policy: Add a bpf compiling option when enable-icmp-rules flag is set

[chez-shanpu]

By this commit, bpf program is compiled with -DENABLE_ICMP_RULE option when enable-icmp-rules flag is set.

Signed-off-by: Tomoki Sugiura tomoki.sugiura@mail.shanpu.info

[joestringer]

Thanks for the fix. Just one comment below, usually we we define these in the headerfiles instead of passing additional arguments directly to the compiler. Would be good to keep that consistent.

[joestringer]

LGTM, thanks.

[joestringer]

I'm seeing Image CI builds fail, example: https://github.com/cilium/cilium/actions/runs/1362491757

These errors do not look related to the PR. I'll close/reopen the PR to see if that retriggers the CI correctly.

[joestringer]

Looks like the github image build actions are still failing. I've raised a thread on Slack to follow up on this, since it still doesn't look related to your PR.

[joestringer]

@chez-shanpu can you rebase your PR against the latest master tree? It looks like this is what is causing the image build failures.

[joestringer]

Oh, one more thing - Does this mean that we don't currently have tests for this functionality? Otherwise we could have maybe found this out earlier.

[chez-shanpu]

Does this mean that we don't currently have tests for this functionality?

Yes.
When this ICMP rule is enabled with some options, eBPF verification CI fails because of kernel complexity issue. Therefore, I added e2e test at #17135, and I was going to merge it after this complexity issue is solved and ICMP rule is implemented totally.
But, I didn't try enabling this function in a e2e script and it's worth a try.
I'll do it :)

[joestringer]

Given the code is not covered by CI, I think it's fine to merge this as-is. I would welcome followup to add coverage for this feature to CI somehow.

[chez-shanpu]

Okay, I would open another PR (or use existing PR #17135) when I add an e2e test for this function.