bpf_metadata: simplify variable naming for N/S L7 LB case

This commit simplifies the variable naming for the N/S L7 LB case in getMetadata. * Rename `ip` to `ingress_ip` * use `ingress_ip` instead of `pod_ip` to avoid confusion Signed-off-by: Marco Hofstetter <[email protected]>
cilium · Jan 7, 2025 · 16b2bd1 · 16b2bd1
1 parent fa045b1
commit 16b2bd1
Showing 1 changed file with 21 additions and 17 deletions.
diff --git a/cilium/bpf_metadata.cc b/cilium/bpf_metadata.cc
@@ -406,38 +406,42 @@ Cilium::SocketOptionSharedPtr Config::getMetadata(Network::ConnectionSocket& soc
     // North/south L7 LB, assume the source security identity of the configured source addresses,
     // if any and policy for this identity exists.
 
-    // Pick the local source address of the same family as the incoming connection
-    const Network::Address::Ip* ip = selectIPVersion(sip->version(), source_addresses);
-
-    if (!ip) {
-      // IP family of the connection has no configured local source address
-      ENVOY_LOG(warn,
-                "cilium.bpf_metadata (north/south L7 LB): No local IP source address configured "
-                "for the family of {}",
-                pod_ip);
+    // Pick the local ingress source address of the same family as the incoming connection
+    const Network::Address::Ip* ingress_ip = selectIPVersion(sip->version(), source_addresses);
+    auto& ingress_ip_str = ingress_ip->addressAsString();
+
+    if (!ingress_ip) {
+      // IP family of the connection has no configured local ingress source address
+      ENVOY_LOG(
+          warn,
+          "cilium.bpf_metadata (north/south L7 LB): No local Ingress IP source address configured "
+          "for the family of {}",
+          sip->addressAsString());
       return nullptr;
     }
 
-    pod_ip = ip->addressAsString();
-
-    auto new_source_id = resolvePolicyId(ip);
-    if (new_source_id == Cilium::ID::WORLD) {
+    auto new_source_identity = resolvePolicyId(ingress_ip);
+    if (new_source_identity == Cilium::ID::WORLD) {
       // No security ID available for the configured source IP
       ENVOY_LOG(warn,
-                "cilium.bpf_metadata (north/south L7 LB): Unknown local IP source address "
+                "cilium.bpf_metadata (north/south L7 LB): Unknown local Ingress IP source address "
                 "configured: {}",
-                pod_ip);
+                ingress_ip_str);
       return nullptr;
     }
 
     // Enforce ingress policy on the incoming Ingress traffic?
     if (enforce_policy_on_l7lb_)
       ingress_source_identity = source_identity;
 
-    source_identity = new_source_id;
+    source_identity = new_source_identity;
 
     // AllowAllEgressPolicy will be returned if no explicit Ingress policy exists
-    policy = getPolicy(pod_ip);
+    policy = getPolicy(ingress_ip_str);
+
+    // Set Ingress source IP as pod_ip (In case of egress (how N/S L7 LB is implemented), the pod_ip
+    // is the source IP)
+    pod_ip = ingress_ip_str;
 
     // Original source address is never used for north/south LB
     // This means that a local host IP is used if no IP is configured to be used instead of it