change capo to make default behavior configurable

This patch uses a vpp capo plugin patch that makes the default behavior
when policies don't match configurable: drop, or goto profiles, depending
on the existence of user defined policies
This addresses the issue where dataplane takes wrong decisions because it
isn't aware of the difference between a user defined policy and an implicit
policy (like failsafe)
This also prepends an explicit deny policy in the case of an empty hostendpoint
(hep with 0 policies and 0 profiles).
This also makes endpointtohost action prior to failsafe to comply with doc.

Author: hedibouattour

calico-vpp-agent/felix/felix_server.go

@@ -90,9 +90,11 @@ type Server struct {
 	allPodsIpset *IPSet
 	/* allow traffic between uplink/tunnels and tap interfaces */
 	allowToHostPolicy *Policy
-	ip4               *net.IP
-	ip6               *net.IP
-	interfacesMap     map[string]interfaceDetails
+	/* deny all policy for heps with no policies defined */
+	denyAllPolicy *Policy
+	ip4           *net.IP
+	ip6           *net.IP
+	interfacesMap map[string]interfaceDetails
 
 	felixServerEventChan chan common.CalicoVppEvent
 	networkDefinitions   map[string]*watchers.NetworkDefinition
@@ -460,6 +462,10 @@ func (s *Server) ServeFelix(t *tomb.Tomb) error {
 	if err != nil {
 		return errors.Wrap(err, "Error in createFailSafePolicies")
 	}
+	err = s.createEmptyHEPDenyAllPolicy()
+	if err != nil {
+		return errors.Wrap(err, "Error in createFailSafePolicies")
+	}
 	for {
 		s.state = StateDisconnected
 		// Accept only one connection
@@ -1728,6 +1734,35 @@ func (s *Server) createEndpointToHostPolicy( /*may be return*/ ) (err error) {
 	return nil
 }
 
+func (s *Server) createEmptyHEPDenyAllPolicy() (err error) {
+	denyAllPol := &Policy{
+		Policy: &types.Policy{},
+		VppID:  types.InvalidID,
+		InboundRules: []*Rule{
+			{
+				VppID: types.InvalidID,
+				Rule: &types.Rule{
+					Action: types.ActionDeny,
+				},
+			},
+		},
+		OutboundRules: []*Rule{
+			{
+				VppID: types.InvalidID,
+				Rule: &types.Rule{
+					Action: types.ActionDeny,
+				},
+			},
+		},
+	}
+	err = denyAllPol.Create(s.vpp, nil)
+	if err != nil {
+		return err
+	}
+	s.denyAllPolicy = denyAllPol
+	return nil
+}
+
 // createFailSafePolicies ensures the failsafe policies defined in the Felixconfiguration exist in VPP.
 // check https://github.com/projectcalico/calico/blob/master/felix/rules/static.go :: failsafeInChain for the linux implementation
 // To be noted. This does not implement the doNotTrack case as we do not yet support doNotTrack policies.

calico-vpp-agent/felix/host_endpoint.go

@@ -134,7 +134,7 @@ func (h *HostEndpoint) handleTunnelChange(swIfIndex uint32, isAdd bool, pending
 	return err
 }
 
-func (h *HostEndpoint) getHostPolicies(state *PolicyState, tiers []Tier) (conf *types.InterfaceConfig, err error) {
+func (h *HostEndpoint) getUserDefinedPolicies(state *PolicyState, tiers []Tier) (conf *types.InterfaceConfig, err error) {
 	conf = types.NewInterfaceConfig()
 	for _, tier := range tiers {
 		for _, polName := range tier.IngressPolicies {
@@ -172,31 +172,46 @@ func (h *HostEndpoint) getHostPolicies(state *PolicyState, tiers []Tier) (conf *
 }
 
