add policy default and profile default

Author: hedibouattour

calico-vpp-agent/felix/felix_server.go

@@ -82,6 +82,7 @@ type Server struct {
 	/* workloadToHost may drop traffic that goes from the pods to the host */
 	workloadsToHostPolicy  *Policy
 	defaultTap0IngressConf []uint32
+	defaultTap0EgressConf  []uint32
 	/* always allow traffic coming from host to the pods (for healthchecks and so on) */
 	// AllowFromHostPolicy persists the policy allowing host --> pod communications.
 	// See CreateAllowFromHostPolicy definition
@@ -959,6 +960,22 @@ func (s *Server) handleHostEndpointUpdate(msg *proto.HostEndpointUpdate, pending
 			// we are not supposed to fallback to expectedIPs if interfaceName doesn't match
 			// this is the current behavior in calico linux
 			s.log.Errorf("cannot find host endpoint: interface named %s does not exist", hep.InterfaceName)
+			// *************************** this is temporary, for dev
+			if hep.expectedIPs != nil {
+				for _, existingIf := range s.interfacesMap {
+				interfaceFound1:
+					for _, address := range existingIf.addresses {
+						for _, expectedIP := range hep.expectedIPs {
+							if address == expectedIP {
+								hep.UplinkSwIfIndexes = append(hep.UplinkSwIfIndexes, existingIf.uplinkIndex)
+								hep.TapSwIfIndexes = append(hep.TapSwIfIndexes, existingIf.tapIndex)
+								break interfaceFound1
+							}
+						}
+					}
+				}
+			}
+			// ***************************
 		}
 	} else if hep.InterfaceName == "" && hep.expectedIPs != nil {
 		for _, existingIf := range s.interfacesMap {
@@ -1713,13 +1730,22 @@ func (s *Server) createEndpointToHostPolicy( /*may be return*/ ) (err error) {
 				},
 			},
 		},
+		OutboundRules: []*Rule{
+			{
+				VppID: types.InvalidID,
+				Rule: &types.Rule{
+					Action: types.ActionAllow,
+				},
+			},
+		},
 	}
 	err = allowAllPol.Create(s.vpp, &ps)
 	if err != nil {
 		return err
 	}
 	conf := types.NewInterfaceConfig()
 	conf.IngressPolicyIDs = append(conf.IngressPolicyIDs, s.workloadsToHostPolicy.VppID, allowAllPol.VppID)
+	conf.EgressPolicyIDs = append(conf.EgressPolicyIDs, allowAllPol.VppID)
 	swifindexes, err := s.vpp.SearchInterfacesWithTagPrefix("host-") // tap0 interfaces
 	if err != nil {
 		s.log.Error(err)
@@ -1731,6 +1757,7 @@ func (s *Server) createEndpointToHostPolicy( /*may be return*/ ) (err error) {
 		}
 	}
 	s.defaultTap0IngressConf = conf.IngressPolicyIDs
+	s.defaultTap0EgressConf = conf.EgressPolicyIDs
 	return nil
 }
 

calico-vpp-agent/felix/host_endpoint.go

@@ -22,6 +22,7 @@ import (
 	"github.com/projectcalico/calico/felix/proto"
 
 	"github.com/projectcalico/vpp-dataplane/v3/vpplink"
+	"github.com/projectcalico/vpp-dataplane/v3/vpplink/generated/bindings/capo"
 	"github.com/projectcalico/vpp-dataplane/v3/vpplink/types"
 )
 
