
fix(policy): Fix CIDR exception validation in CIDR policy #44637

Merged
squeed merged 1 commit into cilium:main from tsotne95:pr/fix-44614 on Mar 5, 2026

Contributor

@tsotne95 tsotne95 commented Mar 5, 2026

Added consideration of the prefix length during validation.
Added unit test cases.

Fixes: #44614

Fixes a bug where toCIDRSet / fromCIDRSet policies permitted CIDR exceptions larger than the given CIDR set.

Added consideration of the prefix length during validation.
Added unit test cases.

Fixes: cilium#44614

Signed-off-by: Tsotne Chakhvadze <tsotne@google.com>
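
The bug class described in this PR, as an added Go example (not Cilium's code and not part of the PR): a check that only tests whether the exception's network address falls inside the CIDR accepts an exception wider than the CIDR, while also comparing prefix lengths rejects it. The function names and sample CIDRs are constructed for illustration, and the address-only check is an assumed model of a validation that ignores prefix length.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parsePair parses a CIDR and one exception (hypothetical helper).
func parsePair(cidr, except string) (c, e netip.Prefix, err error) {
	if c, err = netip.ParsePrefix(cidr); err != nil {
		return c, e, fmt.Errorf("cidr %q: %w", cidr, err)
	}
	if e, err = netip.ParsePrefix(except); err != nil {
		return c, e, fmt.Errorf("except %q: %w", except, err)
	}
	return c.Masked(), e.Masked(), nil
}

// addrOnlyCheck looks only at the exception's network address. This is an
// assumed model of a check that ignores prefix length, not Cilium's code.
func addrOnlyCheck(cidr, except string) error {
	c, e, err := parsePair(cidr, except)
	if err != nil {
		return err
	}
	if !c.Contains(e.Addr()) {
		return fmt.Errorf("except %s is outside cidr %s", e, c)
	}
	return nil
}

// prefixAwareCheck also requires the exception to be at least as specific
// as the CIDR, so the exception covers no address outside the CIDR.
func prefixAwareCheck(cidr, except string) error {
	c, e, err := parsePair(cidr, except)
	if err != nil {
		return err
	}
	if e.Bits() < c.Bits() || !c.Contains(e.Addr()) {
		return fmt.Errorf("except %s is not contained in cidr %s", e, c)
	}
	return nil
}

func main() {
	// Constructed sample: the exception is larger than the CIDR it modifies.
	fmt.Println("addr-only:   ", addrOnlyCheck("10.0.0.0/16", "10.0.0.0/8"))
	fmt.Println("prefix-aware:", prefixAwareCheck("10.0.0.0/16", "10.0.0.0/8"))
}
```

An address-family mismatch (an IPv6 exception on an IPv4 CIDR) is rejected by both checks because `netip.Prefix.Contains` returns false across families.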
@tsotne95 requested review from a team as code owners March 5, 2026 08:28
@tsotne95 requested a review from squeed March 5, 2026 08:28
@maintainer-s-little-helper bot added the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.) Mar 5, 2026
@github-actions bot added the sig/policy label (Impacts whether traffic is allowed or denied based on user-defined policies.) Mar 5, 2026

Contributor Author

tsotne95 commented Mar 5, 2026

/test

Contributor Author

tsotne95 commented Mar 5, 2026

I don't see rocket emoji idk somehow it didn't trigger some actions? gonna try again

Contributor Author

tsotne95 commented Mar 5, 2026

/test

Contributor Author

tsotne95 commented Mar 5, 2026

/ci-clustermesh

Contributor Author

tsotne95 commented Mar 5, 2026

/ci-l7

Contributor Author

tsotne95 commented Mar 5, 2026

/ci-gateway-api

Contributor

@squeed squeed left a comment

In theory, we can also enforce this with CEL, but this seems fine to me.

@squeed added the release-note/bug label (This PR fixes an issue in a previous release of Cilium.) Mar 5, 2026
@maintainer-s-little-helper bot added the ready-to-merge label (This PR has passed all tests and received consensus from code owners to merge.) and removed the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.) Mar 5, 2026
@squeed added this pull request to the merge queue Mar 5, 2026
Merged via the queue into cilium:main with commit 5c68745 Mar 5, 2026
87 checks passed

Development

Successfully merging this pull request may close these issues.

exception CIDR can be bigger than the main CIDR and still pass validation
