policy: Fix broad deny with except bug

With the policy as shown by [1] applied, traffic to 1.1.1.2/32 would be
denied but only because of the default-deny fallback, and not have a
policy correlation.  In Hubble, this would show up as
`policy-verdict:none` in the flow instead of "Policy denied by
denylist".

In the denyPreferredInsertWithChanges() logic for v1.15 and below (v1.16
and main unaffected), the "deny-deny" [2] logic removed what the policy
engine considered a redundant deny entry that leads to the missing
policy correlation described above.

The fix is to minimally cherry-pick 317a8af ("policy: Keep deny
entries when covered by another CIDR deny") [from the v1.16 tree]. This
cherry-picked commit is built off of a2ff24f ("policy: Fix Deny
Insertion Logic"), which was found by bisecting v1.15 and v1.16 to
identify when this bug was "fixed" in the later versions of Cilium.

In addition, this commit contains another minimal cherry-pick from
317a8af ("policy: Keep deny entries when covered by another CIDR
deny") [from the v1.16 tree] for the "deny-allow" [3] and "allow-deny"
[4] case. [3] fixes a transient bug as explained by
#33953 (comment).

For more context on the changes to the policy engine between versions,
tracing the commit history from the commits mentioned above would be the
best way.

[1]:

```
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow
spec:
  egress:
  - toCIDR:
    - 1.1.1.1/32
    - 1.1.1.2/32
  endpointSelector: {}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deny
spec:
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8
      except:
      - 1.1.1.1/32
  endpointSelector: {}
```

[2]: "Deny-deny" refers to the policy engine code path inside
     denyPreferredInsertWithChanges() under

```
if newEntry.IsDeny {
  ...
  ms.ForEachDeny()
  ...
}
```

[3]: Similar to [2], "deny-allow" refers to

```
if newEntry.IsDeny {
  ...
  ms.ForEachAllow()
  ...
}
```

[4]: Similar to [3], "allow-deny" refers to (note the ! in the
condition)

```
if !newEntry.IsDeny {
  ...
  ms.ForEachDeny()
  ...
}
```

Signed-off-by: Chris Tarazi <[email protected]>
Signed-off-by: Jarno Rajahalme <[email protected]>

Author: jrajahalme

pkg/policy/distillery_test.go

@@ -1399,7 +1399,7 @@ var (
 
 	worldIPIdentity    = localIdentity(16324)
 	worldCIDR          = api.CIDR("192.0.2.3/32")
-	lblWorldIP         = labels.ParseSelectLabelArray(fmt.Sprintf("%s:%s", labels.LabelSourceCIDR, worldCIDR))
+	lblWorldIP         = cidr.GetCIDRLabels(netip.MustParsePrefix(string(worldCIDR)))
 	ruleL3AllowWorldIP = api.NewRule().WithIngressRules([]api.IngressRule{{
 		IngressCommonRule: api.IngressCommonRule{
 			FromCIDR: api.CIDRSlice{worldCIDR},
@@ -1528,6 +1528,13 @@ var (
 	mapKeyL3L4Port8080ProtoSCTPWorldSNIngress = Key{worldSubnetIdentity.Uint32(), 8080, 132, trafficdirection.Ingress.Uint8()}
 	mapKeyL3L4Port8080ProtoSCTPWorldSNEgress  = Key{worldSubnetIdentity.Uint32(), 8080, 132, trafficdirection.Egress.Uint8()}
 
