bpf: tests: egressgw: enable HostFW#42955

Merged
julianwiedmann merged 3 commits intomainfrom
pr/jwi/main/bpf-test-egw-hostfw
Nov 25, 2025

Conversation

@julianwiedmann
Member

@julianwiedmann julianwiedmann commented Nov 24, 2025

Let's validate that EGW replies (ext_endpoint -> EgressIP) make it through
the ingress path on the GW node without being blocked by the HostFW.

This relies on the following sequence
1. RevSNAT (turns the packet into ext_endpoint -> PodIP), then
2. HostFW ingress enforcement, which does an on-the-spot ipcache lookup for
   the daddr (PodIP) and breaks out if the matched identity is not HOST_ID.

Also enable HostFW in the "redirect_from_host" tests, even though this only
tests the egress path on the GW node.

@julianwiedmann julianwiedmann added area/CI Continuous Integration testing issue or flake area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/ci This PR makes changes to the CI. area/host-firewall Impacts the host firewall or the host endpoint. feature/egress-gateway Impacts the egress IP gateway feature. labels Nov 24, 2025
The memcpy() below expects the IPv6 address to be aligned.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

Replace open-coded occurrences with the appropriate helper.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

Let's validate that EGW replies (ext_endpoint -> EgressIP) make it through
the ingress path on the GW node without being blocked by the HostFW.

This relies on the following sequence
1. RevSNAT (turns the packet into ext_endpoint -> PodIP), then
2. HostFW ingress enforcement, which does an on-the-spot ipcache lookup for
   the daddr (PodIP) and breaks out if the matched identity is not HOST_ID.

Also enable HostFW in the "redirect_from_host" tests, even though this only
tests the egress path on the GW node.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
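The RevSNAT-then-HostFW sequence that the PR description and the commit message above rely on, as an added example that is not Cilium's BPF code: a userspace C model of the GW node's ingress path. The helper names (rev_snat, ipcache_lookup, host_fw_ingress, gw_ingress), the identity numbers, the addresses, the SNAT entry and the host policy are all constructed for the model; only the ordering and the HOST_ID break-out follow the description.

```c
/*
 * Added example (not Cilium code): a userspace C model of the two-step
 * sequence on the GW node's ingress path. Helper names, identity values,
 * addresses, SNAT state and host policy are all constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Reserved identities; values follow Cilium's reserved numbering (assumption). */
#define HOST_ID  1u
#define WORLD_ID 2u
#define POD_ID   12345u   /* hypothetical identity allocated to the pod */

/* IPv4 address as a host-order integer, keeps the model free of endianness noise. */
#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

#define EXT_IP    IP4(203, 0, 113, 10)  /* ext_endpoint */
#define EGRESS_IP IP4(192, 0, 2, 5)     /* EgressIP, also the GW node's own address */
#define POD_IP    IP4(10, 0, 0, 42)     /* PodIP behind the gateway */

struct pkt { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Constructed SNAT state: EgressIP:egress_port was handed out for PodIP:pod_port. */
struct snat_entry { uint32_t egress_ip; uint16_t egress_port; uint32_t pod_ip; uint16_t pod_port; };

struct ipcache_entry { uint32_t addr; uint32_t identity; };

enum verdict { VERDICT_DROP = 0, VERDICT_HOSTFW_SKIPPED, VERDICT_HOST_ALLOWED };

static const struct snat_entry snat_table[] = {
	{ EGRESS_IP, 40000, POD_IP, 51234 },
};

static const struct ipcache_entry ipcache[] = {
	{ EGRESS_IP, HOST_ID },
	{ POD_IP,    POD_ID },
	{ EXT_IP,    WORLD_ID },
};

/* Host policy for the model: the world may only reach SSH on the node. */
static const uint16_t host_allowed_ports[] = { 22 };

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Step 1: RevSNAT. Turns ext_endpoint -> EgressIP:port back into
 * ext_endpoint -> PodIP:port. Returns false when no NAT entry matches. */
static bool rev_snat(struct pkt *p)
{
	for (size_t i = 0; i < ARRAY_LEN(snat_table); i++) {
		const struct snat_entry *e = &snat_table[i];
		if (e->egress_ip == p->daddr && e->egress_port == p->dport) {
			p->daddr = e->pod_ip;
			p->dport = e->pod_port;
			return true;
		}
	}
	return false;
}

static uint32_t ipcache_lookup(uint32_t addr)
{
	for (size_t i = 0; i < ARRAY_LEN(ipcache); i++)
		if (ipcache[i].addr == addr)
			return ipcache[i].identity;
	return 0; /* unknown */
}

/* Step 2: HostFW ingress enforcement. Looks daddr up in the ipcache on the
 * spot; a daddr whose identity is not HOST_ID is not host traffic, so the
 * host policy is skipped. Host traffic is matched against the host policy. */
static enum verdict host_fw_ingress(const struct pkt *p)
{
	if (ipcache_lookup(p->daddr) != HOST_ID)
		return VERDICT_HOSTFW_SKIPPED;
	for (size_t i = 0; i < ARRAY_LEN(host_allowed_ports); i++)
		if (p->dport == host_allowed_ports[i])
			return VERDICT_HOST_ALLOWED;
	return VERDICT_DROP;
}

/* The ordering the test validates: RevSNAT first, then HostFW. */
enum verdict gw_ingress(struct pkt p)
{
	rev_snat(&p);
	return host_fw_ingress(&p);
}

/* Reversed ordering, for contrast: HostFW still sees daddr == EgressIP,
 * which resolves to HOST_ID, so the pod's reply is judged by host policy. */
enum verdict gw_ingress_hostfw_first(struct pkt p)
{
	enum verdict v = host_fw_ingress(&p);
	rev_snat(&p);
	return v;
}

/* Constructed packets arriving on the GW node from ext_endpoint. */
struct pkt egw_reply(void)     { return (struct pkt){ EXT_IP, EGRESS_IP, 443, 40000 }; }
struct pkt ssh_to_node(void)   { return (struct pkt){ EXT_IP, EGRESS_IP, 55000, 22 }; }
struct pkt probe_to_node(void) { return (struct pkt){ EXT_IP, EGRESS_IP, 55001, 8080 }; }
```

gw_ingress() lets the EGW reply through with the host policy skipped, while the reversed ordering in gw_ingress_hostfw_first() drops the same reply: the untranslated daddr is the node's own address, the ipcache returns HOST_ID, and a host policy that only allows SSH never meant to cover a pod's return traffic on an ephemeral port. Genuine host traffic (SSH to the node, a probe on 8080) is still judged by the host policy in both orderings.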
@julianwiedmann julianwiedmann force-pushed the pr/jwi/main/bpf-test-egw-hostfw branch from 3e6690f to 0b8cc29 Compare November 25, 2025 08:27
@julianwiedmann
Member Author

/test

@julianwiedmann julianwiedmann changed the title Pr/jwi/main/bpf test egw hostfw bpf: tests: egressgw: enable HostFW Nov 25, 2025
@julianwiedmann julianwiedmann requested review from a team and rgo3 and removed request for a team November 25, 2025 11:09
@julianwiedmann julianwiedmann marked this pull request as ready for review November 25, 2025 11:09
@julianwiedmann julianwiedmann requested a review from a team as a code owner November 25, 2025 11:09
@julianwiedmann julianwiedmann added this pull request to the merge queue Nov 25, 2025
Merged via the queue into main with commit 741109f Nov 25, 2025
93 checks passed
@julianwiedmann julianwiedmann deleted the pr/jwi/main/bpf-test-egw-hostfw branch November 25, 2025 21:27
@julianwiedmann julianwiedmann added the backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. label Dec 15, 2025
@github-actions github-actions Bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Jan 5, 2026
@cilium-release-bot cilium-release-bot Bot moved this to Released in cilium v1.19.0 Feb 3, 2026

Labels

area/CI Continuous Integration testing issue or flake area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. area/host-firewall Impacts the host firewall or the host endpoint. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. feature/egress-gateway Impacts the egress IP gateway feature. release-note/ci This PR makes changes to the CI.

Projects

No open projects
Status: Released

3 participants