pkg/policy: Support more tunnel protocols as extended protocols #44459

Merged: julianwiedmann merged 1 commit into cilium:main from simplysoft-net:feature/extended-tunnel-protocols on Mar 16, 2026

@simplysoft
Contributor

Add support for other extended protocols: IPIP, IPV6, GRE, ESP and AH.

Host firewall currently breaks IPsec for us as well as the tunnels we are using. The only workaround is to disable host-firewall altogether. This PR is based on #39872, extending the list of protocols.

This also fixes #44386

@simplysoft simplysoft requested review from a team as code owners February 20, 2026 19:38
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 20, 2026
@github-actions github-actions bot added sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/community-contribution This was a contribution made by a community member. labels Feb 20, 2026
@aanm aanm requested review from a team and ldelossa and removed request for a team February 23, 2026 09:21
@aanm aanm added the area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. label Feb 23, 2026
@aanm
Member

aanm commented Feb 23, 2026

/test

@aanm aanm added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Feb 23, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 23, 2026
Member

@qmonnet qmonnet left a comment

I just looked at the doc changes, this looks OK, thank you!

@fristonio fristonio changed the title pke/policy: Support more tunnel protocols as extended protocols pkg/policy: Support more tunnel protocols as extended protocols Feb 24, 2026
@fristonio
Member

@simplysoft Seems like there are some go lint failures. Can you take a look?

@simplysoft simplysoft force-pushed the feature/extended-tunnel-protocols branch from a6daccf to c11e80e Compare February 24, 2026 21:23
@simplysoft simplysoft requested a review from a team as a code owner February 24, 2026 21:23
@simplysoft simplysoft requested a review from nebril February 24, 2026 21:23
@pchaigno pchaigno enabled auto-merge February 28, 2026 06:22
@pchaigno
Member

/test

@derailed
Contributor

@simplysoft Looks like some tests are failing. Can you take a peek?
Thank you!

Add support to other extended protocols IPIP, IPV6, GRE, ESP and AH.

Based on cilium#39872

Signed-off-by: simplysoft <1588210+simplysoft@users.noreply.github.com>
auto-merge was automatically disabled March 11, 2026 19:57

Head branch was pushed to by a user without write access

@simplysoft simplysoft force-pushed the feature/extended-tunnel-protocols branch from c11e80e to f9cc4cb Compare March 11, 2026 19:57
@simplysoft
Contributor Author

I've rebased in the hope that tests might pass; at first look I couldn't really find out if those errors are related to this change or just flaky CI.

@julianwiedmann
Member

/test

@julianwiedmann julianwiedmann added this pull request to the merge queue Mar 16, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 16, 2026
Merged via the queue into cilium:main with commit 6e17f7c Mar 16, 2026
77 of 79 checks passed

Development

Successfully merging this pull request may close these issues.

Host firewall drops IPIP (protocol 4) traffic with no way to allow it via policy