policy/api: fix CIDRRule expansion of 0.0.0.0/0 to reserved:world #39693

Merged
merged 1 commit into from
May 26, 2025

Contributor

@squeed squeed commented May 23, 2025

When converting a CIDR match to labels, we expand the zero-prefix (0.0.0.0/0) match to both the cidr and the reserved:world label. (This is because the world identities don't have CIDR labels.) However, a refactor broke this for CIDRRule entries, which should otherwise work the same.

Fixes: 481ed87
Fixes: #39656

Fixes a bug where a CIDRRule of 0.0.0.0/0 would not select all external traffic.
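
A simplified model of the expansion described in this PR, added here as an example (not code from the PR or from Cilium): `Identity`, `cidrToLabels`, `selects` and the `expandZero` switch are hypothetical, and the sample identities are constructed. It shows why a selector built only from the `cidr:0.0.0.0/0` label misses an identity that carries only `reserved:world`.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Identity is a simplified label set (illustrative model, not Cilium's types).
type Identity map[string]bool

// cidrToLabels returns the labels a selector for this CIDR should match.
// With expandZero set, a zero-length prefix also yields reserved:world,
// because the world identity carries no cidr: label of its own.
// Hypothetical helper; the label string formatting is simplified.
func cidrToLabels(cidr string, expandZero bool) ([]string, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, fmt.Errorf("invalid CIDR %q: %w", cidr, err)
	}
	labels := []string{"cidr:" + p.Masked().String()}
	if expandZero && p.Bits() == 0 {
		labels = append(labels, "reserved:world")
	}
	return labels, nil
}

// selects reports whether the identity carries any of the selector labels.
func selects(labels []string, id Identity) bool {
	for _, l := range labels {
		if id[l] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed identities: world has only the reserved label; the
	// external one is assumed to carry cidr: labels.
	world := Identity{"reserved:world": true}
	external := Identity{"cidr:0.0.0.0/0": true, "cidr:192.0.2.0/24": true}
	for _, expand := range []bool{false, true} {
		labels, _ := cidrToLabels("0.0.0.0/0", expand)
		fmt.Printf("expand=%v labels=%v world=%v external=%v\n",
			expand, labels, selects(labels, world), selects(labels, external))
	}
}
```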

@squeed squeed requested a review from a team as a code owner May 23, 2025 16:10
@squeed squeed requested a review from aanm May 23, 2025 16:10
@squeed squeed added kind/bug This is a bug in the Cilium logic. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels May 23, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 23, 2025
@squeed squeed added the release-note/bug This PR fixes an issue in a previous release of Cilium. label May 23, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 23, 2025
Member

@christarazi christarazi left a comment

Thanks for the fix, LGTM!

Contributor Author

squeed commented May 23, 2025

/test

When converting a CIDR match to labels, we expand the zero-prefix
(0.0.0.0/0) match to both the cidr and the `reserved:world` label. (This
is because the world identities don't have CIDR labels.) However, a
refactor broke this for CIDRRule entries, which should otherwise work
the same.

Fixes: 481ed87
Fixes: cilium#39656

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed squeed force-pushed the cidr-zero-prefix-select-nodes branch from d950e1a to 42c1dab Compare May 26, 2025 11:54
Contributor Author

squeed commented May 26, 2025

/test

@squeed squeed enabled auto-merge May 26, 2025 11:55
@squeed squeed added this pull request to the merge queue May 26, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 26, 2025
Merged via the queue into cilium:main with commit 9f73dd2 May 26, 2025
67 checks passed
@squeed squeed deleted the cidr-zero-prefix-select-nodes branch May 26, 2025 17:59
@julianwiedmann julianwiedmann added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels May 28, 2025
@github-actions github-actions bot added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels May 28, 2025
Labels
backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. kind/bug This is a bug in the Cilium logic. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Development

Successfully merging this pull request may close these issues.

policy-cidr-match-mode: nodes broken with cilium 1.17.x and cidr 0.0.0.0/0
4 participants