check-encryption-leak:fix: L4 ports usages when no TCP/UDP packet by smagnani96 · Pull Request #38290 · cilium/cilium · GitHub

check-encryption-leak:fix: L4 ports usages when no TCP/UDP packet #38290

Merged · 1 commit · Mar 19, 2025

smagnani96
Contributor
Ensure packet protocol before using L4 ports in the check-encryption-leak script.

@smagnani96 smagnani96 added kind/enhancement This would improve or streamline existing functionality. area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. affects/v1.14 This issue affects v1.14 branch feature/ipsec Relates to Cilium's IPsec feature feature/wireguard Relates to Cilium's Wireguard feature needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Mar 18, 2025
@smagnani96 smagnani96 force-pushed the pr/smagnani96/check-encryption-leak-l4-ports-fix branch 2 times, most recently from cfbf5a9 to ac375cc Compare March 18, 2025 17:46
This commit slightly adjusts our report logic and lookup of the value
$pod_to_pod_via_proxy. With this patch, we now consider whether the
packet under analysis is TCP/UDP before using/printing the source and
destination ports. This way, we do not erroneously look up/report wrong
values in cases of other protocols (e.g. ICMP).
Prior to this, in case of an ICMP message, we could read a dirty
$udp->source (actually ICMP type and code) that might match a potential
entry in the map. In this case, looking up a value with `port = protocol = 0`
would return the empty value.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
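
The aliasing the commit message describes, as an added example that is not code from this PR or from the check-encryption-leak script: the first four bytes of an ICMP header (type, code, checksum) sit where UDP/TCP keep their source and destination ports, so an unguarded read yields a plausible-looking port. The function names and the two sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

struct l4_ports { uint16_t sport, dport; int valid; };

/* Read a 16-bit network-order field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unguarded read: treats the first 4 bytes of any L4 header as ports. */
struct l4_ports ports_unguarded(const uint8_t *l4, size_t len)
{
    struct l4_ports r = {0, 0, 0};
    if (len < 4)
        return r;
    r.sport = be16(l4);
    r.dport = be16(l4 + 2);
    r.valid = 1;
    return r;
}

/* Guarded read: ports exist only for TCP and UDP; anything else is valid=0. */
struct l4_ports ports_guarded(uint8_t proto, const uint8_t *l4, size_t len)
{
    struct l4_ports none = {0, 0, 0};
    if (proto != PROTO_TCP && proto != PROTO_UDP)
        return none;
    return ports_unguarded(l4, len);
}

/* Constructed ICMP echo request header: type=8, code=0, checksum=0xf7ff. */
const uint8_t sample_icmp[8] = {0x08, 0x00, 0xf7, 0xff, 0, 0, 0, 0};
/* Constructed UDP header: sport=40000, dport=53, length=8, checksum=0. */
const uint8_t sample_udp[8] = {0x9c, 0x40, 0x00, 0x35, 0x00, 0x08, 0, 0};

int main(void)
{
    struct l4_ports bad = ports_unguarded(sample_icmp, sizeof sample_icmp);
    struct l4_ports ok = ports_guarded(PROTO_ICMP, sample_icmp, sizeof sample_icmp);
    struct l4_ports udp = ports_guarded(PROTO_UDP, sample_udp, sizeof sample_udp);
    printf("ICMP unguarded: sport=%u dport=%u\n", bad.sport, bad.dport);
    printf("ICMP guarded:   valid=%d\n", ok.valid);
    printf("UDP guarded:    sport=%u dport=%u\n", udp.sport, udp.dport);
    return 0;
}
```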
@smagnani96 smagnani96 force-pushed the pr/smagnani96/check-encryption-leak-l4-ports-fix branch from ac375cc to d6d6171 Compare March 18, 2025 18:48
@smagnani96
Contributor Author

/test

@smagnani96 smagnani96 marked this pull request as ready for review March 19, 2025 16:09
@smagnani96 smagnani96 requested review from a team as code owners March 19, 2025 16:09
@smagnani96 smagnani96 requested a review from pchaigno March 19, 2025 16:09
@pchaigno pchaigno added this pull request to the merge queue Mar 19, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 19, 2025
Merged via the queue into main with commit c097696 Mar 19, 2025
294 of 296 checks passed
@pchaigno pchaigno deleted the pr/smagnani96/check-encryption-leak-l4-ports-fix branch March 19, 2025 17:05
@smagnani96 smagnani96 added the backport/author The backport will be carried out by the author of the PR. label Mar 20, 2025
@github-actions github-actions bot added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. labels Mar 26, 2025
@julianwiedmann julianwiedmann removed needs-backport/1.15 This PR / issue needs backporting to the v1.15 branch needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Apr 2, 2025
Labels
affects/v1.14 This issue affects v1.14 branch area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. backport/author The backport will be carried out by the author of the PR. backport-done/1.15 The backport for Cilium 1.15.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. feature/ipsec Relates to Cilium's IPsec feature feature/wireguard Relates to Cilium's Wireguard feature kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.
3 participants