From ab539f8a3fb78b8b8f199570ee2f8f3f02346243 Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Tue, 16 Jun 2026 12:13:05 -0400
Subject: [PATCH] Add smoke test for ipv6 (#1764)

* Add smoke test for ipv6
* fix ncat listen for ipv6
---
 .github/workflows/smoke.yml | 8 +++++
 .github/workflows/smoke/build.sh | 27 +++++++++++----
 .github/workflows/smoke/smoke.sh | 59 +++++++++++++++++++-------------
 Makefile | 3 ++
 4 files changed, 67 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
index 66913326..b3c5f2d9 100644
--- a/.github/workflows/smoke.yml
+++ b/.github/workflows/smoke.yml
@@ -36,6 +36,14 @@ jobs:
 working-directory: ./.github/workflows/smoke
 run: ./smoke.sh
 
+ - name: setup docker image ipv6
+ working-directory: ./.github/workflows/smoke
+ run: SMOKE_OVERLAY_IPV6=1 ./build.sh
+
+ - name: run smoke ipv6
+ working-directory: ./.github/workflows/smoke
+ run: SMOKE_OVERLAY_IPV6=1 ./smoke.sh
+
 - name: setup relay docker image
 working-directory: ./.github/workflows/smoke
 run: ./build-relay.sh
diff --git a/.github/workflows/smoke/build.sh b/.github/workflows/smoke/build.sh
index b23516ee..fef76098 100755
--- a/.github/workflows/smoke/build.sh
+++ b/.github/workflows/smoke/build.sh
@@ -5,6 +5,19 @@ set -e -x
 rm -rf ./build
 mkdir ./build
 
+if [ "$SMOKE_OVERLAY_IPV6" ]
+then
+ LIGHTHOUSE_NIP="fd00:4242:0:0:0:ffff:c0a8:6401"
+ HOST2_NIP="fd00:4242:0:0:0:ffff:c0a8:6402"
+ HOST3_NIP="fd00:4242:0:0:0:ffff:c0a8:6403"
+ HOST4_NIP="fd00:4242:0:0:0:ffff:c0a8:6404"
+else
+ LIGHTHOUSE_NIP="192.168.100.1"
+ HOST2_NIP="192.168.100.2"
+ HOST3_NIP="192.168.100.3"
+ HOST4_NIP="192.168.100.4"
+fi
+
 # Smoke containers run on a dedicated docker network whose subnet is allocated
 # at smoke time, not known at build time. Configs are written with TEST-NET-3
 # placeholder IPs (RFC 5737) and smoke.sh / smoke-vagrant.sh / smoke-relay.sh
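Review bot: In the build.sh hunk, the `if [ "$SMOKE_OVERLAY_IPV6" ]` address table is repeated verbatim in smoke.sh (its `@@ -47,6 +47,19 @@` hunk), so the two copies can silently drift apart; consider moving it into one small file in the smoke directory that both scripts source with `. ./<shared-file>.sh`, or having build.sh write the chosen values into build/ for smoke.sh to read. The test `[ "$SMOKE_OVERLAY_IPV6" ]` is also true for any non-empty value, so `SMOKE_OVERLAY_IPV6=0` still selects the IPv6 branch; if only `1` is meant (as the workflow and Makefile pass), `if [ "${SMOKE_OVERLAY_IPV6:-}" = "1" ]` pins that down and stays safe should the scripts ever enable `set -u`. A one-line comment above the block, `# Overlay (nebula) addresses for the four test hosts; the IPv6 variant uses a ULA range`, would also help, since "NIP" is not explained anywhere in the hunk.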
@@ -31,24 +44,24 @@ LIGHTHOUSE_IP="203.0.113.2"
 ../genconfig.sh >lighthouse1.yml
 
 HOST="host2" \
- LIGHTHOUSES="192.168.100.1 $LIGHTHOUSE_IP:4242" \
+ LIGHTHOUSES="$LIGHTHOUSE_NIP $LIGHTHOUSE_IP:4242" \
 ../genconfig.sh >host2.yml
 
 HOST="host3" \
- LIGHTHOUSES="192.168.100.1 $LIGHTHOUSE_IP:4242" \
+ LIGHTHOUSES="$LIGHTHOUSE_NIP $LIGHTHOUSE_IP:4242" \
 INBOUND='[{"port": "any", "proto": "icmp", "group": "lighthouse"}]' \
 ../genconfig.sh >host3.yml
 
 HOST="host4" \
- LIGHTHOUSES="192.168.100.1 $LIGHTHOUSE_IP:4242" \
+ LIGHTHOUSES="$LIGHTHOUSE_NIP $LIGHTHOUSE_IP:4242" \
 OUTBOUND='[{"port": "any", "proto": "icmp", "group": "lighthouse"}]' \
 ../genconfig.sh >host4.yml
 
 ../../../../nebula-cert ca -curve "${CURVE:-25519}" -name "Smoke Test"
- ../../../../nebula-cert sign -name "lighthouse1" -groups "lighthouse,lighthouse1" -ip "192.168.100.1/24"
- ../../../../nebula-cert sign -name "host2" -groups "host,host2" -ip "192.168.100.2/24"
- ../../../../nebula-cert sign -name "host3" -groups "host,host3" -ip "192.168.100.3/24"
- ../../../../nebula-cert sign -name "host4" -groups "host,host4" -ip "192.168.100.4/24"
+ ../../../../nebula-cert sign -name "lighthouse1" -groups "lighthouse,lighthouse1" -ip "$LIGHTHOUSE_NIP/24"
+ ../../../../nebula-cert sign -name "host2" -groups "host,host2" -ip "$HOST2_NIP/24"
+ ../../../../nebula-cert sign -name "host3" -groups "host,host3" -ip "$HOST3_NIP/24"
+ ../../../../nebula-cert sign -name "host4" -groups "host,host4" -ip "$HOST4_NIP/24"
 )
 
 docker build -t "nebula:${NAME:-smoke}" .
diff --git a/.github/workflows/smoke/smoke.sh b/.github/workflows/smoke/smoke.sh
index cad9dde7..f13ed380 100755
--- a/.github/workflows/smoke/smoke.sh
+++ b/.github/workflows/smoke/smoke.sh
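Review bot: The four `nebula-cert sign … -ip "$…_NIP/24"` lines append the IPv4 prefix length to both address families, so in the IPv6 run every certificate is issued for `fd00:4242:0:0:0:ffff:c0a8:640x/24`, a network covering all of fd00:4200::/24 rather than a single subnet-sized range. The test still passes because all four hosts fall inside that range, but it is presumably not the overlay size the author intended, and a cert scoped to a far larger network than needed is the kind of detail that gets copied from smoke scripts into real deployments. Defining the length beside the addresses in the earlier `if` block of this file (for example `NIP_PREFIX=24` in the IPv4 branch and a suitable IPv6 value in the other) and writing `-ip "$HOST2_NIP/$NIP_PREFIX"` makes the choice explicit for each family. These commands run inside a `( … )` subshell whose opening parenthesis is outside the hunk.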
@@ -47,6 +47,19 @@ HOST2_IP="$PREFIX.3"
 HOST3_IP="$PREFIX.4"
 HOST4_IP="$PREFIX.5"
 
+if [ "$SMOKE_OVERLAY_IPV6" ]
+then
+ LIGHTHOUSE_NIP="fd00:4242:0:0:0:ffff:c0a8:6401"
+ HOST2_NIP="fd00:4242:0:0:0:ffff:c0a8:6402"
+ HOST3_NIP="fd00:4242:0:0:0:ffff:c0a8:6403"
+ HOST4_NIP="fd00:4242:0:0:0:ffff:c0a8:6404"
+else
+ LIGHTHOUSE_NIP="192.168.100.1"
+ HOST2_NIP="192.168.100.2"
+ HOST3_NIP="192.168.100.3"
+ HOST4_NIP="192.168.100.4"
+fi
+
 # Sed the placeholder TEST-NET-3 IPs in the host configs to the real ones.
 # build/lighthouse1.yml has no IPs to rewrite so it's skipped.
 for f in build/host2.yml build/host3.yml build/host4.yml; do
@@ -80,28 +93,28 @@ docker exec host3 tcpdump -i eth0 -q -w - -U 2>logs/host3.outside.log >logs/host
 docker exec host4 tcpdump -i tun0 -q -w - -U 2>logs/host4.inside.log >logs/host4.inside.pcap &
 docker exec host4 tcpdump -i eth0 -q -w - -U 2>logs/host4.outside.log >logs/host4.outside.pcap &
 
-docker exec host2 ncat -nklv 0.0.0.0 2000 &
-docker exec host3 ncat -nklv 0.0.0.0 2000 &
-docker exec host4 ncat -e '/usr/bin/echo helloagainfromhost4' -nkluv 0.0.0.0 4000 &
-docker exec host2 ncat -e '/usr/bin/echo host2' -nkluv 0.0.0.0 3000 &
-docker exec host3 ncat -e '/usr/bin/echo host3' -nkluv 0.0.0.0 3000 &
+docker exec host2 ncat -nklv 2000 &
+docker exec host3 ncat -nklv 2000 &
+docker exec host4 ncat -e '/usr/bin/echo helloagainfromhost4' -nkluv 4000 &
+docker exec host2 ncat -e '/usr/bin/echo host2' -nkluv 3000 &
+docker exec host3 ncat -e '/usr/bin/echo host3' -nkluv 3000 &
 
 set +x
 echo
 echo " *** Testing ping from lighthouse1"
 echo
 set -x
-docker exec lighthouse1 ping -c1 192.168.100.2
-docker exec lighthouse1 ping -c1 192.168.100.3
+docker exec lighthouse1 ping -c1 $HOST2_NIP
+docker exec lighthouse1 ping -c1 $HOST3_NIP
 
 set +x
 echo
 echo " *** Testing ping from host2"
 echo
 set -x
-docker exec host2 ping -c1 192.168.100.1
+docker exec host2 ping -c1 $LIGHTHOUSE_NIP
 # Should fail because not allowed by host3 inbound firewall
-! docker exec host2 ping -c1 192.168.100.3 -w5 || exit 1
+! docker exec host2 ping -c1 $HOST3_NIP -w5 || exit 1
 
 set +x
 echo
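Review bot: The new `$HOST2_NIP`, `$HOST3_NIP` and `$LIGHTHOUSE_NIP` expansions in the ping lines are unquoted, unlike the other expansions in this script (`"$PREFIX.3"` and friends); the values are fixed literals so nothing breaks today, but `docker exec lighthouse1 ping -c1 "$HOST2_NIP"` follows the file's convention and avoids a ShellCheck SC2086 warning on every changed line. The same applies to the ping and ncat lines in the following three hunks of this file. Removing `0.0.0.0` from the five listener lines changes what ncat binds to, presumably so that it also accepts the IPv6 overlay addresses; a short comment such as `# no explicit bind address so ncat also accepts IPv6 when SMOKE_OVERLAY_IPV6 is set` would stop a later reader from reinstating the IPv4-only wildcard.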
@@ -109,34 +122,34 @@ echo " *** Testing ncat from host2"
 echo
 set -x
 # Should fail because not allowed by host3 inbound firewall
-! docker exec host2 ncat -nzv -w5 192.168.100.3 2000 || exit 1
-! docker exec host2 ncat -nzuv -w5 192.168.100.3 3000 | grep -q host3 || exit 1
+! docker exec host2 ncat -nzv -w5 $HOST3_NIP 2000 || exit 1
+! docker exec host2 ncat -nzuv -w5 $HOST3_NIP 3000 | grep -q host3 || exit 1
 
 set +x
 echo
 echo " *** Testing ping from host3"
 echo
 set -x
-docker exec host3 ping -c1 192.168.100.1
-docker exec host3 ping -c1 192.168.100.2
+docker exec host3 ping -c1 $LIGHTHOUSE_NIP
+docker exec host3 ping -c1 $HOST2_NIP
 
 set +x
 echo
 echo " *** Testing ncat from host3"
 echo
 set -x
-docker exec host3 ncat -nzv -w5 192.168.100.2 2000
-docker exec host3 ncat -nzuv -w5 192.168.100.2 3000 | grep -q host2
+docker exec host3 ncat -nzv -w5 $HOST2_NIP 2000
+docker exec host3 ncat -nzuv -w5 $HOST2_NIP 3000 | grep -q host2
 
 set +x
 echo
 echo " *** Testing ping from host4"
 echo
 set -x
-docker exec host4 ping -c1 192.168.100.1
+docker exec host4 ping -c1 $LIGHTHOUSE_NIP
 # Should fail because not allowed by host4 outbound firewall
-! docker exec host4 ping -c1 192.168.100.2 -w5 || exit 1
-! docker exec host4 ping -c1 192.168.100.3 -w5 || exit 1
+! docker exec host4 ping -c1 $HOST2_NIP -w5 || exit 1
+! docker exec host4 ping -c1 $HOST3_NIP -w5 || exit 1
 
 set +x
 echo
@@ -144,10 +157,10 @@ echo " *** Testing ncat from host4"
 echo
 set -x
 # Should fail because not allowed by host4 outbound firewall
-! docker exec host4 ncat -nzv -w5 192.168.100.2 2000 || exit 1
-! docker exec host4 ncat -nzv -w5 192.168.100.3 2000 || exit 1
-! docker exec host4 ncat -nzuv -w5 192.168.100.2 3000 | grep -q host2 || exit 1
-! docker exec host4 ncat -nzuv -w5 192.168.100.3 3000 | grep -q host3 || exit 1
+! docker exec host4 ncat -nzv -w5 $HOST2_NIP 2000 || exit 1
+! docker exec host4 ncat -nzv -w5 $HOST3_NIP 2000 || exit 1
+! docker exec host4 ncat -nzuv -w5 $HOST2_NIP 3000 | grep -q host2 || exit 1
+! docker exec host4 ncat -nzuv -w5 $HOST3_NIP 3000 | grep -q host3 || exit 1
 
 set +x
 echo
@@ -159,7 +172,7 @@ set -x
 # cannot initiate UDP to host2. Once host2 initiates a flow to host4:4000,
 # conntrack must let host4's listener reply on that flow. If it doesn't,
 # the echo back from host4 never reaches host2.
-docker exec host2 sh -c "(/usr/bin/echo host2; sleep 2) | ncat -nuv 192.168.100.4 4000" | grep -q helloagainfromhost4
+docker exec host2 sh -c "(/usr/bin/echo host2; sleep 2) | ncat -nuv $HOST4_NIP 4000" | grep -q helloagainfromhost4
 
 docker exec host4 sh -c 'kill 1'
 docker exec host3 sh -c 'kill 1'
diff --git a/Makefile b/Makefile
index 892c8eb0..24c71459 100644
--- a/Makefile
+++ b/Makefile
@@ -268,6 +268,9 @@ smoke-relay-docker: bin-docker
 cd .github/workflows/smoke/ && ./build-relay.sh
 cd .github/workflows/smoke/ && ./smoke-relay.sh
 
+smoke-docker-ipv6: export SMOKE_OVERLAY_IPV6 = 1
+smoke-docker-ipv6: smoke-docker
+
 smoke-docker-race: BUILD_ARGS = -race
 smoke-docker-race: CGO_ENABLED = 1
 smoke-docker-race: smoke-docker
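Review bot: In the Makefile hunk, `smoke-docker-ipv6` has no recipe of its own and relies on its target-specific `export SMOKE_OVERLAY_IPV6 = 1` reaching the `smoke-docker` prerequisite, mirroring the existing `smoke-docker-race` pattern; if the Makefile keeps its smoke targets in a `.PHONY` list (not visible in this hunk), `smoke-docker-ipv6` should be added there too so a stray file of that name cannot satisfy the target. Because make builds each target at most once per invocation, running `make smoke-docker smoke-docker-ipv6` together appears to execute `smoke-docker` only once, without the IPv6 export; a one-line comment above the target, `# run separately from smoke-docker: both resolve to the same prerequisite`, would save the next person that surprise.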