From f1bcfb8a62f1bc378647223598bf29ce4e6b2cf8 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Tue, 19 Aug 2025 16:45:47 -0700
Subject: [PATCH] policy: allow neighbors with reachable state

Related to previous commit, which adds the default gateway neighbor, and that entry has the state of reachable.

Signed-off-by: Saul Paredes
---
 src/tools/genpolicy/genpolicy-settings.json | 4 ++++
 src/tools/genpolicy/rules.rego | 2 +-
 src/tools/genpolicy/src/policy.rs | 3 +++
 .../testdata/addarpneighbors/testcases.json | 23 +++++++++++++++++++
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
index f606685f91..91dc3c5146 100644
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -392,6 +392,10 @@
 ],
 "forbidden_cidrs_regex": [
 "^127\\.(?:[0-9]{1,3}\\.){2}[0-9]{1,3}$"
+ ],
+ "allowed_states": [
+ 2,
+ 128
 ]
 },
 "CloseStdinRequest": false,
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index b1ef962908..50ced9add1 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1712,7 +1712,7 @@ AddARPNeighborsRequest if {
 every p_cidr in p_defaults.forbidden_cidrs_regex {
 not regex.match(p_cidr, i_neigh.toIPAddress.address)
 }
- i_neigh.state == 128
+ i_neigh.state in p_defaults.allowed_states
 bits.or(i_neigh.flags, 136) == 136
 }
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 7c94949bce..878e81dff2 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
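Review bot: Admitting state 2 (NUD_REACHABLE) next to 128 (NUD_PERMANENT) at `i_neigh.state in p_defaults.allowed_states` weakens what an approved entry guarantees: a permanent neighbor pins the IP-to-MAC binding for the life of the entry, whereas a reachable entry is managed by the kernel neighbor state machine and can age to stale and be re-resolved over the network, so the lladdr the policy approved is not authoritative afterwards. The commit message gives the reason (the default gateway entry arrives as reachable), but neither this hunk nor the genpolicy-settings.json hunk that introduces allowed_states records that trade-off; a comment above the check such as `# 2 = NUD_REACHABLE (kernel-managed, may be re-resolved), 128 = NUD_PERMANENT (static)` would keep it in front of whoever next edits the list. The membership test is exact, so a combined bitmask value like 130 is still rejected, and a settings file lacking allowed_states should leave the expression undefined and the rule failing closed, which both look intended. The AddARPNeighborsRequest rule body begins before this hunk.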
@@ -374,6 +374,9 @@ pub struct AddARPNeighborsRequestDefaults {
 /// Explicitly blocked IP address ranges.
 /// Should include loopback addresses and other CIDRs that should not be routed outside the VM.
 forbidden_cidrs_regex: Vec,
+
+ /// Allowed neighbor states. See https://www.man7.org/linux/man-pages/man8/ip-neighbour.8.html
+ allowed_states: Vec,
 }
 /// Settings specific to each kata agent endpoint, loaded from
diff --git a/src/tools/genpolicy/tests/policy/testdata/addarpneighbors/testcases.json b/src/tools/genpolicy/tests/policy/testdata/addarpneighbors/testcases.json
index cd4f9aaed3..838b6e43e3 100644
--- a/src/tools/genpolicy/tests/policy/testdata/addarpneighbors/testcases.json
+++ b/src/tools/genpolicy/tests/policy/testdata/addarpneighbors/testcases.json
@@ -21,6 +21,29 @@
 }
 }
 },
+ {
+ "allowed": true,
+ "description": "allowed state: reachable",
+ "kind": "AddARPNeighborsRequest",
+ "request": {
+ "type": "AddARPNeighbors",
+ "neighbors": {
+ "ARPNeighbors": [
+ {
+ "toIPAddress": {
+ "family": 0,
+ "address": "10.0.0.1",
+ "mask": ""
+ },
+ "device": "eth0",
+ "lladdr": "00:00:5e:00:53:01",
+ "state": 2,
+ "flags": 0
+ }
+ ]
+ }
+ }
+ },
 {
 "allowed": true,
 "description": "allowed flags: NTF_PROXY",
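Review bot: The doc comment on the new `allowed_states` field points at the ip-neighbour man page, but the settings file stores raw NUD_* numeric values (2 and 128), and the man page names states without giving those numbers, so a reader still has to go to the kernel headers to decode the list. Naming the values in the comment would close that gap: `/// Allowed neighbor states, as raw NUD_* values (2 = NUD_REACHABLE, 128 = NUD_PERMANENT); see https://www.man7.org/linux/man-pages/man8/ip-neighbour.8.html`. The element type of `Vec` appears stripped in this rendering of the patch, so I cannot confirm it matches the numeric encoding used in rules.rego. The AddARPNeighborsRequestDefaults struct begins before this hunk.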
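Review bot: The new test case only exercises the accept path for state 2; nothing in this hunk pins that a state outside allowed_states is still rejected now that the rule uses list membership instead of `== 128`. A sibling entry with `"allowed": false`, `"description": "forbidden state: stale"` and `"state": 4` (NUD_STALE), otherwise identical to this request, would make the fail-closed behavior explicit and catch a future edit that accidentally widens the list. Such a case may already exist further down in this file, which I cannot see from the hunk.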