Merged
Conversation
Because we use IS_BPF_HOST with the is_defined macro in tail call invokations, we not only need that macro to be defined, but also to have value 1. See the is_defined definition [1] for details. 1 - https://github.com/cilium/cilium/blob/641c0f9b3072a014c9541ecaa4e00a2b24c98d97/bpf/lib/config.h#L8-L14 Fixes: bf635d8 ("bpf: Fix program size issue with hostfw + ipv4-only") Signed-off-by: Paul Chaignon <paul@cilium.io>
This test is meant to catch complexity regressions such as fixed in the previous commit. It runs only on GKE for now and will be extended in follow up PRs. Signed-off-by: Paul Chaignon <paul@cilium.io>
9091378 to
db97913
Compare
Member
Author
|
All required builds are passing and I think we can ignore the BPF checkpatch warning. |
christarazi
approved these changes
Dec 3, 2020
kkourt
approved these changes
Dec 4, 2020
pchaigno
added a commit
that referenced
this pull request
Feb 1, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
added a commit
that referenced
this pull request
Feb 4, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
added a commit
that referenced
this pull request
Feb 8, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
borkmann
pushed a commit
that referenced
this pull request
Feb 9, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
lyveng
pushed a commit
to lyveng/cilium
that referenced
this pull request
Mar 4, 2021
We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - cilium#12621 2 - cilium#14255 Signed-off-by: Paul Chaignon <paul@cilium.io>
vadorovsky
pushed a commit
to vadorovsky/cilium
that referenced
this pull request
May 19, 2021
[ upstream commit 6f59f4f ] We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - cilium#12621 2 - cilium#14255 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
twpayne
pushed a commit
that referenced
this pull request
May 21, 2021
[ upstream commit 6f59f4f ] We currently have a couple of host firewall tests, but they don't cover all possible packet paths. [1] added two tests for the path node <-> world (one with fromCIDR+toPorts and one combined with NodePort handling). Other firewall tests [2] are only validating correct loading without enforcing policies. This commit fills this gap by adding VXLAN and direct routing tests for the host firewall, with L3+L4 policies enforced on the paths node <-> local pod, node <-> remote pod, and node <-> remote node. The test design draws inspiration from early host firewall bugs and regressions: - Test ingress and egress at the same time with restrictions on allowed ports. This is meant to ensure we detect a regression where only one direction bypasses policy enforcement. If such a case arises, we will fail because the source port won't be allowed and the connection will be dropped. - Allow connections to/from world and pods not used in tests. This is meant to reduce the risk of bricking the nodes. Node to node communications are still strongly restricted, but the ports defined there have been stable for a while. - Test connections to local and remote pods separately. They follow very different paths through our datapath. 1 - #12621 2 - #14255 Signed-off-by: Paul Chaignon <paul@cilium.io> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
First commit fixes a bug in #14232 (introduced during the last rebase). Second commit adds a test to ensure we don't regress again.
Fixes: #14232