@@ -180,10 +181,14 @@ func (h *HostEndpoint) getTapPolicies(state *PolicyState) (conf *types.Interface
 		// If a host endpoint is created and network policy is not in place,
 		// the Calico default is to deny traffic to/from that endpoint
 		// (except for traffic allowed by failsafe rules).
+		// note: this applies to ingress and egress separately, so if you don't have
+		// ingress only you drop ingress
 		conf.IngressPolicyIDs = []uint32{h.server.workloadsToHostPolicy.VppID, h.server.failSafePolicy.VppID, h.server.denyAllPolicy.VppID}
 	} else {
 		if len(conf.IngressPolicyIDs) > 0 {
-			conf.UserDefinedTx = 1
+			conf.PolicyDefaultTx = capo.CAPO_DEFAULT_DENY
+		} else if len(conf.ProfileIDs) > 0 {
+			conf.PolicyDefaultTx = capo.CAPO_DEFAULT_PASS
 		}
 		conf.IngressPolicyIDs = append([]uint32{h.server.failSafePolicy.VppID}, conf.IngressPolicyIDs...)
 		conf.IngressPolicyIDs = append([]uint32{h.server.workloadsToHostPolicy.VppID}, conf.IngressPolicyIDs...)
@@ -192,7 +197,9 @@ func (h *HostEndpoint) getTapPolicies(state *PolicyState) (conf *types.Interface
 		conf.EgressPolicyIDs = []uint32{h.server.AllowFromHostPolicy.VppID, h.server.failSafePolicy.VppID, h.server.denyAllPolicy.VppID}
 	} else {
 		if len(conf.EgressPolicyIDs) > 0 {
-			conf.UserDefinedRx = 1
+			conf.PolicyDefaultRx = capo.CAPO_DEFAULT_DENY
+		} else if len(conf.ProfileIDs) > 0 {
+			conf.PolicyDefaultRx = capo.CAPO_DEFAULT_PASS
 		}
 		conf.EgressPolicyIDs = append([]uint32{h.server.failSafePolicy.VppID}, conf.EgressPolicyIDs...)
 		conf.EgressPolicyIDs = append([]uint32{h.server.AllowFromHostPolicy.VppID}, conf.EgressPolicyIDs...)
@@ -207,11 +214,15 @@ func (h *HostEndpoint) getForwardPolicies(state *PolicyState) (conf *types.Inter
 	}
 	if len(conf.EgressPolicyIDs) > 0 {
 		conf.EgressPolicyIDs = append([]uint32{h.server.allowToHostPolicy.VppID}, conf.EgressPolicyIDs...)
-		conf.UserDefinedRx = 1
+		conf.PolicyDefaultRx = capo.CAPO_DEFAULT_DENY
+	} else if len(conf.ProfileIDs) > 0 {
+		conf.PolicyDefaultRx = capo.CAPO_DEFAULT_PASS
 	}
 	if len(conf.IngressPolicyIDs) > 0 {
 		conf.IngressPolicyIDs = append([]uint32{h.server.allowToHostPolicy.VppID}, conf.IngressPolicyIDs...)
-		conf.UserDefinedTx = 1
+		conf.PolicyDefaultTx = capo.CAPO_DEFAULT_DENY
+	} else if len(conf.ProfileIDs) > 0 {
+		conf.PolicyDefaultTx = capo.CAPO_DEFAULT_PASS
 	}
 	return conf, nil
 }
@@ -288,6 +299,7 @@ func (h *HostEndpoint) Delete(vpp *vpplink.VppLink, state *PolicyState) (err err
 		h.server.log.Infof("policy(del) interface swif=%d", swIfIndex)
 		conf := types.NewInterfaceConfig()
 		conf.IngressPolicyIDs = h.server.defaultTap0IngressConf
+		conf.EgressPolicyIDs = h.server.defaultTap0EgressConf
 		err = vpp.ConfigurePolicies(swIfIndex, conf, 0)
 		if err != nil {
 			return errors.Wrapf(err, "cannot unconfigure policies on interface %d", swIfIndex)

calico-vpp-agent/felix/workload_endpoint.go

@@ -22,6 +22,7 @@ import (
 	"github.com/projectcalico/calico/felix/proto"
 
 	"github.com/projectcalico/vpp-dataplane/v3/vpplink"
+	"github.com/projectcalico/vpp-dataplane/v3/vpplink/generated/bindings/capo"
 	"github.com/projectcalico/vpp-dataplane/v3/vpplink/types"
 )
 
@@ -131,10 +132,14 @@ func (w *WorkloadEndpoint) getWorkloadPolicies(state *PolicyState, network strin
 	}
 	if len(conf.IngressPolicyIDs) > 0 {
 		conf.IngressPolicyIDs = append([]uint32{w.server.AllowFromHostPolicy.VppID}, conf.IngressPolicyIDs...)
-		conf.UserDefinedTx = 1
+		conf.PolicyDefaultTx = capo.CAPO_DEFAULT_DENY
+	} else if len(conf.ProfileIDs) > 0 {
+		conf.PolicyDefaultTx = capo.CAPO_DEFAULT_PASS
 	}
 	if len(conf.EgressPolicyIDs) > 0 {
-		conf.UserDefinedRx = 1
+		conf.PolicyDefaultRx = capo.CAPO_DEFAULT_DENY
+	} else if len(conf.ProfileIDs) > 0 {
+		conf.PolicyDefaultRx = capo.CAPO_DEFAULT_PASS
 	}
 	return conf, nil
 }

