[BPF] suppress normal HEP policy on WEP if there is no wildcard HostE…

…ndpoint If there is no wildcard HEP, there is no policy that should be applied. But without skipping, empty list of profiles would create a default deny rule if none of the non-existent profiles matches. That is obviously always hit and traffic toward the host is dropped if defaultEndpointToHostAction is set to RETURN. fixes projectcalico#7252
tomastigera · Jan 4, 2024 · 84e926c · 84e926c
1 parent c3cd516
commit 84e926c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/felix/dataplane/linux/bpf_ep_mgr.go b/felix/dataplane/linux/bpf_ep_mgr.go
@@ -1965,8 +1965,9 @@ func (m *bpfEndpointManager) wepApplyPolicy(ap *tc.AttachPoint,
 	}
 
 	// If workload egress and DefaultEndpointToHostAction is ACCEPT or DROP, suppress the normal
-	// host-* endpoint policy.
-	if polDirection == PolDirnEgress && m.epToHostAction != "RETURN" {
+	// host-* endpoint policy. If it does not exist, suppress it as well, not to
+	// create deny due to the fact that there are not profiles or tiers etc.
+	if polDirection == PolDirnEgress && (m.epToHostAction != "RETURN" || !m.wildcardExists) {
 		rules.SuppressNormalHostPolicy = true
 	}
 
@@ -2966,6 +2967,7 @@ func (m *bpfEndpointManager) loadPolicyProgram(
 	log.WithFields(log.Fields{
 		"progName": progName,
 		"ipFamily": ipFamily,
+		"rules":    rules,
 	}).Debug("Generating policy program...")
 
 	if ipFamily == proto.IPVersion_IPV6 {

diff --git a/felix/fv/bpf_test.go b/felix/fv/bpf_test.go
@@ -432,7 +432,7 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 
 				for i, felix := range tc.Felixes {
 					felix.Exec("conntrack", "-L")
-					felix.Exec("calico-bpf", "-6", "policy", "dump", "cali1ab524b60b9", "all", "--asm")
+					felix.Exec("calico-bpf", "policy", "dump", "cali8d1e69e5f89", "all", "--asm")
 					if testOpts.ipv6 {
 						felix.Exec("ip6tables-save", "-c")
 						felix.Exec("ip", "-6", "link")
@@ -631,6 +631,18 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 				})
 			})
 
+			Describe("with DefaultEndpointToHostAction=RETURN", func() {
+				BeforeEach(func() {
+					options.ExtraEnvVars["FELIX_DefaultEndpointToHostAction"] = "RETURN"
+					options.AutoHEPsEnabled = false
+				})
+				It("should allow traffic from workload to host", func() {
+					cc.Expect(Some, w[1], hostW)
+					cc.Expect(Some, hostW, w[0])
+					cc.CheckConnectivity(conntrackChecks(tc.Felixes)...)
+				})
+			})
+
 			getMapIDByPath := func(felix *infrastructure.Felix, filename string) (int, error) {
 				out, err := felix.ExecOutput("bpftool", "map", "show", "pinned", filename, "-j")
 				if err != nil {