From 130e7e2133d05dc134464705b40963c67108783d Mon Sep 17 00:00:00 2001 From: Jarno Rajahalme Date: Tue, 22 Apr 2025 11:46:24 +0200 Subject: [PATCH] policy: Add proxy_id matching Add 'proxy_id' field to NetworkPolicy xDS 'PortNetworkPolicyRule'. If non-zero, the rule will be ignored when executing on a Listener for a non-matching proxy ID. Signed-off-by: Jarno Rajahalme --- cilium/api/npds.proto | 6 + cilium/bpf_metadata.cc | 2 +- cilium/filter_state_cilium_policy.cc | 44 ++-- cilium/network_filter.cc | 2 +- cilium/network_policy.cc | 126 ++++++----- cilium/network_policy.h | 21 +- cilium/tls_wrapper.cc | 34 +-- go/cilium/api/npds.pb.go | 318 ++++++++++++++------------- go/cilium/api/npds.pb.validate.go | 2 + tests/bpf_metadata.cc | 4 +- tests/cilium_network_policy_test.cc | 171 +++++++++++++- 11 files changed, 474 insertions(+), 256 deletions(-) diff --git a/cilium/api/npds.proto b/cilium/api/npds.proto index 148c89ac0..f6b826e44 100644 --- a/cilium/api/npds.proto +++ b/cilium/api/npds.proto @@ -130,6 +130,12 @@ message PortNetworkPolicyRule { // Traffic on this port is denied for all `remote_policies` if true bool deny = 8; + // ProxyID is non-zero if the rule was an allow rule with an explicit listener reference. + // The given value corresponds to the 'proxy_id' value in the BpfMetadata listener filter + // configuration. + // This rule should be ignored if not executing in the referred listener. + uint32 proxy_id = 9; + // Optional name for the rule, can be used in logging and error messages. string name = 5; diff --git a/cilium/bpf_metadata.cc b/cilium/bpf_metadata.cc index 273f60ec3..2a5453d74 100644 --- a/cilium/bpf_metadata.cc +++ b/cilium/bpf_metadata.cc 
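Review bot: The new field comment on `proxy_id` leaves the matching contract implicit: it does not say that the default `0` makes the rule apply on every listener, nor that "ignored" means the rule neither allows nor denies on a non-matching listener. I'd extend the comment with `// A value of 0 (the default) matches every listener. Deny rules are expected to leave this field at 0.` so the contract the C++ side enforces is stated at the API boundary. Nothing on this page validates that deny rules leave the field at zero; if npds.pb.validate.go does not enforce it, that should be said here as well.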
@@ -501,7 +501,7 @@ Config::extractSocketMetadata(Network::ConnectionSocket& socket) { // based policies (e.g., with MongoDB or MySQL filters). std::string proxylib_l7proto; uint32_t remote_id = is_ingress_ ? source_identity : destination_identity; - if (policy->useProxylib(is_ingress_, remote_id, dip->port(), proxylib_l7proto)) { + if (policy->useProxylib(is_ingress_, proxy_id_, remote_id, dip->port(), proxylib_l7proto)) { ENVOY_LOG(trace, "cilium.bpf_metadata: detected proxylib l7 proto: {}", proxylib_l7proto); } diff --git a/cilium/filter_state_cilium_policy.cc b/cilium/filter_state_cilium_policy.cc index cbd64b0b0..1b4220c25 100644 --- a/cilium/filter_state_cilium_policy.cc +++ b/cilium/filter_state_cilium_policy.cc @@ -40,14 +40,14 @@ bool CiliumPolicyFilterState::enforceNetworkPolicy(const Network::Connection& co auto portPolicy = policy.findPortPolicy(ingress_, port); - if (!portPolicy.allowed(remote_id, sni)) { - ENVOY_CONN_LOG(debug, "Pod policy DENY on id: {} port: {} sni: \"{}\"", conn, remote_id, - destination_port, sni); + if (!portPolicy.allowed(proxy_id_, remote_id, sni)) { + ENVOY_CONN_LOG(debug, "Pod policy DENY on proxy_id: {} id: {} port: {} sni: \"{}\"", conn, + proxy_id_, remote_id, destination_port, sni); return false; } // populate l7proto_ if available - use_proxy_lib = portPolicy.useProxylib(remote_id, l7_proto); + use_proxy_lib = portPolicy.useProxylib(proxy_id_, remote_id, l7_proto); } // enforce Ingress policy 2nd, if any 
@@ -58,20 +58,22 @@ bool CiliumPolicyFilterState::enforceNetworkPolicy(const Network::Connection& co // Enforce ingress policy for Ingress, on the original destination port if (ingress_source_identity_ != 0) { auto ingressPortPolicy = policy.findPortPolicy(true, port_); - if (!ingressPortPolicy.allowed(ingress_source_identity_, sni)) { - ENVOY_CONN_LOG(debug, - "Ingress network policy DROP for source identity: {} port: {} sni: \"{}\"", - conn, ingress_source_identity_, destination_port, sni); + if (!ingressPortPolicy.allowed(proxy_id_, ingress_source_identity_, sni)) { + ENVOY_CONN_LOG( + debug, + "Ingress network policy DROP for proxy_id: {} source identity: {} port: {} sni: \"{}\"", + conn, proxy_id_, ingress_source_identity_, destination_port, sni); return false; } } // Enforce egress policy for Ingress auto egressPortPolicy = policy.findPortPolicy(false, destination_port); - if (!egressPortPolicy.allowed(destination_identity, sni)) { + if (!egressPortPolicy.allowed(proxy_id_, destination_identity, sni)) { ENVOY_CONN_LOG(debug, - "Egress network policy DROP for destination identity: {} port: {} sni: \"{}\"", - conn, destination_identity, destination_port, sni); + "Egress network policy DROP for proxy_id: {} destination identity: {} port: " + "{} sni: \"{}\"", + conn, proxy_id_, destination_identity, destination_port, sni); return false; } } 
@@ -104,8 +106,9 @@ bool CiliumPolicyFilterState::enforceHTTPPolicy(const Network::Connection& conn, const auto& policy = resolver->getPolicy(pod_ip_); auto remote_id = ingress_ ? source_identity_ : destination_identity; auto port = ingress_ ? port_ : destination_port; - if (!policy.allowed(ingress_, remote_id, port, headers, log_entry)) { - ENVOY_CONN_LOG(debug, "Pod HTTP policy DENY on id: {} port: {}", conn, remote_id, port); + if (!policy.allowed(ingress_, proxy_id_, remote_id, port, headers, log_entry)) { + ENVOY_CONN_LOG(debug, "Pod HTTP policy DENY on proxy_id: {} id: {} port: {}", conn, proxy_id_, + remote_id, port); return false; } } @@ -117,17 +120,20 @@ bool CiliumPolicyFilterState::enforceHTTPPolicy(const Network::Connection& conn, // Enforce ingress policy for Ingress, on the original destination port if (ingress_source_identity_ != 0) { - if (!policy.allowed(true, ingress_source_identity_, port_, headers, log_entry)) { - ENVOY_CONN_LOG(debug, "Ingress HTTP policy DROP for source identity: {} port: {}", conn, - ingress_source_identity_, port_); + if (!policy.allowed(true, proxy_id_, ingress_source_identity_, port_, headers, log_entry)) { + ENVOY_CONN_LOG(debug, + "Ingress HTTP policy DROP for proxy_id: {} source identity: {} port: {}", + conn, proxy_id_, ingress_source_identity_, port_); return false; } } // Enforce egress policy for Ingress - if (!policy.allowed(false, destination_identity, destination_port, headers, log_entry)) { - ENVOY_CONN_LOG(debug, "Egress HTTP policy DROP for destination identity: {} port: {}", conn, - destination_identity, destination_port); + if (!policy.allowed(false, proxy_id_, destination_identity, destination_port, headers, + log_entry)) { + ENVOY_CONN_LOG(debug, + "Egress HTTP policy DROP for proxy_id: {} destination identity: {} port: {}", + conn, proxy_id_, destination_identity, destination_port); return false; } } diff --git a/cilium/network_filter.cc b/cilium/network_filter.cc index ac8cc9f52..d4f2fffb3 100644 
--- a/cilium/network_filter.cc +++ b/cilium/network_filter.cc @@ -279,7 +279,7 @@ Network::FilterStatus Instance::onData(Buffer::Instance& data, bool end_stream) } const auto& policy = policy_fs->getPolicy(); auto port_policy = policy.findPortPolicy(policy_fs->ingress_, destination_port_); - if (!port_policy.allowed(remote_id_, metadata)) { + if (!port_policy.allowed(policy_fs->proxy_id_, remote_id_, metadata)) { config_->Log(log_entry_, ::cilium::EntryType::Denied); reason = "metadata policy drop"; goto drop_close; diff --git a/cilium/network_policy.cc b/cilium/network_policy.cc index 98133a06e..71ab4eb31 100644 --- a/cilium/network_policy.cc +++ b/cilium/network_policy.cc @@ -364,7 +364,8 @@ class L7NetworkPolicyRule : public Logger::Loggable { class PortNetworkPolicyRule : public Logger::Loggable { public: PortNetworkPolicyRule(const NetworkPolicyMap& parent, const cilium::PortNetworkPolicyRule& rule) - : name_(rule.name()), deny_(rule.deny()), l7_proto_(rule.l7_proto()) { + : name_(rule.name()), deny_(rule.deny()), proxy_id_(rule.proxy_id()), + l7_proto_(rule.l7_proto()) { // Deny rules can not be short circuited, i.e., if any deny rules are present, then all // rules must be evaluated even if one would allow can_short_circuit_ = !deny_; @@ -410,7 +411,11 @@ class PortNetworkPolicyRule : public Logger::Loggable { } } - bool allowed(uint32_t remote_id, bool& denied) const { + bool allowed(uint32_t proxy_id, uint32_t remote_id, bool& denied) const { + // proxy_id must match if we have any. + if (proxy_id_ != 0 && proxy_id != proxy_id_) { + return false; + } // Remote ID must match if we have any. if (remotes_.size() > 0) { auto match = remotes_.find(remote_id); 
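Review bot: The new listener gate in `allowed(uint32_t proxy_id, uint32_t remote_id, bool& denied)` returns false without touching `denied`, so a deny rule that happens to carry a non-zero `proxy_id` silently stops denying on every other listener (fail-open) rather than being rejected as malformed. The proto comment says only allow rules carry a listener reference, but the constructor in the `@@ -364` hunk just copies `rule.proxy_id()` into `proxy_id_` without checking that invariant, and nothing else in this diff does. I'd have the constructor reject `deny_ && proxy_id_ != 0` the same way other invalid rule fields are handled there (the rest of the constructor body is outside the hunk), or at minimum log it at warn level, so a misconfigured or hostile policy cannot turn a deny into a per-listener no-op. A short comment above the gate, `// A non-zero proxy_id restricts this (allow) rule to the listener with that id; 0 matches any listener.`, would also make the intent visible at the point of enforcement.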
@@ -435,7 +440,7 @@ class PortNetworkPolicyRule : public Logger::Loggable { return true; } - bool allowed(uint32_t remote_id, absl::string_view sni, bool& denied) const { + bool allowed(uint32_t proxy_id, uint32_t remote_id, absl::string_view sni, bool& denied) const { // sni must match if we have any if (allowed_snis_.size() > 0) { if (sni.length() == 0) { @@ -452,12 +457,12 @@ class PortNetworkPolicyRule : public Logger::Loggable { return false; } } - return allowed(remote_id, denied); + return allowed(proxy_id, remote_id, denied); } - bool allowed(uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, + bool allowed(uint32_t proxy_id, uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry, bool& denied) const { - if (!allowed(remote_id, denied)) { + if (!allowed(proxy_id, remote_id, denied)) { return false; } if (http_rules_.size() > 0) { @@ -482,9 +487,9 @@ class PortNetworkPolicyRule : public Logger::Loggable { return true; } - bool useProxylib(uint32_t remote_id, std::string& l7_proto) const { + bool useProxylib(uint32_t proxy_id, uint32_t remote_id, std::string& l7_proto) const { bool denied = false; - if (!allowed(remote_id, denied)) { + if (!allowed(proxy_id, remote_id, denied)) { return false; } if (l7_proto_.length() > 0) { @@ -496,9 +501,9 @@ class PortNetworkPolicyRule : public Logger::Loggable { } // Envoy Metadata matcher, called after deny has already been checked for - bool allowed(uint32_t remote_id, const envoy::config::core::v3::Metadata& metadata, - bool& denied) const { - if (!allowed(remote_id, denied)) { + bool allowed(uint32_t proxy_id, uint32_t remote_id, + const envoy::config::core::v3::Metadata& metadata, bool& denied) const { + if (!allowed(proxy_id, remote_id, denied)) { return false; } for (const auto& rule : l7_deny_rules_) { 
@@ -531,11 +536,12 @@ class PortNetworkPolicyRule : public Logger::Loggable { return true; // allowed by default } - Ssl::ContextSharedPtr getServerTlsContext(uint32_t remote_id, absl::string_view sni, + Ssl::ContextSharedPtr getServerTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const { bool denied = false; - if (allowed(remote_id, sni, denied)) { + if (allowed(proxy_id, remote_id, sni, denied)) { if (server_context_) { *config = &server_context_->getTlsContextConfig(); return server_context_->getTlsContext(); @@ -545,11 +551,12 @@ class PortNetworkPolicyRule : public Logger::Loggable { return nullptr; } - Ssl::ContextSharedPtr getClientTlsContext(uint32_t remote_id, absl::string_view sni, + Ssl::ContextSharedPtr getClientTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const { bool denied = false; - if (allowed(remote_id, sni, denied)) { + if (allowed(proxy_id, remote_id, sni, denied)) { if (client_context_) { *config = &client_context_->getTlsContextConfig(); return client_context_->getTlsContext(); @@ -579,6 +586,9 @@ class PortNetworkPolicyRule : public Logger::Loggable { if (deny_) { res.append(indent, ' ').append("deny: true\n"); } + if (proxy_id_ != 0) { + res.append(indent, ' ').append(fmt::format("proxy_id: {}\n", proxy_id_)); + } if (!allowed_snis_.empty()) { res.append(indent, ' ').append("allowed_snis: ["); @@ -621,6 +631,7 @@ class PortNetworkPolicyRule : public Logger::Loggable { UpstreamTLSContextPtr client_context_; bool can_short_circuit_{true}; bool deny_; + uint32_t proxy_id_; absl::btree_set remotes_; std::vector allowed_snis_; // All SNIs allowed if empty. 
@@ -655,7 +666,7 @@ class PortNetworkPolicyRules : public Logger::Loggable { } } - bool allowed(uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, + bool allowed(uint32_t proxy_id, uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry, bool& denied) const { // Empty set matches any payload from anyone if (rules_.size() == 0) { @@ -664,7 +675,7 @@ class PortNetworkPolicyRules : public Logger::Loggable { bool allowed = false; for (const auto& rule : rules_) { - if (rule->allowed(remote_id, headers, log_entry, denied)) { + if (rule->allowed(proxy_id, remote_id, headers, log_entry, denied)) { ENVOY_LOG(trace, "Cilium L7 PortNetworkPolicyRules(): ALLOWED"); allowed = true; // Short-circuit on the first match if no rules have HeaderMatches or if deny rules do not @@ -678,7 +689,7 @@ class PortNetworkPolicyRules : public Logger::Loggable { return allowed && !denied; } - bool allowed(uint32_t remote_id, absl::string_view sni, bool& denied) const { + bool allowed(uint32_t proxy_id, uint32_t remote_id, absl::string_view sni, bool& denied) const { // Empty set matches any payload from anyone if (rules_.size() == 0) { return true; @@ -686,7 +697,7 @@ class PortNetworkPolicyRules : public Logger::Loggable { bool allowed = false; for (const auto& rule : rules_) { - if (rule->allowed(remote_id, sni, denied)) { + if (rule->allowed(proxy_id, remote_id, sni, denied)) { allowed = true; // Short-circuit on the first match if no rules have HeaderMatches or if deny rules do not // exist 
@@ -698,17 +709,17 @@ class PortNetworkPolicyRules : public Logger::Loggable { return allowed && !denied; } - bool useProxylib(uint32_t remote_id, std::string& l7_proto) const { + bool useProxylib(uint32_t proxy_id, uint32_t remote_id, std::string& l7_proto) const { for (const auto& rule : rules_) { - if (rule->useProxylib(remote_id, l7_proto)) { + if (rule->useProxylib(proxy_id, remote_id, l7_proto)) { return true; } } return false; } - bool allowed(uint32_t remote_id, const envoy::config::core::v3::Metadata& metadata, - bool& denied) const { + bool allowed(uint32_t proxy_id, uint32_t remote_id, + const envoy::config::core::v3::Metadata& metadata, bool& denied) const { // Empty set matches any payload from anyone if (rules_.size() == 0) { return true; @@ -716,7 +727,7 @@ class PortNetworkPolicyRules : public Logger::Loggable { bool allowed = false; for (const auto& rule : rules_) { - if (rule->allowed(remote_id, metadata, denied)) { + if (rule->allowed(proxy_id, remote_id, metadata, denied)) { allowed = true; // Short-circuit on the first match if no rules have HeaderMatches or if deny rules do not // exist 
@@ -728,24 +739,26 @@ class PortNetworkPolicyRules : public Logger::Loggable { return allowed && !denied; } - Ssl::ContextSharedPtr getServerTlsContext(uint32_t remote_id, absl::string_view sni, + Ssl::ContextSharedPtr getServerTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const { for (const auto& rule : rules_) { Ssl::ContextSharedPtr server_context = - rule->getServerTlsContext(remote_id, sni, config, raw_socket_allowed); + rule->getServerTlsContext(proxy_id, remote_id, sni, config, raw_socket_allowed); if (server_context) return server_context; } return nullptr; } - Ssl::ContextSharedPtr getClientTlsContext(uint32_t remote_id, absl::string_view sni, + Ssl::ContextSharedPtr getClientTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const { for (const auto& rule : rules_) { Ssl::ContextSharedPtr client_context = - rule->getClientTlsContext(remote_id, sni, config, raw_socket_allowed); + rule->getClientTlsContext(proxy_id, remote_id, sni, config, raw_socket_allowed); if (client_context) return client_context; } 
@@ -822,49 +835,52 @@ bool PortPolicy::for_first_range(std::function bool { - return rules.useProxylib(remote_id, l7_proto); + return rules.useProxylib(proxy_id, remote_id, l7_proto); }); } -bool PortPolicy::allowed(uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, +bool PortPolicy::allowed(uint32_t proxy_id, uint32_t remote_id, + Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry) const { return for_range([&](const PortNetworkPolicyRules& rules, bool& denied) -> bool { - return rules.allowed(remote_id, headers, log_entry, denied); + return rules.allowed(proxy_id, remote_id, headers, log_entry, denied); }); } -bool PortPolicy::allowed(uint32_t remote_id, absl::string_view sni) const { +bool PortPolicy::allowed(uint32_t proxy_id, uint32_t remote_id, absl::string_view sni) const { return for_range([&](const PortNetworkPolicyRules& rules, bool& denied) -> bool { - return rules.allowed(remote_id, sni, denied); + return rules.allowed(proxy_id, remote_id, sni, denied); }); } -bool PortPolicy::allowed(uint32_t remote_id, +bool PortPolicy::allowed(uint32_t proxy_id, uint32_t remote_id, const envoy::config::core::v3::Metadata& metadata) const { return for_range([&](const PortNetworkPolicyRules& rules, bool& denied) -> bool { - return rules.allowed(remote_id, metadata, denied); + return rules.allowed(proxy_id, remote_id, metadata, denied); }); } -Ssl::ContextSharedPtr PortPolicy::getServerTlsContext(uint32_t remote_id, absl::string_view sni, +Ssl::ContextSharedPtr PortPolicy::getServerTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const { Ssl::ContextSharedPtr ret; for_first_range([&](const PortNetworkPolicyRules& rules) -> bool { - ret = rules.getServerTlsContext(remote_id, sni, config, raw_socket_allowed); + ret = rules.getServerTlsContext(proxy_id, remote_id, sni, config, raw_socket_allowed); return ret != nullptr; }); return ret; } 
-Ssl::ContextSharedPtr PortPolicy::getClientTlsContext(uint32_t remote_id, absl::string_view sni, +Ssl::ContextSharedPtr PortPolicy::getClientTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const { Ssl::ContextSharedPtr ret; for_first_range([&](const PortNetworkPolicyRules& rules) -> bool { - ret = rules.getClientTlsContext(remote_id, sni, config, raw_socket_allowed); + ret = rules.getClientTlsContext(proxy_id, remote_id, sni, config, raw_socket_allowed); return ret != nullptr; }); return ret; 
@@ -1087,27 +1103,27 @@ class PolicyInstanceImpl : public PolicyInstance { ingress_(parent, policy_proto_.ingress_per_port_policies()), egress_(parent, policy_proto_.egress_per_port_policies()) {} - bool allowed(bool ingress, uint32_t remote_id, uint16_t port, + bool allowed(bool ingress, uint32_t proxy_id, uint32_t remote_id, uint16_t port, Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry) const override { const auto port_policy = findPortPolicy(ingress, port); - return port_policy.allowed(remote_id, headers, log_entry); + return port_policy.allowed(proxy_id, remote_id, headers, log_entry); } - bool allowed(bool ingress, uint32_t remote_id, absl::string_view sni, + bool allowed(bool ingress, uint32_t proxy_id, uint32_t remote_id, absl::string_view sni, uint16_t port) const override { const auto port_policy = findPortPolicy(ingress, port); - return port_policy.allowed(remote_id, sni); + return port_policy.allowed(proxy_id, remote_id, sni); } const PortPolicy findPortPolicy(bool ingress, uint16_t port) const override { return ingress ? ingress_.findPortPolicy(port) : egress_.findPortPolicy(port); } - bool useProxylib(bool ingress, uint32_t remote_id, uint16_t port, + bool useProxylib(bool ingress, uint32_t proxy_id, uint32_t remote_id, uint16_t port, std::string& l7_proto) const override { const auto port_policy = findPortPolicy(ingress, port); - return port_policy.useProxylib(remote_id, l7_proto); + return port_policy.useProxylib(proxy_id, remote_id, l7_proto); } const std::string& conntrackName() const override { return conntrack_map_name_; } 
@@ -1401,12 +1417,12 @@ class AllowAllEgressPolicyInstanceImpl : public PolicyInstance { list.emplace_front(PortNetworkPolicyRules()); } - bool allowed(bool ingress, uint32_t, uint16_t, Envoy::Http::RequestHeaderMap&, + bool allowed(bool ingress, uint32_t, uint32_t, uint16_t, Envoy::Http::RequestHeaderMap&, Cilium::AccessLog::Entry&) const override { return ingress ? false : true; } - bool allowed(bool ingress, uint32_t, absl::string_view, uint16_t) const override { + bool allowed(bool ingress, uint32_t, uint32_t, absl::string_view, uint16_t) const override { return ingress ? false : true; } @@ -1415,7 +1431,9 @@ class AllowAllEgressPolicyInstanceImpl : public PolicyInstance { : PortPolicy(empty_map_, empty_rules_, 1); } - bool useProxylib(bool, uint32_t, uint16_t, std::string&) const override { return false; } + bool useProxylib(bool, uint32_t, uint32_t, uint16_t, std::string&) const override { + return false; + } const std::string& conntrackName() const override { return empty_string; } @@ -1446,18 +1464,22 @@ class DenyAllPolicyInstanceImpl : public PolicyInstance { public: DenyAllPolicyInstanceImpl() {} - bool allowed(bool, uint32_t, uint16_t, Envoy::Http::RequestHeaderMap&, + bool allowed(bool, uint32_t, uint32_t, uint16_t, Envoy::Http::RequestHeaderMap&, Cilium::AccessLog::Entry&) const override { return false; } - bool allowed(bool, uint32_t, absl::string_view, uint16_t) const override { return false; } + bool allowed(bool, uint32_t, uint32_t, absl::string_view, uint16_t) const override { + return false; + } const PortPolicy findPortPolicy(bool, uint16_t) const override { return PortPolicy(empty_map_, empty_rules, 0); } - bool useProxylib(bool, uint32_t, uint16_t, std::string&) const override { return false; } + bool useProxylib(bool, uint32_t, uint32_t, uint16_t, std::string&) const override { + return false; + } const std::string& conntrackName() const override { return empty_string; } 
diff --git a/cilium/network_policy.h b/cilium/network_policy.h index 507956860..391b03c93 100644 --- a/cilium/network_policy.h +++ b/cilium/network_policy.h 
@@ -89,26 +89,29 @@ class PortPolicy : public Logger::Loggable { public: // useProxylib returns true if a proxylib parser should be used. // 'l7_proto' is set to the parser name in that case. - bool useProxylib(uint32_t remote_id, std::string& l7_proto) const; + bool useProxylib(uint32_t proxy_id, uint32_t remote_id, std::string& l7_proto) const; // HTTP-layer policy check. 'headers' and 'log_entry' may be manipulated by the policy. - bool allowed(uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, + bool allowed(uint32_t proxy_id, uint32_t remote_id, Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry) const; // Network-layer policy check - bool allowed(uint32_t remote_id, absl::string_view sni) const; + bool allowed(uint32_t proxy_id, uint32_t remote_id, absl::string_view sni) const; // Envoy filter metadata policy check - bool allowed(uint32_t remote_id, const envoy::config::core::v3::Metadata& metadata) const; + bool allowed(uint32_t proxy_id, uint32_t remote_id, + const envoy::config::core::v3::Metadata& metadata) const; // getServerTlsContext returns the server TLS context, if any. If a non-null pointer is returned, // then also the config pointer '*config' is set. // If '*config' is nullptr and 'raw_socket_allowed' is 'true' on return then the policy // allows the connection without TLS and a raw socket should be used. - Ssl::ContextSharedPtr getServerTlsContext(uint32_t remote_id, absl::string_view sni, + Ssl::ContextSharedPtr getServerTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const; // getClientTlsContext returns the client TLS context, if any. If a non-null pointer is returned, // then also the config pointer '*config' is set. // If '*config' is nullptr and 'raw_socket_allowed' is 'true' on return then the policy // allows the connection without TLS and a raw socket should be used. 
- Ssl::ContextSharedPtr getClientTlsContext(uint32_t remote_id, absl::string_view sni, + Ssl::ContextSharedPtr getClientTlsContext(uint32_t proxy_id, uint32_t remote_id, + absl::string_view sni, const Ssl::ContextConfig** config, bool& raw_socket_allowed) const; @@ -142,18 +145,18 @@ class PolicyInstance { } }; - virtual bool allowed(bool ingress, uint32_t remote_id, uint16_t port, + virtual bool allowed(bool ingress, uint32_t proxy_id, uint32_t remote_id, uint16_t port, Envoy::Http::RequestHeaderMap& headers, Cilium::AccessLog::Entry& log_entry) const PURE; - virtual bool allowed(bool ingress, uint32_t remote_id, absl::string_view sni, + virtual bool allowed(bool ingress, uint32_t proxy_id, uint32_t remote_id, absl::string_view sni, uint16_t port) const PURE; virtual const PortPolicy findPortPolicy(bool ingress, uint16_t port) const PURE; // Returns true if the policy specifies l7 protocol for the connection, and // returns the l7 protocol string in 'l7_proto' - virtual bool useProxylib(bool ingress, uint32_t remote_id, uint16_t port, + virtual bool useProxylib(bool ingress, uint32_t proxy_id, uint32_t remote_id, uint16_t port, std::string& l7_proto) const PURE; virtual const std::string& conntrackName() const PURE; diff --git a/cilium/tls_wrapper.cc b/cilium/tls_wrapper.cc index 786fa3398..269e7b13d 100644 --- a/cilium/tls_wrapper.cc +++ b/cilium/tls_wrapper.cc 
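Review bot: The header comments on `useProxylib` and the `allowed` overloads in the `@@ -89` hunk (and on the `PolicyInstance` virtuals in the `@@ -142` hunk) document `l7_proto`, `headers` and `log_entry` but say nothing about the new leading `proxy_id` parameter, so a caller has to read network_policy.cc to learn what passing 0 means. I'd add once above the first overload: `// 'proxy_id' is the id of the listener evaluating the policy; a rule with a non-zero proxy_id only matches that listener, rules with proxy_id 0 match any listener.` and refer to it from the other signatures. The `PortPolicy` and `PolicyInstance` class declarations both continue outside their hunks.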
@@ -91,20 +91,20 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggableconnection(); ENVOY_CONN_LOG(trace, "retrieving policy filter state", conn); - auto policy_socket_option = + auto policy_fs = conn.streamInfo().filterState()->getDataReadOnly( Cilium::CiliumPolicyFilterState::key()); - if (policy_socket_option) { - const auto& policy = policy_socket_option->getPolicy(); + if (policy_fs) { + const auto& policy = policy_fs->getPolicy(); // Resolve the destination security ID and port uint32_t destination_identity = 0; - uint32_t destination_port = policy_socket_option->port_; + uint32_t destination_port = policy_fs->port_; const Network::Address::Ip* dip = nullptr; bool is_client = state_ == Extensions::TransportSockets::Tls::InitialState::Client; - if (!policy_socket_option->ingress_) { + if (!policy_fs->ingress_) { Network::Address::InstanceConstSharedPtr dst_address = is_client ? callbacks_->connection().connectionInfoProvider().remoteAddress() : callbacks_->connection().connectionInfoProvider().localAddress(); @@ -112,7 +112,7 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggableip(); if (dip) { destination_port = dip->port(); - destination_identity = policy_socket_option->resolvePolicyId(dip); + destination_identity = policy_fs->resolvePolicyId(dip); } else { ENVOY_CONN_LOG(warn, "cilium.tls_wrapper: Non-IP destination address: {}", conn, dst_address->asString()); 
@@ -123,16 +123,18 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggablesni_; + const auto& sni = policy_fs->sni_; - auto remote_id = policy_socket_option->ingress_ ? policy_socket_option->source_identity_ - : destination_identity; - auto port_policy = policy.findPortPolicy(policy_socket_option->ingress_, destination_port); + auto remote_id = policy_fs->ingress_ ? policy_fs->source_identity_ : destination_identity; + auto port_policy = policy.findPortPolicy(policy_fs->ingress_, destination_port); const Envoy::Ssl::ContextConfig* config = nullptr; bool raw_socket_allowed = false; + auto proxy_id = policy_fs->proxy_id_; Envoy::Ssl::ContextSharedPtr ctx = - is_client ? port_policy.getClientTlsContext(remote_id, sni, &config, raw_socket_allowed) - : port_policy.getServerTlsContext(remote_id, sni, &config, raw_socket_allowed); + is_client ? port_policy.getClientTlsContext(proxy_id, remote_id, sni, &config, + raw_socket_allowed) + : port_policy.getServerTlsContext(proxy_id, remote_id, sni, &config, + raw_socket_allowed); if (ctx) { // create the underlying SslSocket auto status_or_socket = Extensions::TransportSockets::Tls::SslSocket::create( @@ -157,7 +159,7 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggable"); - if (policy_socket_option->ingress_) { + if (policy_fs->ingress_) { Network::Address::InstanceConstSharedPtr src_address = is_client ? callbacks_->connection().connectionInfoProvider().localAddress() : callbacks_->connection().connectionInfoProvider().remoteAddress(); @@ -176,9 +178,9 @@ class SslSocketWrapper : public Network::TransportSocket, Logger::Loggablepod_ip_, - policy_socket_option->ingress_ ? "source" : "destination", ipStr, remote_id, - destination_port, sni); + conn, is_client ? "client" : "server", policy_fs->pod_ip_, + policy_fs->ingress_ ? "source" : "destination", ipStr, remote_id, destination_port, + sni); } } else { ENVOY_CONN_LOG(warn, 
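Review bot: The `ENVOY_CONN_LOG` call in the `@@ -176` hunk is rewritten to use `policy_fs` but still does not print the proxy id, whereas the corresponding DENY/DROP logs in filter_state_cilium_policy.cc were updated in this commit to include it; when the TLS context lookup comes back empty because a rule was restricted to another listener, this log gives no way to see which listener was evaluating. `proxy_id` is already in scope from the `@@ -123` hunk (`auto proxy_id = policy_fs->proxy_id_;`), so adding it to the argument list and the format string (which begins outside the hunk) is a one-line change. The `policy_socket_option` to `policy_fs` rename across this file is unrelated to the feature and would be easier to review as its own commit.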
diff --git a/go/cilium/api/npds.pb.go b/go/cilium/api/npds.pb.go index ff9ea17cd..19e02f54e 100644 --- a/go/cilium/api/npds.pb.go +++ b/go/cilium/api/npds.pb.go @@ -444,6 +444,11 @@ type PortNetworkPolicyRule struct { // Traffic on this port is denied for all `remote_policies` if true Deny bool `protobuf:"varint,8,opt,name=deny,proto3" json:"deny,omitempty"` + // ProxyID is non-zero if the rule was an allow rule with an explicit listener reference. + // The given value corresponds to the 'proxy_id' value in the BpfMetadata listener filter + // configuration. + // This rule should be ignored if not executing in the referred listener. + ProxyId uint32 `protobuf:"varint,9,opt,name=proxy_id,json=proxyId,proto3" json:"proxy_id,omitempty"` // Optional name for the rule, can be used in logging and error messages. Name string `protobuf:"bytes,5,opt,name=name,proto3" json:"name,omitempty"` // The set of numeric remote security IDs explicitly allowed or denied. @@ -516,6 +521,13 @@ func (x *PortNetworkPolicyRule) GetDeny() bool { return false } +func (x *PortNetworkPolicyRule) GetProxyId() uint32 { + if x != nil { + return x.ProxyId + } + return 0 +} + func (x *PortNetworkPolicyRule) GetName() string { if x != nil { return x.Name 
@@ -1230,162 +1242,164 @@ var file_cilium_api_npds_proto_rawDesc = []byte{ 0x52, 0x0c, 0x74, 0x6c, 0x73, 0x53, 0x64, 0x73, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x6c, 0x70, 0x6e, 0x50, 0x72, 0x6f, 0x74, - 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x22, 0xbf, 0x04, 0x0a, 0x15, 0x50, 0x6f, 0x72, 0x74, 0x4e, 0x65, + 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x22, 0xda, 0x04, 0x0a, 0x15, 0x50, 0x6f, 0x72, 0x74, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x65, 0x6e, 0x79, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x64, - 0x65, 0x6e, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a, 0x1d, 0x64, 0x65, 0x70, 0x72, 0x65, - 0x63, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x69, 0x65, 0x73, 0x5f, 0x36, 0x34, 0x18, 0x01, 0x20, 0x03, 0x28, 0x04, 0x52, 0x1a, - 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x36, 0x34, 0x12, 0x27, 0x0a, 0x0f, 0x72, 0x65, - 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x18, 0x07, 0x20, - 0x03, 0x28, 0x0d, 0x52, 0x0e, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x69, 0x65, 0x73, 0x12, 0x48, 0x0a, 0x16, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, 0x65, 0x61, - 0x6d, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x54, 0x4c, 0x53, - 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x14, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, - 0x65, 0x61, 0x6d, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x65, 
0x78, 0x74, 0x12, 0x44, 0x0a, - 0x14, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, - 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x69, - 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x54, 0x4c, 0x53, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, - 0x12, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x74, - 0x65, 0x78, 0x74, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6e, 0x61, - 0x6d, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6c, 0x37, 0x5f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x37, 0x50, 0x72, 0x6f, 0x74, - 0x6f, 0x12, 0x3f, 0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, - 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, - 0x74, 0x74, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x75, 0x6c, 0x65, 0x73, 0x48, 0x00, 0x52, 0x09, 0x68, 0x74, 0x74, 0x70, 0x52, 0x75, 0x6c, - 0x65, 0x73, 0x12, 0x42, 0x0a, 0x0b, 0x6b, 0x61, 0x66, 0x6b, 0x61, 0x5f, 0x72, 0x75, 0x6c, 0x65, - 0x73, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, - 0x2e, 0x4b, 0x61, 0x66, 0x6b, 0x61, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x48, 0x00, 0x52, 0x0a, 0x6b, 0x61, 0x66, 0x6b, - 0x61, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x08, 0x6c, 0x37, 0x5f, 0x72, 0x75, 0x6c, - 0x65, 0x73, 0x18, 0x66, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, - 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x48, 0x00, 0x52, 0x07, 0x6c, 0x37, 0x52, 0x75, 0x6c, 0x65, - 0x73, 
0x42, 0x04, 0x0a, 0x02, 0x6c, 0x37, 0x22, 0x60, 0x0a, 0x16, 0x48, 0x74, 0x74, 0x70, 0x4e, + 0x65, 0x6e, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x5f, 0x69, 0x64, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x49, 0x64, 0x12, 0x12, + 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, + 0x6d, 0x65, 0x12, 0x41, 0x0a, 0x1d, 0x64, 0x65, 0x70, 0x72, 0x65, 0x63, 0x61, 0x74, 0x65, 0x64, + 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, + 0x5f, 0x36, 0x34, 0x18, 0x01, 0x20, 0x03, 0x28, 0x04, 0x52, 0x1a, 0x64, 0x65, 0x70, 0x72, 0x65, + 0x63, 0x61, 0x74, 0x65, 0x64, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x6f, 0x6c, 0x69, 0x63, + 0x69, 0x65, 0x73, 0x36, 0x34, 0x12, 0x27, 0x0a, 0x0f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0d, 0x52, 0x0e, + 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x48, + 0x0a, 0x16, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x74, 0x6c, 0x73, + 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, + 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x54, 0x4c, 0x53, 0x43, 0x6f, 0x6e, 0x74, 0x65, + 0x78, 0x74, 0x52, 0x14, 0x64, 0x6f, 0x77, 0x6e, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x54, 0x6c, + 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x44, 0x0a, 0x14, 0x75, 0x70, 0x73, 0x74, + 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, + 0x54, 0x4c, 0x53, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x12, 0x75, 0x70, 0x73, 0x74, + 0x72, 0x65, 0x61, 0x6d, 0x54, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x21, + 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 
0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x06, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, + 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6c, 0x37, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x3f, 0x0a, 0x0a, + 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1e, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x4e, 0x65, + 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, + 0x48, 0x00, 0x52, 0x09, 0x68, 0x74, 0x74, 0x70, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x42, 0x0a, + 0x0b, 0x6b, 0x61, 0x66, 0x6b, 0x61, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x65, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4b, 0x61, 0x66, 0x6b, + 0x61, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, + 0x6c, 0x65, 0x73, 0x48, 0x00, 0x52, 0x0a, 0x6b, 0x61, 0x66, 0x6b, 0x61, 0x52, 0x75, 0x6c, 0x65, + 0x73, 0x12, 0x39, 0x0a, 0x08, 0x6c, 0x37, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x66, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, - 0x73, 0x12, 0x46, 0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, - 0x74, 0x74, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x75, 0x6c, 0x65, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x09, - 0x68, 0x74, 0x74, 0x70, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0xd2, 0x03, 0x0a, 0x0b, 0x48, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 
0x61, 0x6d, - 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, - 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x42, 0x0a, 0x0c, - 0x6d, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x12, 0x4b, 0x0a, 0x0f, 0x6d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x61, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x63, 0x69, 0x6c, 0x69, - 0x75, 0x6d, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x4d, - 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x6d, - 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x28, 0x0a, - 0x10, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x73, 0x64, 0x73, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, - 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x64, - 0x73, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x22, 0x4c, 0x0a, 0x0b, 0x4d, 0x61, 0x74, 0x63, 0x68, - 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x4f, 0x4e, 0x54, 0x49, 0x4e, - 0x55, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x00, 0x12, 0x11, 0x0a, - 0x0d, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x01, - 0x12, 0x13, 0x0a, 0x0f, 0x44, 0x45, 0x4c, 0x45, 0x54, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x41, - 0x54, 0x43, 0x48, 0x10, 0x02, 0x22, 0x86, 0x01, 0x0a, 0x0e, 0x4d, 0x69, 0x73, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x41, 0x63, 
0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x10, 0x46, 0x41, 0x49, 0x4c, - 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x00, 0x12, 0x18, - 0x0a, 0x14, 0x43, 0x4f, 0x4e, 0x54, 0x49, 0x4e, 0x55, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, - 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x41, 0x44, 0x44, 0x5f, - 0x4f, 0x4e, 0x5f, 0x4d, 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x02, 0x12, 0x16, 0x0a, - 0x12, 0x44, 0x45, 0x4c, 0x45, 0x54, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, 0x53, 0x4d, 0x41, - 0x54, 0x43, 0x48, 0x10, 0x03, 0x12, 0x17, 0x0a, 0x13, 0x52, 0x45, 0x50, 0x4c, 0x41, 0x43, 0x45, - 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x04, 0x22, 0x93, - 0x01, 0x0a, 0x15, 0x48, 0x74, 0x74, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x3e, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x65, 0x6e, 0x76, 0x6f, - 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x2e, 0x76, - 0x33, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x52, - 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x3a, 0x0a, 0x0e, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x13, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, - 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x0d, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, - 0x63, 0x68, 0x65, 0x73, 0x22, 0x64, 0x0a, 0x17, 0x4b, 0x61, 0x66, 0x6b, 0x61, 0x4e, 0x65, 0x74, - 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, - 0x49, 0x0a, 0x0b, 0x6b, 0x61, 0x66, 0x6b, 0x61, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x63, 0x69, 0x6c, 
0x69, 0x75, 0x6d, 0x2e, 0x4b, 0x61, - 0x66, 0x6b, 0x61, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x52, 0x75, 0x6c, 0x65, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0a, - 0x6b, 0x61, 0x66, 0x6b, 0x61, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0xbe, 0x01, 0x0a, 0x16, 0x4b, - 0x61, 0x66, 0x6b, 0x61, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x70, 0x69, 0x5f, 0x76, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x61, 0x70, 0x69, 0x56, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x70, 0x69, 0x5f, 0x6b, 0x65, - 0x79, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x05, 0x52, 0x07, 0x61, 0x70, 0x69, 0x4b, 0x65, 0x79, - 0x73, 0x12, 0x35, 0x0a, 0x09, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x09, 0x42, 0x18, 0xfa, 0x42, 0x15, 0x72, 0x13, 0x32, 0x11, 0x5e, 0x5b, 0x61, - 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x2e, 0x5f, 0x2d, 0x5d, 0x2a, 0x24, 0x52, 0x08, - 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x31, 0x0a, 0x05, 0x74, 0x6f, 0x70, 0x69, - 0x63, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x1b, 0xfa, 0x42, 0x18, 0x72, 0x16, 0x18, 0xff, - 0x01, 0x32, 0x11, 0x5e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x2e, 0x5f, - 0x2d, 0x5d, 0x2a, 0x24, 0x52, 0x05, 0x74, 0x6f, 0x70, 0x69, 0x63, 0x22, 0x9a, 0x01, 0x0a, 0x14, - 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, - 0x75, 0x6c, 0x65, 0x73, 0x12, 0x41, 0x0a, 0x0e, 0x6c, 0x37, 0x5f, 0x61, 0x6c, 0x6c, 0x6f, 0x77, - 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x63, - 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0c, 0x6c, 0x37, 0x41, 0x6c, 0x6c, - 
0x6f, 0x77, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x3f, 0x0a, 0x0d, 0x6c, 0x37, 0x5f, 0x64, 0x65, - 0x6e, 0x79, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, - 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, - 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0b, 0x6c, 0x37, 0x44, - 0x65, 0x6e, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0xea, 0x01, 0x0a, 0x13, 0x4c, 0x37, 0x4e, + 0x73, 0x48, 0x00, 0x52, 0x07, 0x6c, 0x37, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x42, 0x04, 0x0a, 0x02, + 0x6c, 0x37, 0x22, 0x60, 0x0a, 0x16, 0x48, 0x74, 0x74, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, + 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x46, 0x0a, 0x0a, + 0x68, 0x74, 0x74, 0x70, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x1d, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x4e, 0x65, + 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x42, + 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x09, 0x68, 0x74, 0x74, 0x70, 0x52, + 0x75, 0x6c, 0x65, 0x73, 0x22, 0xd2, 0x03, 0x0a, 0x0b, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, + 0x61, 0x74, 0x63, 0x68, 0x12, 0x1b, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x07, 0xfa, 0x42, 0x04, 0x72, 0x02, 0x10, 0x01, 0x52, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x42, 0x0a, 0x0c, 0x6d, 0x61, 0x74, 0x63, 0x68, + 0x5f, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, + 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, + 0x63, 0x68, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0b, + 0x6d, 0x61, 0x74, 0x63, 0x68, 0x41, 
0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4b, 0x0a, 0x0f, 0x6d, + 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x4d, 0x69, 0x73, 0x6d, 0x61, 0x74, + 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x6d, 0x69, 0x73, 0x6d, 0x61, 0x74, + 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x28, 0x0a, 0x10, 0x76, 0x61, 0x6c, 0x75, + 0x65, 0x5f, 0x73, 0x64, 0x73, 0x5f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x64, 0x73, 0x53, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x22, 0x4c, 0x0a, 0x0b, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x4f, 0x4e, 0x54, 0x49, 0x4e, 0x55, 0x45, 0x5f, 0x4f, 0x4e, + 0x5f, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x00, 0x12, 0x11, 0x0a, 0x0d, 0x46, 0x41, 0x49, 0x4c, + 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x44, + 0x45, 0x4c, 0x45, 0x54, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x02, + 0x22, 0x86, 0x01, 0x0a, 0x0e, 0x4d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x41, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x10, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, + 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x43, 0x4f, 0x4e, + 0x54, 0x49, 0x4e, 0x55, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, + 0x48, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x41, 0x44, 0x44, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, + 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x02, 0x12, 0x16, 0x0a, 0x12, 0x44, 0x45, 0x4c, 0x45, + 0x54, 0x45, 0x5f, 0x4f, 0x4e, 0x5f, 0x4d, 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x03, + 0x12, 0x17, 0x0a, 0x13, 0x52, 0x45, 0x50, 0x4c, 0x41, 0x43, 0x45, 0x5f, 
0x4f, 0x4e, 0x5f, 0x4d, + 0x49, 0x53, 0x4d, 0x41, 0x54, 0x43, 0x48, 0x10, 0x04, 0x22, 0x93, 0x01, 0x0a, 0x15, 0x48, 0x74, + 0x74, 0x70, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, + 0x75, 0x6c, 0x65, 0x12, 0x3e, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, + 0x66, 0x69, 0x67, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x48, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x73, 0x12, 0x3a, 0x0a, 0x0e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x6d, 0x61, + 0x74, 0x63, 0x68, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x69, + 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, + 0x52, 0x0d, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x22, + 0x64, 0x0a, 0x17, 0x4b, 0x61, 0x66, 0x6b, 0x61, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, + 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, 0x49, 0x0a, 0x0b, 0x6b, 0x61, + 0x66, 0x6b, 0x61, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x1e, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4b, 0x61, 0x66, 0x6b, 0x61, 0x4e, 0x65, + 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x42, + 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0a, 0x6b, 0x61, 0x66, 0x6b, 0x61, + 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0xbe, 0x01, 0x0a, 0x16, 0x4b, 0x61, 0x66, 0x6b, 0x61, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, - 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x39, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x03, - 0x28, 0x0b, 
0x32, 0x25, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, - 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x2e, - 0x52, 0x75, 0x6c, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, - 0x4b, 0x0a, 0x0d, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x72, 0x75, 0x6c, 0x65, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x74, - 0x79, 0x70, 0x65, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x4d, - 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x52, 0x0c, - 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x75, 0x6c, 0x65, 0x1a, 0x37, 0x0a, 0x09, - 0x52, 0x75, 0x6c, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x5c, 0x0a, 0x19, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x75, - 0x6d, 0x70, 0x12, 0x3f, 0x0a, 0x0f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x70, 0x6f, 0x6c, - 0x69, 0x63, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x63, 0x69, - 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x52, 0x0f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x69, 0x65, 0x73, 0x32, 0xda, 0x02, 0x0a, 0x1d, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, - 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x7a, 0x0a, 0x15, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4e, - 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 
0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x2c, - 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, - 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, - 0x6f, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x65, - 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, - 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, - 0x65, 0x72, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, - 0x01, 0x12, 0x9e, 0x01, 0x0a, 0x14, 0x46, 0x65, 0x74, 0x63, 0x68, 0x4e, 0x65, 0x74, 0x77, 0x6f, - 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x2e, 0x65, 0x6e, 0x76, - 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, - 0x76, 0x65, 0x72, 0x79, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, - 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, - 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, - 0x72, 0x79, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x23, 0x22, - 0x1e, 0x2f, 0x76, 0x33, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x3a, 0x6e, - 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x3a, - 0x01, 0x2a, 0x1a, 0x1c, 0x8a, 0xa4, 0x96, 0xf3, 0x07, 0x16, 0x0a, 0x14, 0x63, 0x69, 0x6c, 0x69, - 0x75, 0x6d, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x42, 0x2e, 0x5a, 0x2c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, - 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 
0x2f, 0x63, - 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2f, 0x61, 0x70, 0x69, 0x3b, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x70, 0x69, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x61, 0x70, 0x69, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x70, 0x69, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x02, 0x20, + 0x03, 0x28, 0x05, 0x52, 0x07, 0x61, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x35, 0x0a, 0x09, + 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x18, 0xfa, 0x42, 0x15, 0x72, 0x13, 0x32, 0x11, 0x5e, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, + 0x30, 0x2d, 0x39, 0x2e, 0x5f, 0x2d, 0x5d, 0x2a, 0x24, 0x52, 0x08, 0x63, 0x6c, 0x69, 0x65, 0x6e, + 0x74, 0x49, 0x64, 0x12, 0x31, 0x0a, 0x05, 0x74, 0x6f, 0x70, 0x69, 0x63, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x1b, 0xfa, 0x42, 0x18, 0x72, 0x16, 0x18, 0xff, 0x01, 0x32, 0x11, 0x5e, 0x5b, + 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x2e, 0x5f, 0x2d, 0x5d, 0x2a, 0x24, 0x52, + 0x05, 0x74, 0x6f, 0x70, 0x69, 0x63, 0x22, 0x9a, 0x01, 0x0a, 0x14, 0x4c, 0x37, 0x4e, 0x65, 0x74, + 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x12, + 0x41, 0x0a, 0x0e, 0x6c, 0x37, 0x5f, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x75, 0x6c, 0x65, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, + 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0c, 0x6c, 0x37, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x75, 0x6c, + 0x65, 0x73, 0x12, 0x3f, 0x0a, 0x0d, 0x6c, 0x37, 0x5f, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x72, 0x75, + 0x6c, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x63, 0x69, 0x6c, 0x69, + 0x75, 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 
0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0b, 0x6c, 0x37, 0x44, 0x65, 0x6e, 0x79, 0x52, 0x75, + 0x6c, 0x65, 0x73, 0x22, 0xea, 0x01, 0x0a, 0x13, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, + 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, + 0x39, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, + 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4c, 0x37, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x4b, 0x0a, 0x0d, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x26, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x6d, + 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x52, 0x0c, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x52, 0x75, 0x6c, 0x65, 0x1a, 0x37, 0x0a, 0x09, 0x52, 0x75, 0x6c, 0x65, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x22, 0x5c, 0x0a, 0x19, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, + 0x69, 0x65, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x44, 0x75, 0x6d, 0x70, 0x12, 0x3f, 0x0a, + 0x0f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, + 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, + 0x4e, 0x65, 
0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f, 0x6e, + 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x32, 0xda, + 0x02, 0x0a, 0x1d, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x12, 0x7a, 0x0a, 0x15, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, + 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x2e, 0x65, 0x6e, 0x76, 0x6f, + 0x79, 0x2e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, + 0x65, 0x72, 0x79, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, + 0x79, 0x2e, 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x12, 0x9e, 0x01, 0x0a, + 0x14, 0x46, 0x65, 0x74, 0x63, 0x68, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, + 0x76, 0x33, 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x73, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x2e, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x2e, 0x76, 0x33, + 0x2e, 0x44, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x22, 0x29, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x23, 0x22, 0x1e, 0x2f, 0x76, 0x33, 0x2f, + 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 
0x79, 0x3a, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, + 0x6b, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x3a, 0x01, 0x2a, 0x1a, 0x1c, 0x8a, + 0xa4, 0x96, 0xf3, 0x07, 0x16, 0x0a, 0x14, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x2e, 0x4e, 0x65, + 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x2e, 0x5a, 0x2c, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, + 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2f, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, + 0x2f, 0x61, 0x70, 0x69, 0x3b, 0x63, 0x69, 0x6c, 0x69, 0x75, 0x6d, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( diff --git a/go/cilium/api/npds.pb.validate.go b/go/cilium/api/npds.pb.validate.go index 70118cedc..4434e6111 100644 --- a/go/cilium/api/npds.pb.validate.go +++ b/go/cilium/api/npds.pb.validate.go @@ -531,6 +531,8 @@ func (m *PortNetworkPolicyRule) validate(all bool) error { // no validation rules for Deny + // no validation rules for ProxyId + // no validation rules for Name if all { diff --git a/tests/bpf_metadata.cc b/tests/bpf_metadata.cc index b315a96ec..3095903bb 100644 --- a/tests/bpf_metadata.cc +++ b/tests/bpf_metadata.cc @@ -187,8 +187,8 @@ TestConfig::extractSocketMetadata(Network::ConnectionSocket& socket) { // Set metadata for policy based listener filter chain matching // Note: tls_inspector may overwrite this value, if it executes after us! std::string l7proto; - policy.useProxylib(is_ingress_, port, is_ingress_ ? source_identity : destination_identity, - l7proto); + policy.useProxylib(is_ingress_, proxy_id_, is_ingress_ ? source_identity : destination_identity, + port, l7proto); return absl::optional(Cilium::BpfMetadata::SocketMetadata( 0, 0, source_identity, is_ingress_, is_l7lb_, port, std::move(pod_ip), "", nullptr, nullptr, diff --git a/tests/cilium_network_policy_test.cc b/tests/cilium_network_policy_test.cc index d8e76e3b9..25df5aac7 100644 --- a/tests/cilium_network_policy_test.cc 
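Review bot: The replaced call in tests/bpf_metadata.cc passed `port` before the remote identity, whereas the production caller in cilium/bpf_metadata.cc passes the identity first; the new line `policy.useProxylib(is_ingress_, proxy_id_, is_ingress_ ? source_identity : destination_identity, port, l7proto);` appears to correct that order silently. Because both arguments are plain integers the swap compiled, so a one-line comment or a sentence in the commit message noting the argument-order fix would keep it from reading as an incidental reorder and would flag that this parameter list has no type protection against a repeat. The enclosing TestConfig::extractSocketMetadata starts before the hunk and its return statement continues past it.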
+++ b/tests/cilium_network_policy_test.cc @@ -104,7 +104,7 @@ class CiliumNetworkPolicyTest : public ::testing::Test { uint16_t port, Http::TestRequestHeaderMapImpl&& headers) { const auto& policy = policy_map_->GetPolicyInstance(pod_ip, false); Cilium::AccessLog::Entry log_entry; - return policy.allowed(ingress, remote_id, port, headers, log_entry) + return policy.allowed(ingress, proxy_id_, remote_id, port, headers, log_entry) ? testing::AssertionSuccess() : testing::AssertionFailure(); } @@ -131,11 +131,13 @@ class CiliumNetworkPolicyTest : public ::testing::Test { tls_socket_required = false; raw_socket_allowed = false; Envoy::Ssl::ContextSharedPtr ctx = - !ingress ? port_policy.getClientTlsContext(remote_id, sni, &config, raw_socket_allowed) - : port_policy.getServerTlsContext(remote_id, sni, &config, raw_socket_allowed); + !ingress ? port_policy.getClientTlsContext(proxy_id_, remote_id, sni, &config, + raw_socket_allowed) + : port_policy.getServerTlsContext(proxy_id_, remote_id, sni, &config, + raw_socket_allowed); // separate policy lookup for validation - bool allowed = policy.allowed(ingress, remote_id, sni, port); + bool allowed = policy.allowed(ingress, proxy_id_, remote_id, sni, port); // if connection is allowed without TLS socket then TLS context is not required if (raw_socket_allowed) { @@ -199,6 +201,7 @@ class CiliumNetworkPolicyTest : public ::testing::Test { NiceMock factory_context_; std::shared_ptr policy_map_; NiceMock store_; + uint32_t proxy_id_ = 42; }; TEST_F(CiliumNetworkPolicyTest, UpdatesRejectedStatName) { 
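Review bot: `uint32_t proxy_id_ = 42;` is a fixed fixture member handed to every helper, so `IngressAllowed`, `EgressAllowed` and the TLS-context helper cannot exercise a listener with proxy_id 0 or a second listener id within one test; only the rule side can vary. Consider documenting it, `// Listener proxy_id passed to the *Allowed() helpers; rules with a different non-zero proxy_id are expected not to match.`, and giving the helpers an optional proxy_id parameter defaulting to `proxy_id_` so listener-side cases can be added without touching existing calls. The helper functions changed in the first two hunks start outside those hunks.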
@@ -899,6 +902,166 @@ TEST_F(CiliumNetworkPolicyTest, HttpPolicyUpdate) {
 EXPECT_FALSE(EgressAllowed("10.1.2.3", 43, 8080, {{":path", "/public"}}));
 // Wrong path:
 EXPECT_FALSE(EgressAllowed("10.1.2.3", 43, 80, {{":path", "/publicz"}}));
+
+ // 4th update with matching proxy_id in policy
+ EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"
+resources:
+- "@type": type.googleapis.com/cilium.NetworkPolicy
+ endpoint_ips:
+ - "10.1.2.3"
+ endpoint_id: 42
+ ingress_per_port_policies:
+ - port: 80
+ rules:
+ - remote_policies: [ 43 ]
+ http_rules:
+ http_rules:
+ - headers:
+ - name: ':path'
+ exact_match: '/allowed'
+ - port: 80
+ end_port: 10000
+ rules:
+ - proxy_id: 42
+ egress_per_port_policies:
+ - port: 80
+ rules:
+ - remote_policies: [ 43, 44 ]
+ http_rules:
+ http_rules:
+ - headers:
+ - name: ':path'
+ safe_regex_match:
+ google_re2: {}
+ regex: '.*public$'
+)EOF"));
+ EXPECT_EQ(version, "2");
+ EXPECT_TRUE(policy_map_->exists("10.1.2.3"));
+
+ expected = R"EOF(ingress:
+ rules:
+ [80-80]:
+ - rules:
+ - remotes: [43]
+ http_rules:
+ - headers:
+ - name: ":path"
+ value: "/allowed"
+ - rules:
+ - remotes: []
+ proxy_id: 42
+ [81-10000]:
+ - rules:
+ - remotes: []
+ proxy_id: 42
+ wildcard_rules: []
+egress:
+ rules:
+ [80-80]:
+ - rules:
+ - remotes: [43,44]
+ http_rules:
+ - headers:
+ - name: ":path"
+ regex:
+ wildcard_rules: []
+)EOF";
+
+ EXPECT_TRUE(Validate("10.1.2.3", expected));
+
+ // Allowed remote ID, port, & path:
+ EXPECT_TRUE(IngressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));
+ // Matching proxy ID:
+ EXPECT_TRUE(IngressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));
+ // Matching proxy ID:
+ EXPECT_TRUE(IngressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));
+ // Matching proxy ID:
+ EXPECT_TRUE(IngressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));
+
+ // Port out of range:
+ EXPECT_FALSE(IngressAllowed("10.1.2.3", 43, 79, {{":path", "/allowed"}}));
+ // Port out of range:
+
EXPECT_FALSE(IngressAllowed("10.1.2.3", 43, 10001, {{":path", "/notallowed"}}));
+
+ // 5th update with non-matching proxy_id in policy
+ EXPECT_NO_THROW(version = updateFromYaml(R"EOF(version_info: "2"
+resources:
+- "@type": type.googleapis.com/cilium.NetworkPolicy
+ endpoint_ips:
+ - "10.1.2.3"
+ endpoint_id: 42
+ ingress_per_port_policies:
+ - port: 80
+ rules:
+ - remote_policies: [ 43 ]
+ http_rules:
+ http_rules:
+ - headers:
+ - name: ':path'
+ exact_match: '/allowed'
+ - port: 80
+ end_port: 10000
+ rules:
+ - proxy_id: 99
+ egress_per_port_policies:
+ - port: 80
+ rules:
+ - remote_policies: [ 43, 44 ]
+ http_rules:
+ http_rules:
+ - headers:
+ - name: ':path'
+ safe_regex_match:
+ google_re2: {}
+ regex: '.*public$'
+)EOF"));
+ EXPECT_EQ(version, "2");
+ EXPECT_TRUE(policy_map_->exists("10.1.2.3"));
+
+ expected = R"EOF(ingress:
+ rules:
+ [80-80]:
+ - rules:
+ - remotes: [43]
+ http_rules:
+ - headers:
+ - name: ":path"
+ value: "/allowed"
+ - rules:
+ - remotes: []
+ proxy_id: 99
+ [81-10000]:
+ - rules:
+ - remotes: []
+ proxy_id: 99
+ wildcard_rules: []
+egress:
+ rules:
+ [80-80]:
+ - rules:
+ - remotes: [43,44]
+ http_rules:
+ - headers:
+ - name: ":path"
+ regex:
+ wildcard_rules: []
+)EOF";
+
+ EXPECT_TRUE(Validate("10.1.2.3", expected));
+
+ // Allowed remote ID, port, & path:
+ EXPECT_TRUE(IngressAllowed("10.1.2.3", 43, 80, {{":path", "/allowed"}}));
+ // Non-matching proxy ID:
+ EXPECT_FALSE(IngressAllowed("10.1.2.3", 40, 80, {{":path", "/allowed"}}));
+ // Non-matching proxy ID:
+ EXPECT_FALSE(IngressAllowed("10.1.2.3", 43, 8080, {{":path", "/allowed"}}));
+ // Non-matching proxy ID:
+ EXPECT_FALSE(IngressAllowed("10.1.2.3", 43, 80, {{":path", "/notallowed"}}));
+
+ // Port out of range:
+ EXPECT_FALSE(IngressAllowed("10.1.2.3", 43, 79, {{":path", "/allowed"}}));
+ // Port out of range:
+ EXPECT_FALSE(IngressAllowed("10.1.2.3", 43, 10001, {{":path", "/notallowed"}}));
 }
 TEST_F(CiliumNetworkPolicyTest, HttpOverlappingPortRanges) {
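Review bot: The 4th and 5th updates both send `version_info: "2"`, so the `EXPECT_EQ(version, "2");` after the 5th update would pass even if that update had been dropped and the proxy_id 42 policy were still in force; only the later `Validate("10.1.2.3", expected)` with `proxy_id: 99` actually proves the swap happened. Bumping the 5th update to `version_info: "3"` and asserting `EXPECT_EQ(version, "3");` makes the version check meaningful again. Coverage is also one-sided: proxy_id is only placed on ingress rules, and neither an egress rule with proxy_id nor a rule that combines `deny` with a non-zero proxy_id is exercised, so whether a deny rule is skipped for a non-matching listener — the case that would weaken a deny — is left unpinned by these tests; the proto comment in this commit only describes proxy_id on allow rules, so that behavior is inferred rather than visible here. The comments `// Matching proxy ID:` repeated three times would read better if each named what differs (remote not in `remote_policies`, port 8080 outside the HTTP rule, path not in the HTTP rule).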
