policy: return ICMP "Destination unreachable" on ipv4 ingress policy denials

[41ks]

Description

This is mostly a copy of PR #42068 following the changes introduced in PR #43226. See #41859 for the full list of TODOs.

This PR adds the ICMP response functionality to ingress policy denials.
The functionality works for local and remote endpoints with/without tunneling and with/without eBPF Host Routing.

Testing

• Created a new unit test
• Performed integration tests: backported the PR to Cilium 1.18.6, then created a pod with an ingress policy denying all traffic. Then tried to reach this pod from multiple different places and confirmed ping was returning "Packet filtered":

# ping 10.130.112.4
 PING 10.130.112.4 (10.130.112.4) 56(84) bytes of data.
 From 10.130.112.4 icmp_seq=1 Packet filtered
 From 10.130.112.4 icmp_seq=2 Packet filtered
 [...]

• Local pod from same node [legacy routing]
• Pod from a different node in the same cluster [legacy routing]
• Pod in a different cluster [legacy routing]
• Local pod from same node [eBPF host routing]
• Pod from a different node in the same cluster [eBPF host routing]
• Pod in a different cluster [eBPF host routing]

policy: add option to return ICMP "Destination unreachable" on ipv4 ingress policy denials

[julianwiedmann]

👋 please rebase on-top of #44186

[ldelossa]

@41ks it appears the initial container build on CI failed. This doesn't seem to be an issue with this PR. however, the simplest thing to re-kick all the failed tests if so perform an amend and a force push.

[qmonnet]

I'm only reviewing for the doc update - the change looks good, thanks!

[julianwiedmann]

Thank you for tackling this! I see that the change currently only has your sign-off - please check with @antonipp how you can accurately attribute his contributions.

I left some initial comments inline. Once we have more test coverage, it's easier to evaluate the proposed change.

[julianwiedmann]

Instead of an if-else construct, you could just fall through here.

[41ks]

Let me know if the new implementation looks better

[41ks]

Hey @julianwiedmann I applied your suggestions in the second commit. I also revamped the test suite to make it more complete. Let me know what you think and if I have correctly applied your suggestions.

[pchaigno]

/test

[julianwiedmann]

As you can imagine, this is the really tricky part. I don't think it's robust to assume that we have one specific scenario (!defined(ENABLE_HOST_ROUTING) && !defined(ENABLE_ROUTING)) that we should special-case - we always need to be ready to handle a CTX_ACT_OK.

And it's gets more interesting - the pod ingress path can be entered in two ways:

1. as to-container on the pod's TC hook (I believe this is what your tests currently exercise). Any returned CTX_ACT_OK would then result in the ICMP packet accidentally slipping into the original destination pod.
2. in cil_lxc_policy(), when another BPF program calls tail_call_policy() to push a packet straight to the destination. Not handling the CTX_ACT_OK would mean that the ICMP packet then continues in the initial program's context. We need to be careful here, I think we might need to bring some of the epilogue logic in cil_lxc_policy() over into our new tailcall program.

In the end CTX_ACT_OK should always mean "send to host stack". Maybe we just need to be explicit about that, and redirect the packet to the cilium_host veth pair ... ?

We should also think about tests for (2.). There's prior art for how to correctly enter this path, if you look for local_delivery_fill_meta() in bpf/tests.

[joestringer]

I've marked this PR as draft. When you have addressed the comments and workflow test results, bring the PR back to the attention of reviewers by scrolling to the bottom of the page and clicking the "Ready for Review" button. Thanks!

[github-actions]

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.