vpplink/capo.go

@@ -200,14 +200,16 @@ func (v *VppLink) ConfigurePolicies(swIfIndex uint32, conf *types.InterfaceConfi
 	ids := append(rxPolicyIDs, txPolicyIDs...)
 	ids = append(ids, profileIDs...)
 	_, err := client.CapoConfigurePolicies(v.GetContext(), &capo.CapoConfigurePolicies{
-		SwIfIndex:     swIfIndex,
-		NumRxPolicies: uint32(len(rxPolicyIDs)),
-		NumTxPolicies: uint32(len(txPolicyIDs)),
-		TotalIds:      uint32(len(rxPolicyIDs) + len(txPolicyIDs) + len(profileIDs)),
-		PolicyIds:     ids,
-		InvertRxTx:    invertRxTx,
-		UserDefinedRx: conf.UserDefinedRx,
-		UserDefinedTx: conf.UserDefinedTx,
+		SwIfIndex:        swIfIndex,
+		NumRxPolicies:    uint32(len(rxPolicyIDs)),
+		NumTxPolicies:    uint32(len(txPolicyIDs)),
+		TotalIds:         uint32(len(rxPolicyIDs) + len(txPolicyIDs) + len(profileIDs)),
+		PolicyIds:        ids,
+		InvertRxTx:       invertRxTx,
+		PolicyDefaultRx:  conf.PolicyDefaultRx,
+		PolicyDefaultTx:  conf.PolicyDefaultTx,
+		ProfileDefaultRx: conf.ProfileDefaultRx,
+		ProfileDefaultTx: conf.ProfileDefaultTx,
 	})
 	if err != nil {
 		return fmt.Errorf("capoConfigurePolicies failed: %w", err)

vpplink/generated/bindings/capo/capo.ba.go

@@ -1,13 +1,32 @@
-VPP Version                 : 25.06-rc0~248-gfaaad85cd
+VPP Version                 : 25.06.0-20~g0cbcc38af-dirty
 Binapi-generator version    : v0.11.0
-VPP Base commit             : 91a65d8a5 gerrit:34726/3 interface: add buffer stats api
+VPP Base commit             : 47505bc21 misc: Initial changes for stable/2506 branch
 ------------------ Cherry picked commits --------------------
 gerrit:43468/5 capo: fix default behavior and add user defined policy flag
-ip: add support for checksum in IP midchain
 capo: Calico Policies plugin
 acl: acl-plugin custom policies
 cnat: [WIP] no k8s maglev from pods
 pbl: Port based balancer
+gerrit:42876/10 gso: add support for ipip tso for phyiscal interfaces
+gerrit:42598/12 pg: add support for checksum offload
+gerrit:43336/3 gso: fix ip fragment support for gso packet
+gerrit:42425/8 interface: add support for proper checksum handling
+gerrit:43083/3 virtio: conditionally set checksum offload based on TCP/UDP offload flags
+gerrit:43084/3 af_packet: conditionally set checksum offload based on TCP/UDP offload flags
+gerrit:43082/6 ipip: fix the offload flags
+gerrit:42891/5 ip: compute checksums before fragmentation if offloaded
+gerrit:43081/2 interface: clear flags after checksum computation
+gerrit:42419/5 dpdk: fix the outer flags
+gerrit:42186/6 tap: enable IPv4 checksum offload on interface
+gerrit:42185/6 vnet: add assert for offload flags in debug mode
+gerrit:42184/6 interface: add a new cap for virtual interfaces
 gerrit:revert:39675/5 Revert "ip-neighbor: do not use sas to determine NS source address"
 gerrit:34726/3 interface: add buffer stats api
+misc: VPP 25.06 Release Notes
+hsa: http client init wrk->vlib_main in setup
+tls: add half close support
+af_packet: show host interface offload flags
+af_packet: fix the error handling on transmit
+dma_intel: fix ats_disable attribute handling
+misc: Initial changes for stable/2506 branch
 -------------------------------------------------------------

vpplink/generated/generate.log

@@ -148,4 +148,4 @@ git_apply_private 0003-acl-acl-plugin-custom-policies.patch
 git_apply_private 0004-capo-Calico-Policies-plugin.patch
 
 
-git_cherry_pick refs/changes/68/43468/5 https://gerrit.fd.io/r/c/vpp/+/43468
+git_cherry_pick refs/changes/68/43468/6 https://gerrit.fd.io/r/c/vpp/+/43468

vpplink/generated/vpp_clone_current.sh

@@ -326,17 +326,21 @@ type InterfaceConfig struct {
 	IngressPolicyIDs []uint32
 	EgressPolicyIDs  []uint32
 	ProfileIDs       []uint32
-	UserDefinedRx    uint8
-	UserDefinedTx    uint8
+	PolicyDefaultRx  capo.CapoPolicyDefault
+	PolicyDefaultTx  capo.CapoPolicyDefault
+	ProfileDefaultRx capo.CapoPolicyDefault
+	ProfileDefaultTx capo.CapoPolicyDefault
 }
 
 func NewInterfaceConfig() *InterfaceConfig {
 	return &InterfaceConfig{
 		IngressPolicyIDs: make([]uint32, 0),
 		EgressPolicyIDs:  make([]uint32, 0),
 		ProfileIDs:       make([]uint32, 0),
-		UserDefinedRx:    0,
-		UserDefinedTx:    0,
+		PolicyDefaultRx:  capo.CAPO_DEFAULT_ALLOW,
+		PolicyDefaultTx:  capo.CAPO_DEFAULT_ALLOW,
+		ProfileDefaultRx: capo.CAPO_DEFAULT_DENY,
+		ProfileDefaultTx: capo.CAPO_DEFAULT_DENY,
 	}
 }