From 582f05780632199ba5de27d73fdb772d376485ae Mon Sep 17 00:00:00 2001
From: l1b0k
Date: Fri, 12 Apr 2024 13:38:31 +0800
Subject: [PATCH 1/2] policy: fix ip cache driven secid derivation for external traffic use two type of datapath - ipvlan - veth ipvlan for previous terway ipvlan datapath. Bpf program is attached directly on slave link inside container netns. veth for terway datapath v2.
Signed-off-by: l1b0k
---
 ...ven-secid-derivation-for-external-tr.patch | 35 +++++++++++++++++++
 policy/cilium/0023-fix-sec-label.patch | 31 ----------------
 2 files changed, 35 insertions(+), 31 deletions(-)
 create mode 100644 policy/cilium/0023-fix-ip-cache-driven-secid-derivation-for-external-tr.patch
 delete mode 100644 policy/cilium/0023-fix-sec-label.patch
diff --git a/policy/cilium/0023-fix-ip-cache-driven-secid-derivation-for-external-tr.patch b/policy/cilium/0023-fix-ip-cache-driven-secid-derivation-for-external-tr.patch
new file mode 100644
index 00000000..cb951089
--- /dev/null
+++ b/policy/cilium/0023-fix-ip-cache-driven-secid-derivation-for-external-tr.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: l1b0k
+Date: Thu, 11 Apr 2024 15:45:33 +0800
+Subject: fix ip cache driven secid derivation for external traffic ensuring
+ correct identity-based policy enforcement in BPF programs.
+
+Signed-off-by: l1b0k
+---
+ pkg/datapath/loader/loader.go | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/datapath/loader/loader.go b/pkg/datapath/loader/loader.go
+index e0c3fe6a00..2ed01b9b19 100644
+--- a/pkg/datapath/loader/loader.go
++++ b/pkg/datapath/loader/loader.go
+@@ -16,6 +16,7 @@ import (
+ "github.com/vishvananda/netlink"
+ 
+ "github.com/cilium/cilium/pkg/command/exec"
++ datapathOption "github.com/cilium/cilium/pkg/datapath/option"
+ 
+ "github.com/cilium/cilium/pkg/bpf"
+ "github.com/cilium/cilium/pkg/byteorder"
+@@ -157,7 +158,7 @@ func patchHostNetdevDatapath(ep datapath.Endpoint, objPath, dstPath, ifName stri
+ return err
+ }
+ 
+- if !option.Config.EnableHostLegacyRouting {
++ if option.Config.DatapathMode == datapathOption.DatapathModeVeth {
+ opts["SECCTX_FROM_IPCACHE"] = uint32(SecctxFromIpcacheEnabled)
+ } else {
+ opts["SECCTX_FROM_IPCACHE"] = uint32(SecctxFromIpcacheDisabled)
+--
+2.44.0
+
diff --git a/policy/cilium/0023-fix-sec-label.patch b/policy/cilium/0023-fix-sec-label.patch
deleted file mode 100644
index 1d82bf10..00000000
--- a/policy/cilium/0023-fix-sec-label.patch
+++ /dev/null
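Review bot: The nested loader.go hunk replaces the `!option.Config.EnableHostLegacyRouting` test instead of combining with it, so a veth-mode node that still has legacy host routing enabled now gets `SECCTX_FROM_IPCACHE` enabled where the previous condition disabled it. If that pairing is not supported on the terway v2 datapath, the branch should read `if option.Config.DatapathMode == datapathOption.DatapathModeVeth && !option.Config.EnableHostLegacyRouting {`; if it is intentional, the nested commit message should say why the legacy-routing case is safe. Because this macro decides whether bpf_host derives the security identity of external traffic from the ipcache, a wrong value degrades identity-based policy silently rather than failing loudly, so a short comment above the branch describing the ipvlan case (program attached on the slave link inside the container netns, as the outer commit message puts it) would help whoever rebases this patch next. Minor style point: the new `datapathOption` import sits in the `command/exec` group rather than with the other `pkg/...` imports below it, so goimports will move it on the next touch. `patchHostNetdevDatapath` continues outside the hunk.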
@@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: l1b0k
-Date: Thu, 11 Apr 2024 15:45:33 +0800
-Subject: fix sec label
-
-Signed-off-by: l1b0k
----
- bpf/bpf_host.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c
-index e29bbc5c97..95d93e01aa 100644
---- a/bpf/bpf_host.c
-+++ b/bpf/bpf_host.c
-@@ -563,6 +563,13 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx,
- if (ep->flags & ENDPOINT_F_HOST)
- return CTX_ACT_OK;
- 
-+#ifdef ENABLE_ROUTING
-+ info = lookup_ip4_remote_endpoint(ip4->saddr);
-+ if (info && info->sec_label) {
-+ return ipv4_local_delivery(ctx, ETH_HLEN, info->sec_label, ip4, ep,
-+ METRIC_INGRESS, from_host, false);
-+ }
-+#endif
- return ipv4_local_delivery(ctx, ETH_HLEN, secctx, ip4, ep,
- METRIC_INGRESS, from_host, false);
- }
---
-2.44.0
-
From 3e346b17015f3b1b03fd59c87fca1810d57e6590 Mon Sep 17 00:00:00 2001
From: l1b0k
Date: Fri, 12 Apr 2024 15:48:31 +0800
Subject: [PATCH 2/2] policy: update image
Signed-off-by: l1b0k
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 0eef94a4..55511c79 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-ARG TERWAY_POLICY_IMAGE=registry.cn-hongkong.aliyuncs.com/acs/terway:policy-d78b0c3@sha256:503a31bc708cec62b4f3276affd0d708a091148ce9bf4503744a3d1f3755b66f
+ARG TERWAY_POLICY_IMAGE=registry-cn-zhangjiakou.ack.aliyuncs.com/acs/terway:policy-582f057@sha256:17fbff0f3ae5c1631c902c7c83c7022f69b4ff3d726645856f5cbb161854a630
 ARG UBUNTU_IMAGE=registry.cn-hangzhou.aliyuncs.com/acs/ubuntu:22.04-update
 ARG CILIUM_LLVM_IMAGE=quay.io/cilium/cilium-llvm:547db7ec9a750b8f888a506709adb41f135b952e@sha256:4d6fa0aede3556c5fb5a9c71bc6b9585475ac9b1064f516d4c45c8fb691c9d9e
 ARG CILIUM_BPFTOOL_IMAGE=quay.io/cilium/cilium-bpftool:78448c1a37ff2b790d5e25c3d8b8ec3e96e6405f@sha256:99a9453a921a8de99899ef82e0822f0c03f65d97005c064e231c06247ad8597d