network_filter: make dual filter

Signed-off-by: Jarno Rajahalme <[email protected]>

Author: jrajahalme

WORKSPACE

@@ -37,13 +37,14 @@ git_repository(
     patch_args = ["apply"],
     patch_tool = "git",
     patches = [
-        "@//patches:0001-network-Add-callback-for-upstream-authorization.patch",
-        "@//patches:0002-listener-add-socket-options.patch",
-        "@//patches:0003-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch",
-        "@//patches:0004-tcp_proxy-Check-for-nullptr-in-watermark-ASSERTs.patch",
-        "@//patches:0005-thread_local-reset-slot-in-worker-threads-first.patch",
-        "@//patches:0006-http-header-expose-attribute.patch",
-        "@//patches:0007-liburing-arm-build.patch",
+        "@//patches:0001-listener-add-socket-options.patch",
+        "@//patches:0002-original_dst_cluster-Avoid-multiple-hosts-for-the-sa.patch",
+        "@//patches:0003-tcp_proxy-Check-for-nullptr-in-watermark-ASSERTs.patch",
+        "@//patches:0004-thread_local-reset-slot-in-worker-threads-first.patch",
+        "@//patches:0005-Expose-HTTP-Header-matcher-attribute.patch",
+        "@//patches:0006-build-Fix-arm-build-for-liburing.patch",
+        "@//patches:0007-network-Add-filter-callback-onDestinationSelected.patch",
+        "@//patches:0008-network-Compat-for-missing-upstream-filter.patch",
     ],
     # // clang-format off: Envoy's format check: Only repository_locations.bzl may contains URL references
     remote = "https://github.com/envoyproxy/envoy.git",

cilium/filter_state_cilium_policy.cc

@@ -20,64 +20,75 @@ const std::string& CiliumPolicyFilterState::key() {
   CONSTRUCT_ON_FIRST_USE(std::string, "cilium.policy");
 }
 
-bool CiliumPolicyFilterState::enforceNetworkPolicy(const Network::Connection& conn,
-                                                   uint32_t destination_identity,
-                                                   uint16_t destination_port,
-                                                   const absl::string_view sni,
-                                                   /* OUT */ bool& use_proxy_lib,
-                                                   /* OUT */ std::string& l7_proto,
-                                                   /* INOUT */ AccessLog::Entry& log_entry) const {
+bool CiliumPolicyFilterState::enforcePodNetworkPolicy(const Network::Connection& conn,
+                                                      uint32_t destination_identity,
+                                                      uint16_t destination_port,
+                                                      const absl::string_view sni,
+                                                      /* OUT */ bool& use_proxy_lib,
+                                                      /* OUT */ std::string& l7_proto) const {
+  auto remote_id = ingress_ ? source_identity_ : destination_identity;
+  const auto& policy = policy_resolver_->getPolicy(pod_ip_);
+  auto port = ingress_ ? port_ : destination_port;
+  auto port_policy = policy.findPortPolicy(ingress_, port);
+
   use_proxy_lib = false;
   l7_proto = "";
 
-  // enforce pod policy first, if any
-  if (pod_ip_.length() > 0) {
-    const auto& policy = policy_resolver_->getPolicy(pod_ip_);
-    auto remote_id = ingress_ ? source_identity_ : destination_identity;
-    auto port = ingress_ ? port_ : destination_port;
-
-    auto port_policy = policy.findPortPolicy(ingress_, port);
-
-    if (!port_policy.allowed(proxy_id_, remote_id, sni)) {
-      ENVOY_CONN_LOG(debug, "Pod policy DENY on proxy_id: {} id: {} port: {} sni: \"{}\"", conn,
-                     proxy_id_, remote_id, port, sni);
-      return false;
-    }
-
-    // populate l7proto_ if available
-    use_proxy_lib = port_policy.useProxylib(proxy_id_, remote_id, l7_proto);
+  if (!port_policy.allowed(proxy_id_, remote_id, sni)) {
+    ENVOY_CONN_LOG(debug,
+                   "cilium.network: Pod {} network {} policy DENY on proxy_id: {} id: {} port: {} "
+                   "sni: \"{}\"",
+                   conn, pod_ip_, ingress_ ? "ingress" : "egress", proxy_id_, remote_id,
+                   destination_port, sni);
+    return false;
   }
 
-  // enforce Ingress policy 2nd, if any
-  if (ingress_policy_name_.length() > 0) {
-    log_entry.entry_.set_policy_name(ingress_policy_name_);
-    const auto& policy = policy_resolver_->getPolicy(ingress_policy_name_);
+  // populate l7proto_ if available
+  use_proxy_lib = port_policy.useProxylib(proxy_id_, remote_id, l7_proto);
 