 func (h *HostEndpoint) getTapPolicies(state *PolicyState) (conf *types.InterfaceConfig, err error) {
-	conf, err = h.getHostPolicies(state, h.Tiers)
+	conf, err = h.getUserDefinedPolicies(state, h.Tiers)
 	if err != nil {
 		return nil, errors.Wrap(err, "cannot create host policies for TapConf")
 	}
-	if len(conf.IngressPolicyIDs) > 0 {
-		conf.IngressPolicyIDs = append(conf.IngressPolicyIDs, h.server.workloadsToHostPolicy.VppID)
+	if len(conf.IngressPolicyIDs) == 0 && len(conf.ProfileIDs) == 0 {
+		// If a host endpoint is created and network policy is not in place,
+		// the Calico default is to deny traffic to/from that endpoint
+		// (except for traffic allowed by failsafe rules).
+		conf.IngressPolicyIDs = []uint32{h.server.workloadsToHostPolicy.VppID, h.server.failSafePolicy.VppID, h.server.denyAllPolicy.VppID}
+	} else {
+		if len(conf.IngressPolicyIDs) > 0 {
+			conf.UserDefinedTx = 1
+		}
 		conf.IngressPolicyIDs = append([]uint32{h.server.failSafePolicy.VppID}, conf.IngressPolicyIDs...)
+		conf.IngressPolicyIDs = append([]uint32{h.server.workloadsToHostPolicy.VppID}, conf.IngressPolicyIDs...)
 	}
-	if len(conf.EgressPolicyIDs) > 0 {
-		conf.EgressPolicyIDs = append([]uint32{h.server.AllowFromHostPolicy.VppID}, conf.EgressPolicyIDs...)
+	if len(conf.EgressPolicyIDs) == 0 && len(conf.ProfileIDs) == 0 {
+		conf.EgressPolicyIDs = []uint32{h.server.AllowFromHostPolicy.VppID, h.server.failSafePolicy.VppID, h.server.denyAllPolicy.VppID}
+	} else {
+		if len(conf.EgressPolicyIDs) > 0 {
+			conf.UserDefinedRx = 1
+		}
 		conf.EgressPolicyIDs = append([]uint32{h.server.failSafePolicy.VppID}, conf.EgressPolicyIDs...)
+		conf.EgressPolicyIDs = append([]uint32{h.server.AllowFromHostPolicy.VppID}, conf.EgressPolicyIDs...)
 	}
 	return conf, nil
 }
 
 func (h *HostEndpoint) getForwardPolicies(state *PolicyState) (conf *types.InterfaceConfig, err error) {
-	conf, err = h.getHostPolicies(state, h.ForwardTiers)
+	conf, err = h.getUserDefinedPolicies(state, h.ForwardTiers)
 	if err != nil {
 		return nil, errors.Wrap(err, "cannot create host policies for forwardConf")
 	}
 	if len(conf.EgressPolicyIDs) > 0 {
 		conf.EgressPolicyIDs = append([]uint32{h.server.allowToHostPolicy.VppID}, conf.EgressPolicyIDs...)
+		conf.UserDefinedRx = 1
 	}
 	if len(conf.IngressPolicyIDs) > 0 {
 		conf.IngressPolicyIDs = append([]uint32{h.server.allowToHostPolicy.VppID}, conf.IngressPolicyIDs...)
+		conf.UserDefinedTx = 1
 	}
 	return conf, nil
 }

calico-vpp-agent/felix/workload_endpoint.go

@@ -87,7 +87,7 @@ func fromProtoWorkload(wep *proto.WorkloadEndpoint, server *Server) *WorkloadEnd
 	return r
 }
 
-func (w *WorkloadEndpoint) getPolicies(state *PolicyState, network string) (conf *types.InterfaceConfig, err error) {
+func (w *WorkloadEndpoint) getUserDefinedPolicies(state *PolicyState, network string) (conf *types.InterfaceConfig, err error) {
 	conf = types.NewInterfaceConfig()
 	for _, tier := range w.Tiers {
 		for _, polName := range tier.IngressPolicies {
@@ -121,14 +121,26 @@ func (w *WorkloadEndpoint) getPolicies(state *PolicyState, network string) (conf
 		}
 		conf.ProfileIDs = append(conf.ProfileIDs, prof.VppID)
 	}
+	return conf, nil
+}
+
+func (w *WorkloadEndpoint) getWorkloadPolicies(state *PolicyState, network string) (conf *types.InterfaceConfig, err error) {
+	conf, err = w.getUserDefinedPolicies(state, network)
+	if err != nil {
+		return nil, errors.Wrap(err, "cannot create workload policies")
+	}
 	if len(conf.IngressPolicyIDs) > 0 {
 		conf.IngressPolicyIDs = append([]uint32{w.server.AllowFromHostPolicy.VppID}, conf.IngressPolicyIDs...)
+		conf.UserDefinedTx = 1
+	}
+	if len(conf.EgressPolicyIDs) > 0 {
+		conf.UserDefinedRx = 1
 	}
 	return conf, nil
 }
 
 func (w *WorkloadEndpoint) Create(vpp *vpplink.VppLink, swIfIndexes []uint32, state *PolicyState, network string) (err error) {
-	conf, err := w.getPolicies(state, network)
+	conf, err := w.getWorkloadPolicies(state, network)
 	if err != nil {
 		return err
 	}
@@ -144,7 +156,7 @@ func (w *WorkloadEndpoint) Create(vpp *vpplink.VppLink, swIfIndexes []uint32, st
 }
 
