Since commit 1481216, L3-dependent L4 policies (i.e., policies requiring both a label and a port/protocol) are implemented in the bpf policymap. However, L4-only policies are still implemented as BPF code as per the below.
```go
func (e *Endpoint) writeL4Policy(fw *bufio.Writer, owner Owner) error {
	// Nothing to emit if the endpoint has no consumable or no L4 policy attached.
	if e.Consumable == nil {
		return nil
	}
	e.Consumable.Mutex.RLock()
	defer e.Consumable.Mutex.RUnlock()
	if e.Consumable.L4Policy == nil {
		return nil
	}

	l4policy := e.Consumable.L4Policy

	// The L4 policy is compiled into the endpoint's BPF program via a header define
	// plus one generated map per direction.
	fmt.Fprintf(fw, "#define HAVE_L4_POLICY\n")

	if err := e.writeL4Map(fw, owner, l4policy.Ingress, "CFG_L4_INGRESS"); err != nil {
		return err
	}

	return e.writeL4Map(fw, owner, l4policy.Egress, "CFG_L4_EGRESS")
}
```
For consistency, should we attempt to unify these by shifting L4-only policies into the same map?
Subquestion: Do L3+L4 policies generate CFG_L4_INGRESS entries in the BPF here as well as the policymap entries, or just policymap entries?
(Source: cilium/pkg/endpoint/bpf.go, lines 95 to 114 at 6b7aa76)
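To make the "same map" proposal concrete, here is an added illustration that is not Cilium code and does not describe Cilium's actual map layout: a single policy map keyed by (security identity, destination port, protocol), where a constructed wildcard identity value lets L4-only rules live alongside L3+L4 and L3-only rules and be resolved by one lookup path instead of a separate code-generated check. The key layout, the wildcard value `AnyIdentity`, and the lookup order are assumptions made for this example.

```go
package main

import "fmt"

// Hypothetical unified policy map (illustration only, not Cilium's datapath):
// one key type covers L3-only, L4-only and L3+L4 rules.

// AnyIdentity is a constructed wildcard value meaning "any source identity".
// Assumption for this example: real identities are never 0.
const AnyIdentity uint32 = 0

// PolicyKey is the single key type shared by all three rule shapes.
type PolicyKey struct {
	Identity uint32 // source security identity, or AnyIdentity
	DPort    uint16 // destination port, 0 = any port
	Proto    uint8  // IP protocol number, 0 = any protocol
}

// PolicyMap is an allow-list: presence of a key means "allowed".
type PolicyMap map[PolicyKey]struct{}

// AllowL3L4 installs a label+port/protocol rule (what the issue says the
// policymap already holds).
func (m PolicyMap) AllowL3L4(identity uint32, dport uint16, proto uint8) {
	m[PolicyKey{identity, dport, proto}] = struct{}{}
}

// AllowL4Only installs a port/protocol rule with the identity wildcarded,
// i.e. the rule the issue proposes moving out of generated BPF code.
func (m PolicyMap) AllowL4Only(dport uint16, proto uint8) {
	m[PolicyKey{AnyIdentity, dport, proto}] = struct{}{}
}

// AllowL3Only installs a label-only rule covering every port and protocol.
func (m PolicyMap) AllowL3Only(identity uint32) {
	m[PolicyKey{identity, 0, 0}] = struct{}{}
}

// Allowed performs the lookups a datapath would need, most specific first:
// exact L3+L4, then the L4-only wildcard, then the L3-only wildcard.
// Returns true on the first hit, false if no rule matches.
func (m PolicyMap) Allowed(identity uint32, dport uint16, proto uint8) bool {
	candidates := []PolicyKey{
		{identity, dport, proto},    // L3+L4 rule
		{AnyIdentity, dport, proto}, // L4-only rule
		{identity, 0, 0},            // L3-only rule
	}
	for _, k := range candidates {
		if _, ok := m[k]; ok {
			return true
		}
	}
	return false
}

func main() {
	m := PolicyMap{}
	m.AllowL3L4(100, 80, 6) // identity 100 may reach TCP/80
	m.AllowL4Only(443, 6)   // anyone may reach TCP/443
	m.AllowL3Only(300)      // identity 300 may reach anything

	fmt.Println(m.Allowed(100, 80, 6))  // true: exact L3+L4 match
	fmt.Println(m.Allowed(200, 80, 6))  // false: wrong identity, no L4-only rule
	fmt.Println(m.Allowed(200, 443, 6)) // true: L4-only wildcard
	fmt.Println(m.Allowed(200, 443, 17)) // false: UDP not covered
	fmt.Println(m.Allowed(300, 22, 6))  // true: L3-only wildcard
}
```

The point of the three-candidate lookup is that the datapath needs no separate `HAVE_L4_POLICY` code path: whether a rule is L4-only or L3+L4 is encoded in the key, so adding or removing L4-only rules becomes a map update rather than a BPF recompile.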