optimize xdp auth #1256

Merged
kmesh-bot merged 2 commits into kmesh-net:main from weli-l:dev/auth_ip_optimize
Mar 6, 2025

Conversation

@weli-l (Contributor) commented Feb 27, 2025

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #1207

Previously, since the xdp program only supports ip and port, policies configured with ns and principal types need to be switched to user mode. However, the logic for determining whether to switch to user mode was wrong. The previous logic was that when policy_index is greater than `MAX_MEMBER_NUM_PER_POLICY`, it would determine whether to switch to user mode. However, `MAX_MEMBER_NUM_PER_POLICY` is a fixed value, and the number of deployed policies may be less than this number.
The correct logic should be to traverse all policies in xdp. In each policy, if the policy does not match, the result of authz will be stored in `match_ctx->auth_result`. If all policies are traversed and ns or principal rules are deployed, switch to user mode. If it is not necessary to switch to user mode, return directly according to `match_ctx->auth_result`.

### authz explanation and cases

B → C Traffic Authorization Policy Result

| Case | Policy Scope | Policy Rules | Result | Logic Description |
|------|--------------|--------------|--------|-------------------|
| 1 | Single B-targeted | allow B | PASS | Direct match |
| 2 | Single B-targeted | deny B | DROP | Direct match |
| 3 | Single non-B target | allow A | DROP | Non-target defaults to deny |
| 4 | Single non-B target | deny A | PASS | Non-target defaults to allow |
| 5 | Mixed (contains B) | allow B + deny A | PASS | B-target priority |
| 6 | Mixed (contains B) | deny B + allow A | DROP | B-target priority |
| 7 | Multi-B (ordered) | allow B, deny B | PASS | First-match execution |
| 8 | Multi-B (ordered) | deny B, allow B | DROP | First-match execution |

Special notes for your reviewer:

Does this PR introduce a user-facing change?:


Signed-off-by: weli-l <1289113577@qq.com>
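The traversal described in the PR body and the eight cases in its table, modelled as an added user-space C example. This is not Kmesh's code: the struct and enum names (`policy`, `match_ctx`, `RULE_IP`, `RULE_NAMESPACE`, `RULE_PRINCIPAL`), the `AUTH_IN_USER_SPACE` sentinel that stands in for the `bpf_tail_call` to `TAIL_CALL_AUTH_IN_USER_SPACE`, and the string-compare "match" are all assumptions made so the logic can run outside the kernel. It also goes slightly beyond the table by adding a namespace-rule case that must fall through to user mode and a no-policy case.

```c
/* Added illustration, not Kmesh's own XDP program. Names and the
 * string-based match below are assumptions for this user-space model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XDP_DROP 1
#define XDP_PASS 2
/* Hypothetical sentinel: in the real program this is a tail call to
 * TAIL_CALL_AUTH_IN_USER_SPACE, so the XDP verdict is not decided here. */
#define AUTH_IN_USER_SPACE 3

enum action { ACTION_ALLOW, ACTION_DENY };
/* Only RULE_IP (ip/port) can be decided in XDP per the PR description. */
enum rule_kind { RULE_IP, RULE_NAMESPACE, RULE_PRINCIPAL };

struct policy {
    enum action action;
    enum rule_kind kind;
    const char *target; /* workload name, stands in for the ip/port rule */
};

struct match_ctx {
    const struct policy *policies;
    size_t n_policies;
    bool need_tailcall_to_userspace;
    int auth_result;
};

/* Traverse every policy. A matching ip rule decides immediately (first
 * match wins). An unmatched ip rule stores the opposite of its action as
 * the provisional verdict (the "line 681" behaviour quoted in review).
 * ns/principal rules only flag that user mode must finish the decision. */
static int xdp_authz(struct match_ctx *ctx, const char *dst)
{
    ctx->need_tailcall_to_userspace = false;
    ctx->auth_result = XDP_PASS;
    for (size_t i = 0; i < ctx->n_policies; i++) {
        const struct policy *p = &ctx->policies[i];
        if (p->kind != RULE_IP) {
            ctx->need_tailcall_to_userspace = true;
            continue;
        }
        if (strcmp(p->target, dst) == 0)
            return p->action == ACTION_DENY ? XDP_DROP : XDP_PASS;
        ctx->auth_result = p->action == ACTION_DENY ? XDP_PASS : XDP_DROP;
    }
    if (ctx->need_tailcall_to_userspace)
        return AUTH_IN_USER_SPACE;
    return ctx->auth_result;
}

/* Constructed inputs: cases 1-8 follow the PR table for traffic to B;
 * case 9 adds a namespace rule, case 10 has no policies at all. */
static int run_case(int n)
{
    static const struct policy allow_b  = {ACTION_ALLOW, RULE_IP, "B"};
    static const struct policy deny_b   = {ACTION_DENY,  RULE_IP, "B"};
    static const struct policy allow_a  = {ACTION_ALLOW, RULE_IP, "A"};
    static const struct policy deny_a   = {ACTION_DENY,  RULE_IP, "A"};
    static const struct policy allow_ns = {ACTION_ALLOW, RULE_NAMESPACE, "ns-x"};
    struct policy set[2];
    size_t n_set = 0;

    switch (n) {
    case 1: set[0] = allow_b;  n_set = 1; break;
    case 2: set[0] = deny_b;   n_set = 1; break;
    case 3: set[0] = allow_a;  n_set = 1; break;
    case 4: set[0] = deny_a;   n_set = 1; break;
    case 5: set[0] = allow_b;  set[1] = deny_a;  n_set = 2; break;
    case 6: set[0] = deny_b;   set[1] = allow_a; n_set = 2; break;
    case 7: set[0] = allow_b;  set[1] = deny_b;  n_set = 2; break;
    case 8: set[0] = deny_b;   set[1] = allow_b; n_set = 2; break;
    case 9: set[0] = allow_ns; set[1] = deny_a;  n_set = 2; break;
    default: n_set = 0; break;
    }
    struct match_ctx ctx = {set, n_set, false, XDP_PASS};
    return xdp_authz(&ctx, "B");
}

int main(void)
{
    for (int n = 1; n <= 10; n++)
        printf("case %2d -> %d\n", n, run_case(n));
    return 0;
}
```

Case 9 is the situation the PR fixes: the fixed `MAX_MEMBER_NUM_PER_POLICY` threshold never triggered with two policies, so the namespace rule was never handed to user mode; here the flag set during traversal forces `AUTH_IN_USER_SPACE` regardless of how many policies exist.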
@codecov bot commented Feb 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.69%. Comparing base (d950911) to head (eeeb399).
Report is 20 commits behind head on main.

see 6 files with indirect coverage changes


Powered by Codecov. Last update 55a35b9...eeeb399. Read the comment docs.


@hzxuzhonghu hzxuzhonghu requested a review from Copilot February 27, 2025 06:33

Copilot AI left a comment


Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

@supercharge-xsy (Contributor)

/lgtm
And we need to sort out the current authentication specifications, especially in the case of multiple policies.

@hzxuzhonghu (Member)

Can you add some description about what this PR is doing?

match_ctx.policies = policies;
match_ctx.need_tailcall_to_userspace = false;
match_ctx.policy_index = 0;
match_ctx.auth_result = XDP_PASS;
@hzxuzhonghu (Member)

Why do we need to pass this? I kind of feel this is the default value. Not needed to pass.

if (!policy) {
return XDP_PASS;
if (match_ctx->need_tailcall_to_userspace) {
bpf_tail_call(ctx, &map_of_xdp_tailcall, TAIL_CALL_AUTH_IN_USER_SPACE);
@hzxuzhonghu (Member)

Can you add a comment on why we tail call to user space if no policy is found?

return XDP_PASS;
}
return XDP_PASS;
if (match_ctx->auth_result == XDP_PASS) {
@hzxuzhonghu (Member)

Do you ever set it to XDP_DROP? Can you point to it?

@weli-l (Contributor, Author)

In line 681, if unmatched, the authz result is stored temporarily:
match_ctx->auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_PASS : XDP_DROP;

Signed-off-by: weli-l <1289113577@qq.com>
@kmesh-bot kmesh-bot removed the lgtm label Mar 5, 2025
@weli-l (Contributor, Author) commented Mar 6, 2025

/retest

@hzxuzhonghu (Member) left a comment

/lgtm

@kmesh-bot (Collaborator)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hzxuzhonghu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kmesh-bot kmesh-bot merged commit 5d61b19 into kmesh-net:main Mar 6, 2025
12 of 13 checks passed

Development

Successfully merging this pull request may close these issues.

kmeshctl authz can't trigger offload authorization enable

5 participants