+	mapKeyL3L4Port8080ProtoTCPWorldIPIngress  = Key{worldIPIdentity.Uint32(), 8080, 6, trafficdirection.Ingress.Uint8()}
+	mapKeyL3L4Port8080ProtoTCPWorldIPEgress   = Key{worldIPIdentity.Uint32(), 8080, 6, trafficdirection.Egress.Uint8()}
+	mapKeyL3L4Port8080ProtoUDPWorldIPIngress  = Key{worldIPIdentity.Uint32(), 8080, 17, trafficdirection.Ingress.Uint8()}
+	mapKeyL3L4Port8080ProtoUDPWorldIPEgress   = Key{worldIPIdentity.Uint32(), 8080, 17, trafficdirection.Egress.Uint8()}
+	mapKeyL3L4Port8080ProtoSCTPWorldIPIngress = Key{worldIPIdentity.Uint32(), 8080, 132, trafficdirection.Ingress.Uint8()}
+	mapKeyL3L4Port8080ProtoSCTPWorldIPEgress  = Key{worldIPIdentity.Uint32(), 8080, 132, trafficdirection.Egress.Uint8()}
+
 	ruleL3AllowWorldSubnet = api.NewRule().WithIngressRules([]api.IngressRule{{
 		ToPorts: api.PortRules{
 			api.PortRule{
@@ -1611,7 +1618,7 @@ func Test_EnsureDeniesPrecedeAllows(t *testing.T) {
 		return cache.IdentityCache{
 			identity.NumericIdentity(identityFoo): labelsFoo,
 			identity.ReservedIdentityWorld:        labels.LabelWorld.LabelArray(),
-			worldIPIdentity:                       lblWorldIP,                  // "192.0.2.3/32"
+			worldIPIdentity:                       lblWorldIP.LabelArray(),     // "192.0.2.3/32"
 			worldSubnetIdentity:                   lblWorldSubnet.LabelArray(), // "192.0.2.0/24"
 		}
 	}
@@ -1654,14 +1661,24 @@ func Test_EnsureDeniesPrecedeAllows(t *testing.T) {
 		result   MapState
 	}{
 		{"deny_world_no_labels", api.Rules{ruleL3DenyWorld, ruleL3AllowWorldIP}, defaultIDs, map[Key]MapStateEntry{
-			mapKeyL3WorldIngress: mapEntryDeny,
-			mapKeyL3WorldEgress:  mapEntryDeny,
+			mapKeyL3WorldIngress:         mapEntryDeny,
+			mapKeyL3WorldEgress:          mapEntryDeny,
+			mapKeyL3SubnetIngress:        mapEntryDeny,
+			mapKeyL3SubnetEgress:         mapEntryDeny,
+			mapKeyL3SmallerSubnetIngress: mapEntryDeny,
+			mapKeyL3SmallerSubnetEgress:  mapEntryDeny,
 		}}, {"deny_world_with_labels", api.Rules{ruleL3DenyWorldWithLabels, ruleL3AllowWorldIP}, defaultIDs, map[Key]MapStateEntry{
-			mapKeyL3WorldIngress: mapEntryWorldDenyWithLabels,
-			mapKeyL3WorldEgress:  mapEntryWorldDenyWithLabels,
+			mapKeyL3WorldIngress:         mapEntryWorldDenyWithLabels,
+			mapKeyL3WorldEgress:          mapEntryWorldDenyWithLabels,
+			mapKeyL3SubnetIngress:        mapEntryWorldDenyWithLabels,
+			mapKeyL3SubnetEgress:         mapEntryWorldDenyWithLabels,
+			mapKeyL3SmallerSubnetIngress: mapEntryWorldDenyWithLabels,
+			mapKeyL3SmallerSubnetEgress:  mapEntryWorldDenyWithLabels,
 		}}, {"deny_one_ip_with_a_larger_subnet", api.Rules{ruleL3DenySubnet, ruleL3AllowWorldIP}, defaultIDs, map[Key]MapStateEntry{
-			mapKeyL3SubnetIngress: mapEntryDeny,
-			mapKeyL3SubnetEgress:  mapEntryDeny,
+			mapKeyL3SubnetIngress:        mapEntryDeny,
+			mapKeyL3SubnetEgress:         mapEntryDeny,
+			mapKeyL3SmallerSubnetIngress: mapEntryDeny,
+			mapKeyL3SmallerSubnetEgress:  mapEntryDeny,
 		}}, {"deny_part_of_a_subnet_with_an_ip", api.Rules{ruleL3DenySmallerSubnet, ruleL3AllowLargerSubnet}, defaultIDs, map[Key]MapStateEntry{
 			mapKeyL3SmallerSubnetIngress: mapEntryDeny,
 			mapKeyL3SmallerSubnetEgress:  mapEntryDeny,
@@ -1691,6 +1708,12 @@ func Test_EnsureDeniesPrecedeAllows(t *testing.T) {
 			mapKeyL3L4Port8080ProtoUDPWorldEgress:     mapEntryDeny,
 			mapKeyL3L4Port8080ProtoSCTPWorldIngress:   mapEntryDeny,
 			mapKeyL3L4Port8080ProtoSCTPWorldEgress:    mapEntryDeny,
+			mapKeyL3L4Port8080ProtoTCPWorldIPIngress:  mapEntryDeny,
+			mapKeyL3L4Port8080ProtoTCPWorldIPEgress:   mapEntryDeny,
+			mapKeyL3L4Port8080ProtoUDPWorldIPIngress:  mapEntryDeny,
+			mapKeyL3L4Port8080ProtoUDPWorldIPEgress:   mapEntryDeny,
+			mapKeyL3L4Port8080ProtoSCTPWorldIPIngress: mapEntryDeny,
+			mapKeyL3L4Port8080ProtoSCTPWorldIPEgress:  mapEntryDeny,
 			mapKeyL3SmallerSubnetIngress:              mapEntryAllow,
 			mapKeyL3SmallerSubnetEgress:               mapEntryAllow,
 			mapKeyL3L4Port8080ProtoTCPWorldSNIngress:  mapEntryDeny,