 func (w *WorkloadEndpoint) Update(vpp *vpplink.VppLink, new *WorkloadEndpoint, state *PolicyState, network string) (err error) {
-	conf, err := new.getPolicies(state, network)
+	conf, err := new.getWorkloadPolicies(state, network)
 	if err != nil {
 		return err
 	}

vpplink/capo.go

@@ -206,6 +206,8 @@ func (v *VppLink) ConfigurePolicies(swIfIndex uint32, conf *types.InterfaceConfi
 		TotalIds:      uint32(len(rxPolicyIDs) + len(txPolicyIDs) + len(profileIDs)),
 		PolicyIds:     ids,
 		InvertRxTx:    invertRxTx,
+		UserDefinedRx: conf.UserDefinedRx,
+		UserDefinedTx: conf.UserDefinedTx,
 	})
 	if err != nil {
 		return fmt.Errorf("capoConfigurePolicies failed: %w", err)

vpplink/generated/bindings/capo/capo.ba.go

@@ -1,31 +1,13 @@
-VPP Version                 : 25.06.0-19~g354a6aabf
+VPP Version                 : 25.06-rc0~248-gfaaad85cd
 Binapi-generator version    : v0.11.0
-VPP Base commit             : 47505bc21 misc: Initial changes for stable/2506 branch
+VPP Base commit             : 91a65d8a5 gerrit:34726/3 interface: add buffer stats api
 ------------------ Cherry picked commits --------------------
+gerrit:43468/5 capo: fix default behavior and add user defined policy flag
+ip: add support for checksum in IP midchain
 capo: Calico Policies plugin
 acl: acl-plugin custom policies
 cnat: [WIP] no k8s maglev from pods
 pbl: Port based balancer
-gerrit:42876/10 gso: add support for ipip tso for phyiscal interfaces
-gerrit:42598/12 pg: add support for checksum offload
-gerrit:43336/3 gso: fix ip fragment support for gso packet
-gerrit:42425/8 interface: add support for proper checksum handling
-gerrit:43083/3 virtio: conditionally set checksum offload based on TCP/UDP offload flags
-gerrit:43084/3 af_packet: conditionally set checksum offload based on TCP/UDP offload flags
-gerrit:43082/6 ipip: fix the offload flags
-gerrit:42891/5 ip: compute checksums before fragmentation if offloaded
-gerrit:43081/2 interface: clear flags after checksum computation
-gerrit:42419/5 dpdk: fix the outer flags
-gerrit:42186/6 tap: enable IPv4 checksum offload on interface
-gerrit:42185/6 vnet: add assert for offload flags in debug mode
-gerrit:42184/6 interface: add a new cap for virtual interfaces
 gerrit:revert:39675/5 Revert "ip-neighbor: do not use sas to determine NS source address"
 gerrit:34726/3 interface: add buffer stats api
-misc: VPP 25.06 Release Notes
-hsa: http client init wrk->vlib_main in setup
-tls: add half close support
-af_packet: show host interface offload flags
-af_packet: fix the error handling on transmit
-dma_intel: fix ats_disable attribute handling
-misc: Initial changes for stable/2506 branch
 -------------------------------------------------------------

vpplink/generated/generate.log

@@ -146,3 +146,6 @@ git_apply_private 0001-pbl-Port-based-balancer.patch
 git_apply_private 0002-cnat-WIP-no-k8s-maglev-from-pods.patch
 git_apply_private 0003-acl-acl-plugin-custom-policies.patch
 git_apply_private 0004-capo-Calico-Policies-plugin.patch
+
+
+git_cherry_pick refs/changes/68/43468/5 https://gerrit.fd.io/r/c/vpp/+/43468

vpplink/generated/vpp_clone_current.sh

@@ -326,13 +326,17 @@ type InterfaceConfig struct {
 	IngressPolicyIDs []uint32
 	EgressPolicyIDs  []uint32
 	ProfileIDs       []uint32
+	UserDefinedRx    uint8
+	UserDefinedTx    uint8
 }
 
 func NewInterfaceConfig() *InterfaceConfig {
 	return &InterfaceConfig{
 		IngressPolicyIDs: make([]uint32, 0),
 		EgressPolicyIDs:  make([]uint32, 0),
 		ProfileIDs:       make([]uint32, 0),
+		UserDefinedRx:    0,
+		UserDefinedTx:    0,
 	}
 }