-    // Enforce ingress policy for Ingress, on the original destination port
-    if (ingress_source_identity_ != 0) {
-      auto ingress_port_policy = policy.findPortPolicy(true, port_);
-      if (!ingress_port_policy.allowed(proxy_id_, ingress_source_identity_, sni)) {
-        ENVOY_CONN_LOG(debug,
-                       "Ingress network policy {} DROP for source identity and destination "
-                       "reserved ingress identity: {} proxy_id: {} port: {} sni: \"{}\"",
-                       conn, ingress_policy_name_, ingress_source_identity_, proxy_id_, port_, sni);
-        return false;
-      }
-    }
+  ENVOY_CONN_LOG(debug,
+                 "cilium.network: Pod {} network {} policy ALLOW on proxy_id: {} id: {} port: {} "
+                 "sni: \"{}\"",
+                 conn, pod_ip_, ingress_ ? "ingress" : "egress", proxy_id_, remote_id,
+                 destination_port, sni);
+  return true;
+}
 
-    // Enforce egress policy for Ingress
-    auto egress_port_policy = policy.findPortPolicy(false, destination_port);
-    if (!egress_port_policy.allowed(proxy_id_, destination_identity, sni)) {
-      ENVOY_CONN_LOG(debug,
-                     "Egress network policy {} DROP for reserved ingress identity and destination "
-                     "identity: {} proxy_id: {} port: {} sni: \"{}\"",
-                     conn, ingress_policy_name_, destination_identity, proxy_id_, destination_port,
-                     sni);
+bool CiliumPolicyFilterState::enforceIngressNetworkPolicy(const Network::Connection& conn,
+                                                          uint32_t destination_identity,
+                                                          uint16_t destination_port,
+                                                          const absl::string_view sni) const {
+  const auto& policy = policy_resolver_->getPolicy(ingress_policy_name_);
+
+  // Enforce ingress policy for Ingress, on the original destination port
+  if (ingress_source_identity_ != 0) {
+    auto ingress_port_policy = policy.findPortPolicy(true, port_);
+    if (!ingress_port_policy.allowed(proxy_id_, ingress_source_identity_, sni)) {
+      ENVOY_CONN_LOG(
+          debug,
+          "cilium.network: Ingress {} network ingress policy DENY on proxy_id: {} id: {} "
+          "port: {} sni: \"{}\"",
+          conn, ingress_policy_name_, proxy_id_, ingress_source_identity_, port_, sni);
       return false;
     }
   }
 
-  // Connection allowed by policy
+  // Enforce egress policy for Ingress
+  auto egress_port_policy = policy.findPortPolicy(false, destination_port);
+  if (!egress_port_policy.allowed(proxy_id_, destination_identity, sni)) {
+    ENVOY_CONN_LOG(debug,
+                   "cilium.network: Ingress {} network egress policy DENY on proxy_id: {} "
+                   "id: {} port: {} sni: \"{}\"",
+                   conn, ingress_policy_name_, proxy_id_, destination_identity, destination_port,
+                   sni);
+    return false;
+  }
+
+  ENVOY_CONN_LOG(debug,
+                 "cilium.network: Ingress {} network policy ALLOW on proxy_id: {} id: {} port: {} "
+                 "sni: \"{}\"",
+                 conn, ingress_policy_name_, proxy_id_, destination_identity, destination_port,
+                 sni);
   return true;
 }
 

cilium/filter_state_cilium_policy.h

@@ -80,11 +80,13 @@ class CiliumPolicyFilterState : public StreamInfo::FilterState::Object,
 
   const PolicyInstance& getPolicy() const { return policy_resolver_->getPolicy(pod_ip_); }
 
-  bool enforceNetworkPolicy(const Network::Connection& conn, uint32_t destination_identity,
-                            uint16_t destination_port, const absl::string_view sni,
-                            /* OUT */ bool& use_proxy_lib,
-                            /* OUT */ std::string& l7_proto,
-                            /* INOUT */ AccessLog::Entry& log_entry) const;
+  bool enforcePodNetworkPolicy(const Network::Connection& conn, uint32_t destination_identity,
+                               uint16_t destination_port, const absl::string_view sni,
+                               /* OUT */ bool& use_proxy_lib,
+                               /* OUT */ std::string& l7_proto) const;
+
+  bool enforceIngressNetworkPolicy(const Network::Connection& conn, uint32_t destination_identity,
+                                   uint16_t destination_port, const absl::string_view sni) const;
 
   bool enforcePodHTTPPolicy(const Network::Connection& conn, uint32_t destination_identity,
                             uint16_t destination_port,