feat(egress): reload deny.always and allow.always every minute #698

Merged: hittyt merged 1 commit into alibaba:main from Pangjiping:feat/egress/dynamic-list on Apr 15, 2026
@Pangjiping
Collaborator

Summary

  • Reload deny.always and allow.always every minute using mtime/size checks, treat file deletion as rule removal, and apply updates to both DNS evaluation and nft static policy.
  • Decouple refresh from the policy API critical path by avoiding the main policy_server lock during refresh; commitPolicy now consumes the current always-rule snapshot only.

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

@chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d5cbc57355

Comment thread components/egress/policy_server.go Outdated
Comment thread components/egress/policy_server.go
@Pangjiping force-pushed the feat/egress/dynamic-list branch from d5cbc57 to ca5717b on April 12, 2026 10:55
…mtime/size checks, treat file deletion as rule removal, and apply updates to both DNS evaluation and nft static policy.
@Pangjiping force-pushed the feat/egress/dynamic-list branch from ca5717b to c722ffc on April 12, 2026 11:04

@hittyt (Collaborator) left a comment

LGTM

@hittyt merged commit 99fa9be into alibaba:main on Apr 15, 2026
10 checks passed

Labels: component/egress, feature (New feature or request)