pkg/policy/mapstate.go

@@ -365,12 +365,7 @@ func (keys MapState) addKeyWithChanges(key Key, entry MapStateEntry, changes Cha
 	// Keep all owners that need this entry so that it is deleted only if all the owners delete their contribution
 	oldEntry, exists := keys[key]
 	var datapathEqual bool
-	if exists {
-		// Deny entry can only be overridden by another deny entry
-		if oldEntry.IsDeny && !entry.IsDeny {
-			return
-		}
-
+	if exists && oldEntry.IsDeny == entry.IsDeny {
 		if entry.DeepEqual(&oldEntry) {
 			return // nothing to do
 		}
@@ -383,7 +378,7 @@ func (keys MapState) addKeyWithChanges(key Key, entry MapStateEntry, changes Cha
 		datapathEqual = oldEntry.DatapathEqual(&entry)
 		oldEntry.Merge(&entry)
 		keys[key] = oldEntry
-	} else {
+	} else if !exists || entry.IsDeny {
 		// Newly inserted entries must have their own containers, so that they
 		// remain separate when new owners/dependents are added to existing entries
 		entry.DerivedFromRules = slices.Clone(entry.DerivedFromRules)
@@ -564,6 +559,7 @@ func (keys MapState) denyPreferredInsertWithChanges(newKey Key, newEntry MapStat
 		return
 	}
 	if newEntry.IsDeny {
+		bailed := false
 		for k, v := range keys {
 			// Protocols and traffic directions that don't match ensure that the policies
 			// do not interact in anyway.
@@ -587,44 +583,96 @@ func (keys MapState) denyPreferredInsertWithChanges(newKey Key, newEntry MapStat
 						// identity is removed.
 						newEntry.AddDependent(newKeyCpy)
 					}
-				} else if (newKey.Identity == k.Identity ||
-					identityIsSupersetOf(newKey.Identity, k.Identity, identities)) &&
-					(newKey.PortProtoIsBroader(k) || newKey.PortProtoIsEqual(k)) {
-					// If the new-entry is a superset (or equal) of the iterated-allow-entry and
-					// the new-entry has a broader (or equal) port-protocol then we
-					// should delete the iterated-allow-entry
-					keys.deleteKeyWithChanges(k, nil, changes)
+				} else if newKey.PortProtoIsBroader(k) || newKey.PortProtoIsEqual(k) {
+					// If newKey has a broader (or equal) port-protocol then we should
+					// either delete the iterated-allow-entry (if the identity is the
+					// same or the newKey is L3 wildcard), or change it to a deny entry
+					// if the newKey's identity is a superset of the iterated identity
+					// (e.g., newKey has a wider CIDR (say 10/8 covering the iterated
+					// identity of more specific CIDR (say 10.1.1.1). Note that the
+					// security identities assigned to these CIDRs have no numerical
+					// relation to each other (e.g, they could be any numbers X and Y)
+					// and the datapath does an exact match on them.
+					if newKey.Identity == 0 || newKey.Identity == k.Identity {
+						keys.deleteKeyWithChanges(k, nil, changes)
+					} else if identityIsSupersetOf(newKey.Identity, k.Identity, identities) {
+						// When newKey.Identity is not ANY and is different from the
+						// subset key, but still a superset (e.g., in CIDR sense) we
