Commits on May 10, 2023

1. datapath: link-local unicast addresses are "host" …

   This is a fix for a regression in the local addresses logic, introduced
   in 080857b as part of the
   implementation for AddressScopeMax. Addresses with the form of
   link-local unicast addresses began to be filtered out of the local
   address aggregation, causing them to labeled with the "world" identity
   for the sake of policy enforcement. Examples of such addresses include:
   
   169.254.10.10
   fe80::1234
   
   This caused issues for a variety of users, whose policies allowing
   "host" traffic would no longer allow traffic to these addresses, forcing
   the use of workarounds involving CIDR policies, which is not the
   intended behavior for this type of address. This was a regression as of
   Cilium 1.12.0-rc2. One reason for this regression was that logic prior
   to the change looked at the address scope, whereas logic after the
   change looked at the address bytes, and it was found that many users had
   assigned addresses of the forms above but with scope global, causing
   them to again be filtered unconditionally.
   
   This patch factors out the local address filtering logic into a
   function, removes the skip over IsLinkLocalUnicast(), and adds a variety
   of unit tests for that function.
   
   fixes: #25242
   fixes: #23910
   fixes: #16308
   fixes: #20055
   
   Signed-off-by: Andrew Sauber <andrew.sauber@isovalent.com>

   

   asauber committed May 10, 2023
   Configuration menu

   • View commit details
   • Copy full SHA for dac638e
   • Browse repository at this point

   Copy the full SHA

   dac638e View commit details

   Browse the repository at this point in the history