L4 policy does not allow any traffic

[aanm]

Might be related with #2571

$ docker run --net cilium --label app=b -d busybox nc -l -p 80
$ cilium endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                   IPv6                 IPv4           STATUS   
           ENFORCEMENT        ENFORCEMENT                                                                                                    
16996      Enabled            Disabled          27239      container:app=b                               f00d::a00:0:0:4264   10.0.118.183   ready
$ cilium policy import ./l4-policy.json
$ docker run --net cilium --label app=a -ti busybox sh
/ # wget 10.0.118.183:80
Connecting to 10.0.118.183:80 (10.0.118.183:80)

on a different terminal

$ cilium monitor | grep '10.0.118.183:80'
<- endpoint 27280 flow 0xcf4aba39 identity 47997->0 state new ifindex 0: 10.0.111.25:34020 -> 10.0.118.183:80 tcp SYN
xx drop (Policy denied (L3)) flow 0xcf4aba39 to endpoint 16996, identity 47997->27239: 10.0.111.25:34020 -> 10.0.118.183:80 tcp SYN

l4-policy.json

[
    {
        "endpointSelector": {
            "matchLabels": {
                "any:app": "b"
            }
        },
        "ingress": [
            {
                "toPorts": [
                    {
                        "ports": [
                            {
                                "port": "80",
                                "protocol": "TCP"
                            }
                        ]
                    }
                ]
            }
        ],
        "labels": [
            {
                "key": "io.cilium.k8s-policy-name",
                "value": "l4-rule",
                "source": "unspec"
            }
        ]
    }
]

[joestringer]

Can we get a dump of things like cilium bpf policy get <epid>?

[aanm]

@joestringer ah, forgot. Yeah it's empty

$ sudo cilium bpf policy get 16996 
LABELS (source:key[=value])   PORT/PROTO   ACTION   BYTES   PACKETS   
$ sudo cilium bpf policy get 16996  -n
IDENTITY   PORT/PROTO   ACTION    BYTES   PACKETS   
1          ANY          allowed   0       0

@joestringer btw, the fact that the output is empty without the -n is a known issue, right?

[joestringer]

@aanm it is now: #2908

In the map, I would have expected there to be an entry for every known identity + port 80.

[aanm]

something like?

$ sudo cilium bpf policy get 16996  -n
IDENTITY   PORT/PROTO   ACTION    BYTES   PACKETS   
1          ANY          allowed   0       0
ANY        80          allowed   0       0

[joestringer]

More like:

$ sudo cilium bpf policy get 16996  -n
IDENTITY   PORT/PROTO   ACTION    BYTES   PACKETS   
1          ANY          allowed   0       0
256        80          allowed   0       0
257        80          allowed   0       0
258        80          allowed   0       0
259        80          allowed   0       0
...

[joestringer]

The ingress rule doesn't have the following wildcard selector for labels:

        "fromEndpoints": [                                                      
            {"matchLabels":{}}                                                  
        ],

[joestringer]

The test here:

cilium/test/runtime/Policies.go

Line 599 in 0c269fc

connectivityTest(allRequests, app, helpers.Httpd1, BeFalse)

is using this policy here:

cilium/test/runtime/manifests/Policies-l4-policy.json

Lines 2 to 12 in 0c269fc

	"endpointSelector": {
	"matchLabels":{"id.httpd1":""}
	},
	"ingress": [{
	"toPorts": [{
	"ports": [
	{"port": "80", "protocol": "tcp"}
	]
	}]
	}]
	},

and it's expecting the traffic to port 80 to fail, despite allowing that port in the policy. I believe that it's expecting users to specify a wildcard fromEndpoints selector.

EDIT: After some offline discussion, it seems that this test should actually validate that access to http1 passes, not fails.