                "^127\\.(?:[0-9]{1,3}\\.){2}[0-9]{1,3}$"
+            ],
+            "allowed_states": [
+                2,
+                128
            ]
        },
        "CloseStdinRequest": false,
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1712,7 +1712,7 @@ AddARPNeighborsRequest if {
        every p_cidr in p_defaults.forbidden_cidrs_regex {
            not regex.match(p_cidr, i_neigh.toIPAddress.address)
        }
-        i_neigh.state == 128
+        i_neigh.state in p_defaults.allowed_states
        bits.or(i_neigh.flags, 136) == 136
    }

--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -374,6 +374,9 @@ pub struct AddARPNeighborsRequestDefaults {
    /// Explicitly blocked IP address ranges.
    /// Should include loopback addresses and other CIDRs that should not be routed outside the VM.
    forbidden_cidrs_regex: Vec<String>,
+
+    /// Allowed neighbor states. See https://www.man7.org/linux/man-pages/man8/ip-neighbour.8.html
+    allowed_states: Vec<u32>,
 }

 /// Settings specific to each kata agent endpoint, loaded from
--- a/src/tools/genpolicy/tests/policy/testdata/addarpneighbors/testcases.json
+++ b/src/tools/genpolicy/tests/policy/testdata/addarpneighbors/testcases.json
@@ -21,6 +21,29 @@
      }
    }
  },
+  {
+    "allowed": true,
+    "description": "allowed state: reachable",
+    "kind": "AddARPNeighborsRequest",
+    "request": {
+      "type": "AddARPNeighbors",
+      "neighbors": {
+        "ARPNeighbors": [
+          {
+            "toIPAddress": {
+              "family": 0,
+              "address": "10.0.0.1",
+              "mask": ""
+            },
+            "device": "eth0",
+            "lladdr": "00:00:5e:00:53:01",
+            "state": 2,
+            "flags": 0
+          }
+        ]
+      }
+    }
+  },
  {
    "allowed": true,
    "description": "allowed flags: NTF_PROXY",