datapath: move policy map value prefix length to flags #35534

Merged
merged 1 commit into from
Oct 25, 2024

jrajahalme
Member

Move the prefix length field in the policy map value to the flags (same byte as 'deny') to a previously unused space. This cleans up padding space for future use.

Skip map entries with inconsistent prefix length field in value vs. key so that the entry will be rewritten with the correct prefix length field in the value. This fixes a potential issue in upgrade where a policy map entry may remain with zero valued prefix length in value leading to incorrect policy enforcement.

Fixes: #35150

@jrajahalme jrajahalme requested review from a team as code owners October 25, 2024 08:11
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 25, 2024
@jrajahalme jrajahalme added kind/bug This is a bug in the Cilium logic. release-note/misc This PR makes changes that have no direct user impact. release-blocker/1.17 This issue will prevent the release of the next version of Cilium. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 25, 2024
@jrajahalme jrajahalme force-pushed the bpf-policy-entry-cleanup branch from a56d346 to 776cb22 Compare October 25, 2024 08:41
Move the prefix length field in the policy map value to the flags (same
byte as 'deny') to a previously unused space. This cleans up padding
space for future use.

Skip map entries with inconsistent prefix length field in value vs. key
so that the entry will be rewritten with the correct prefix length field
in the value. This fixes a potential issue in upgrade where a policy map
entry may remain with zero valued prefix length in value leading to
incorrect policy enforcement.

Fixes: cilium#35150

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the bpf-policy-entry-cleanup branch from 776cb22 to 4e23b96 Compare October 25, 2024 08:43
@jrajahalme
Member Author

/test

@jrajahalme jrajahalme enabled auto-merge October 25, 2024 17:33
@jrajahalme jrajahalme added this pull request to the merge queue Oct 25, 2024
Merged via the queue into cilium:main with commit 60bc8fa Oct 25, 2024
64 checks passed
@jrajahalme jrajahalme deleted the bpf-policy-entry-cleanup branch October 25, 2024 18:35
@jrajahalme jrajahalme removed the request for review from markpash October 25, 2024 18:37
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Oct 25, 2024
@jrajahalme jrajahalme added the needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch label Oct 29, 2024
@jrajahalme jrajahalme added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 29, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Oct 30, 2024
jrajahalme added a commit to jrajahalme/cilium that referenced this pull request Nov 7, 2024
Mark policymap entries not valid explicitly when policy map entry is not
valid so that map sync will update the entry, instead just ignoring the
key, as in that case the key would remain in the map if it would have
needed to be removed instead.

Fixes: cilium#35534

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
github-merge-queue bot pushed a commit that referenced this pull request Nov 12, 2024
Mark policymap entries not valid explicitly when policy map entry is not
valid so that map sync will update the entry, instead just ignoring the
key, as in that case the key would remain in the map if it would have
needed to be removed instead.

Fixes: #35534

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
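
An added sketch (not Cilium's code and not part of this pull request) of the behaviour the PR description and the follow-up commit message describe: the prefix length shares the flags byte with 'deny', and an entry whose value disagrees with its key must still be reported, marked invalid, so that a sync can delete it when it is no longer wanted. The bit layout, the reduced `Key` type and the `Reconcile` function are assumptions made for illustration.

```go
package main

import "fmt"

// Assumed flags-byte layout (illustrative, not taken from Cilium's source):
// bit 0 is 'deny', bits 3-7 repeat the prefix length that the key encodes.
const (
	FlagDeny    uint8 = 1 << 0
	prefixShift       = 3
	prefixMask  uint8 = 0x1f << prefixShift
)

type Key struct{ Identity uint32; PrefixLen uint8 } // hypothetical, reduced policy map key

func WithPrefix(flags, n uint8) uint8 { return flags&^prefixMask | (n<<prefixShift)&prefixMask }
func PrefixLen(flags uint8) uint8     { return (flags & prefixMask) >> prefixShift }

// Reconcile compares the raw map (key -> flags byte) with the desired state and
// returns the entries to (re)write and the keys to delete. With skipInvalid the
// dump drops inconsistent entries; without it they are seen but never trusted.
func Reconcile(raw, want map[Key]uint8, skipInvalid bool) (write map[Key]uint8, remove []Key) {
	write = map[Key]uint8{}
	for k, f := range want {
		write[k] = f // start from everything desired
	}
	for k, f := range raw {
		valid := PrefixLen(f) == k.PrefixLen
		if !valid && skipInvalid {
			continue // the sync never learns that this key exists
		}
		if w, ok := want[k]; !ok {
			remove = append(remove, k) // present in the map but no longer wanted
		} else if valid && w == f {
			delete(write, k) // already correct, nothing to rewrite
		}
	}
	return write, remove
}

func main() {
	// Constructed sample: an entry left over from an upgrade, prefix length 0 in the value.
	stale := Key{Identity: 100, PrefixLen: 24}
	raw := map[Key]uint8{stale: FlagDeny}
	_, skipped := Reconcile(raw, nil, true)
	_, marked := Reconcile(raw, nil, false)
	fmt.Println("removed when skipped:", skipped, "removed when marked invalid:", marked)
}
```

In both modes a wanted but inconsistent entry is rewritten; only the marked-invalid mode also deletes an inconsistent entry that is no longer wanted.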