cilium · jrajahalme · Mar 11, 2024 · Feb 15, 2024 · Feb 28, 2024 · Feb 29, 2024
@@ -38,10 +38,9 @@ each other via that port.
 
 .. note::
 
-   When running in the tunneling mode (i.e. with VXLAN or Geneve), pod to pod
-   traffic will be sent only over the WireGuard tunnel which means that the
-   packets will bypass the other tunnel, and thus they will be encapsulated
-   only once.
+   When running in tunnel routing mode, pod to pod traffic is encapsulated twice.
+   It is first sent to the VXLAN / Geneve tunnel interface, and then subsequently
+   also encapsulated by the WireGuard tunnel.
 
 Enable WireGuard in Cilium
 ==========================

@@ -333,7 +333,7 @@ static __always_inline int handle_ipv4(struct __ctx_buff *ctx,
 			if (!vtep)
 				goto skip_vtep;
 			if (vtep->tunnel_endpoint) {
-				if (identity_is_world_ipv4(*identity))
+				if (!identity_is_world_ipv4(*identity))
 					return DROP_INVALID_VNI;
 			}
 		}

@@ -285,6 +285,8 @@ func catCommands() []string {
 	files := []string{
 		"/proc/sys/net/core/bpf_jit_enable",
 		"/proc/kallsyms",
+		"/proc/buddyinfo",
+		"/proc/pagetypeinfo",
 		"/etc/resolv.conf",
 		"/var/log/docker.log",
 		"/var/log/daemon.log",

@@ -1,20 +1,18 @@
 #!/usr/bin/env bash
 
-
 HQ_POD=$(kubectl get pods -l app=empire-hq -o jsonpath='{.items[0].metadata.name}')
 OUTPOST_8888_POD=$(kubectl get pods -l outpostid=8888 -o jsonpath='{.items[0].metadata.name}')
 OUTPOST_9999_POD=$(kubectl get pods -l outpostid=9999 -o jsonpath='{.items[0].metadata.name}')
 BACKUP_POD=$(kubectl get pods -l app=empire-backup -o jsonpath='{.items[0].metadata.name}')
 
-#generate traffic
+# generate traffic
 
 echo "producing messages"
-kubectl exec $HQ_POD sh -- -c "echo “Happy 40th Birthday to General Tagge” | ./kafka-produce.sh --topic empire-announce"
-kubectl exec $HQ_POD sh -- -c "echo “deathstar plans v3” | ./kafka-produce.sh --topic deathstar-plans"
+kubectl exec "$HQ_POD" -- sh -c 'echo "Happy 40th Birthday to General Tagge" | ./kafka-produce.sh --topic empire-announce'
+kubectl exec "$HQ_POD" -- sh -c 'echo "deathstar plans v3" | ./kafka-produce.sh --topic deathstar-plans'
 
 echo "consuming messages"
 
-kubectl exec $OUTPOST_9999_POD sh -- -c "./kafka-consume.sh --topic empire-announce --from-beginning --max-messages 1"
-kubectl exec $OUTPOST_8888_POD sh -- -c "./kafka-consume.sh --topic empire-announce --from-beginning --max-messages 1"
-kubectl exec $BACKUP_POD sh -- -c "./kafka-consume.sh --topic deathstar-plans --from-beginning --max-messages 1"
-
+kubectl exec "$OUTPOST_9999_POD" -- sh -c './kafka-consume.sh --topic empire-announce --from-beginning --max-messages 1'
+kubectl exec "$OUTPOST_8888_POD" -- sh -c './kafka-consume.sh --topic empire-announce --from-beginning --max-messages 1'
+kubectl exec "$BACKUP_POD" -- sh -c './kafka-consume.sh --topic deathstar-plans --from-beginning --max-messages 1'
@@ -528,7 +528,7 @@ func toPathMatch(match gatewayv1.HTTPRouteMatch) model.StringMatch {
 }
 
 func toGRPCPathMatch(match gatewayv1alpha2.GRPCRouteMatch) model.StringMatch {
-	if match.Method.Service == nil || match.Method == nil {
+	if match.Method == nil || match.Method.Service == nil {
 		return model.StringMatch{}
 	}
 

@@ -24,10 +24,10 @@ func NewCIDRTrie[T any]() *CIDRTrie[T] {
 }
 
 // Lookup returns the longest matched value for a given address.
-func (c *CIDRTrie[T]) Lookup(addr netip.Addr) T {
+func (c *CIDRTrie[T]) Lookup(addr netip.Addr) (T, bool) {
 	if !addr.IsValid() {
 		var def T
-		return def
+		return def, false
 	}
 	bits := addr.BitLen()
 	prefix := netip.PrefixFrom(addr, bits)

@@ -42,7 +42,7 @@ loop:
 				continue loop
 			}
 		}
-		have := trie.Lookup(prefixes[name].Addr())
+		have, _ := trie.Lookup(prefixes[name].Addr())
 		if have != name {
 			t.Errorf("Lookup(%s) returned %s want %s", prefixes[name].String(), have, name)
 		}
@@ -92,7 +92,9 @@ loop:
 			"0",
 		},
 	} {
-		assert.Equal(t, tc.v, trie.Lookup(netip.MustParsePrefix(tc.k).Addr()))
+		v, ok := trie.Lookup(netip.MustParsePrefix(tc.k).Addr())
+		assert.True(t, ok)
+		assert.Equal(t, tc.v, v)
 	}
 
 }