Label tier default action when programming dataplane rules (#10023)

mazdakn · web-flow · commit 4ff3cb04272f · 2025-03-20T16:56:14.000-07:00
* label end of tier in iptables/nftables

* change the bpf policy program

* Fix UTs
diff --git a/felix/bpf/polprog/pol_prog_builder.go b/felix/bpf/polprog/pol_prog_builder.go
@@ -504,7 +504,7 @@ func (p *Builder) writeTiers(tiers []Tier, destLeg matchLeg, allowLabel string)
 		if action == TierEndUndef {
 			action = TierEndDeny
 		}
-		p.b.AddCommentF("End of tier %s", tier.Name)
+		p.b.AddCommentF("End of tier %s: %s", tier.Name, tier.EndAction)
 		log.Debugf("End of tier %d %q: %s", p.tierID, tier.Name, action)
 		p.writeRule(Rule{
 			Rule:    &proto.Rule{},
diff --git a/felix/dataplane/linux/endpoint_mgr_test.go b/felix/dataplane/linux/endpoint_mgr_test.go
@@ -363,7 +363,7 @@ func chainsForIfaces(ipVersion uint8,
 					{
 						Match:   iptables.Match().MarkClear(16),
 						Action:  iptables.DropAction{},
-						Comment: []string{"Drop if no policies passed packet"},
+						Comment: []string{fmt.Sprintf("End of tier %v. Drop if no policies passed packet", tierName)},
 					},
 				}...)
 			}
@@ -473,7 +473,7 @@ func chainsForIfaces(ipVersion uint8,
 					{
 						Match:   iptables.Match().MarkClear(16),
 						Action:  iptables.DropAction{},
-						Comment: []string{"Drop if no policies passed packet"},
+						Comment: []string{fmt.Sprintf("End of tier %v. Drop if no policies passed packet", tierName)},
 					},
 				}...)
 			}
diff --git a/felix/rules/endpoints.go b/felix/rules/endpoints.go
@@ -698,9 +698,12 @@ func (r *DefaultRuleRenderer) endpointIptablesChain(
 						})
 					}
 					rules = append(rules, generictables.Rule{
-						Match:   r.NewMatch().MarkClear(r.MarkPass),
-						Action:  r.IptablesFilterDenyAction(),
-						Comment: []string{fmt.Sprintf("%s if no policies passed packet", r.IptablesFilterDenyAction())},
+						Match:  r.NewMatch().MarkClear(r.MarkPass),
+						Action: r.IptablesFilterDenyAction(),
+						Comment: []string{fmt.Sprintf("End of tier %s. %s if no policies passed packet",
+							tier.Name,
+							r.IptablesFilterDenyAction()),
+						},
 					})
 				} else if r.FlowLogsEnabled {
 					// If we do not require an end of tier drop (i.e. because all of the policies in the tier are
diff --git a/felix/rules/endpoints_test.go b/felix/rules/endpoints_test.go

Original file line number	Diff line number	Diff line change
`@@ -504,7 +504,7 @@ func (p *Builder) writeTiers(tiers []Tier, destLeg matchLeg, allowLabel string)`
`504`	`504`	`if action == TierEndUndef {`
`505`	`505`	`action = TierEndDeny`
`506`	`506`	`}`
`507`		`- p.b.AddCommentF("End of tier %s", tier.Name)`
	`507`	`+ p.b.AddCommentF("End of tier %s: %s", tier.Name, tier.EndAction)`
`508`	`508`	`log.Debugf("End of tier %d %q: %s", p.tierID, tier.Name, action)`
`509`	`509`	`p.writeRule(Rule{`
`510`	`510`	`Rule: &proto.Rule{},`
Original file line number	Diff line number	Diff line change
`@@ -363,7 +363,7 @@ func chainsForIfaces(ipVersion uint8,`
`363`	`363`	`{`
`364`	`364`	`Match: iptables.Match().MarkClear(16),`
`365`	`365`	`Action: iptables.DropAction{},`
`366`		`- Comment: []string{"Drop if no policies passed packet"},`
	`366`	`+ Comment: []string{fmt.Sprintf("End of tier %v. Drop if no policies passed packet", tierName)},`
`367`	`367`	`},`
`368`	`368`	`}...)`
`369`	`369`	`}`
`@@ -473,7 +473,7 @@ func chainsForIfaces(ipVersion uint8,`
`473`	`473`	`{`
`474`	`474`	`Match: iptables.Match().MarkClear(16),`
`475`	`475`	`Action: iptables.DropAction{},`
`476`		`- Comment: []string{"Drop if no policies passed packet"},`
	`476`	`+ Comment: []string{fmt.Sprintf("End of tier %v. Drop if no policies passed packet", tierName)},`
`477`	`477`	`},`
`478`	`478`	`}...)`
`479`	`479`	`}`