L4 policies stay in bpf map after policy change #2270

@joestringer

Description

General Information

  • Cilium 0.13.90 a1b0d89ec858 Tue, 5 Dec 2017 18:05:34 -0800 go version go1.9.2 linux/amd64
  • Linux cilium-master 4.9.17-040917-generic #201703220831 SMP Wed Mar 22 12:33:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  • No orchestration layer (Just running the regular development VM with docker commands)
  • Policies:
$ cat l3l4.json
[{
    "endpointSelector": {"matchLabels":{"id":"app1"}},
    "ingress": [{
        "fromEndpoints": [
            {"matchLabels":{"id":"app2"}}
        ],
        "toPorts": [{
            "ports": [{"port": "80", "protocol": "TCP"}]
        }]
    }]
}]
$ cat l3.json
[{
    "endpointSelector": {"matchLabels":{"id":"app1"}},
    "ingress": [{
        "fromEndpoints": [
            {"matchLabels":{"id":"app2"}}
        ]
    }]
}]

How to reproduce the issue

  1. docker run -d --name "app1" --net cilium-net -l "id=app1" cilium/demo-httpd
  2. cilium policy import l3l4.json
  3. docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl 'http://app1/public'
  4. cilium policy delete --all
  5. cilium policy import l3.json
  6. docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl 'http://app1/public'
  7. cilium bpf policy get <choose app1 epid>
$ cilium bpf policy get 173
Was impossible to retrieve label ID 260: [GET /identity/{id}][404] getIdentityIdNotFound
Was impossible to retrieve label ID 258: [GET /identity/{id}][404] getIdentityIdNotFound
LABELS (source:key[=value])   PORT   ACTION    BYTES   PACKETS
260                           any    allowed   0       0
258                           80     allowed   0       0

The IDs are different, but we can see that the old policy entry which filtered on specific L4 ports is still available, even though we deleted the cilium policy.

Final policy:

$ cilium policy get
[
  {
    "endpointSelector": {
      "matchLabels": {
        "any:id": "app1"
      }
    },
    "ingress": [
      {
        "fromEndpoints": [
          {
            "matchLabels": {
              "any:id": "app2"
            }
          }
        ]
      }
    ]
  }
]
Revision: 17
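A check that follows naturally from step 7 of the reproduction, added here as an example and not Cilium's own code: parse the `cilium bpf policy get` table and compare each entry's port against the ports the currently loaded policy intends, so a leftover L4 entry such as `258 / 80` after importing l3.json is reported. It assumes the table layout shown in this report, with port `any` printed for L3-only entries.

```python
"""Audit `cilium bpf policy get` output against the intended Cilium policy."""
import json
import re

# Constructed sample: the `cilium bpf policy get 173` table from the report.
# The "Was impossible to retrieve" warning lines are skipped by the parser.
BPF_POLICY_OUTPUT = """\
Was impossible to retrieve label ID 260: [GET /identity/{id}][404] getIdentityIdNotFound
Was impossible to retrieve label ID 258: [GET /identity/{id}][404] getIdentityIdNotFound
LABELS (source:key[=value])   PORT   ACTION    BYTES   PACKETS
260                           any    allowed   0       0
258                           80     allowed   0       0
"""

# The l3.json policy from the report: L3-only ingress rule, no toPorts.
L3_POLICY = json.loads('[{"endpointSelector": {"matchLabels": {"id": "app1"}},'
                       ' "ingress": [{"fromEndpoints": [{"matchLabels": {"id": "app2"}}]}]}]')

# One table row: <label id> <port> <allowed|denied> <bytes> <packets>
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(allowed|denied)\s+(\d+)\s+(\d+)\s*$")


def parse_bpf_policy(text):
    """Return [(label_id, port, action), ...]; header and warning lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def expected_ports(policy):
    """Ports the policy intends. An ingress rule without toPorts is L3-only,
    which the datapath table prints as port 'any' (assumption, from the report)."""
    ports = set()
    for rule in policy:
        for ingress in rule.get("ingress", []):
            to_ports = ingress.get("toPorts", [])
            if not to_ports:
                ports.add("any")
            for tp in to_ports:
                for p in tp.get("ports", []):
                    ports.add(str(p["port"]))
    return ports


def stale_entries(bpf_output, policy):
    """Map rows whose port the currently loaded policy does not intend."""
    wanted = expected_ports(policy)
    return [row for row in parse_bpf_policy(bpf_output) if row[1] not in wanted]


if __name__ == "__main__":
    for label_id, port, action in stale_entries(BPF_POLICY_OUTPUT, L3_POLICY):
        print(f"stale entry: identity {label_id} port {port} {action}")
```

Run against the report's output with l3.json loaded, it reports the `258 / 80` row; with l3l4.json loaded it would instead report the `260 / any` row.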

Labels

  • area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
  • kind/bug: This is a bug in the Cilium logic.
  • priority/high: This is considered vital to an upcoming release.