+						// must keep the subset key and make it a deny instead.
+						l3l4DenyEntry := NewMapStateEntry(newKey, newEntry.DerivedFromRules, false, true, DefaultAuthType, AuthTypeDisabled)
+						keys.addKeyWithChanges(k, l3l4DenyEntry, changes)
+						newEntry.AddDependent(k)
+					}
+				} else if newKey.Identity != 0 {
+					if identityIsSupersetOf(newKey.Identity, k.Identity, identities) {
+						// k.PortProtoIsBroader(newKey) // due to if statements above
+
+						// Deny takes precedence for the port/proto of the newKey
+						// for each allow with broader port/proto and narrower ID.
+
+						// If newKey is a superset of the iterated allow key and newKey has
+						// more specific port-protocol than the iterated allow key then an
+						// additional deny entry with port/proto of newKey and with the
+						// identity of the iterated allow key must be added.
+						denyKeyCpy := newKey
+						denyKeyCpy.Identity = k.Identity
+						l3l4DenyEntry := NewMapStateEntry(newKey, newEntry.DerivedFromRules, false, true, DefaultAuthType, AuthTypeDisabled)
+						keys.addKeyWithChanges(denyKeyCpy, l3l4DenyEntry, changes)
+						newEntry.AddDependent(denyKeyCpy)
+					}
 				}
-			} else if (newKey.Identity == k.Identity ||
-				identityIsSupersetOf(k.Identity, newKey.Identity, identities)) &&
-				k.DestPort == 0 && k.Nexthdr == 0 &&
-				!v.HasDependent(newKey) {
-				// If this iterated-deny-entry is a supserset (or equal) of the new-entry and
-				// the iterated-deny-entry is an L3-only policy then we
-				// should not insert the new entry (as long as it is not one
-				// of the special L4-only denies we created to cover the special
-				// case of a superset-allow with a more specific port-protocol).
 				//
-				// NOTE: This condition could be broader to reject more deny entries,
-				// but there *may* be performance tradeoffs.
-				return
-			} else if (newKey.Identity == k.Identity ||
-				identityIsSupersetOf(newKey.Identity, k.Identity, identities)) &&
-				newKey.DestPort == 0 && newKey.Nexthdr == 0 &&
-				!newEntry.HasDependent(k) {
-				// If this iterated-deny-entry is a subset (or equal) of the new-entry and
-				// the new-entry is an L3-only policy then we
-				// should delete the iterated-deny-entry (as long as it is not one
-				// of the special L4-only denies we created to cover the special
-				// case of a superset-allow with a more specific port-protocol).
+				// END OF ITERATED-ALLOW PROCESSING, ALL REMAINING CONDITIONS HIT
+				// ITERATED-DENY ENTRIES
 				//
-				// NOTE: This condition could be broader to reject more deny entries,
-				// but there *may* be performance tradeoffs.
+			} else if bailed {
+				// Skip processing further deny entries if we are bailing out.
+				// We still need to loop through all the allow entries, so we can not
+				// break out when bailing!
+				continue
+			} else if (k.Identity == 0 || k.Identity == newKey.Identity) &&
+				(k.PortProtoIsEqual(newKey) || k.PortProtoIsBroader(newKey)) {
+				// A narrower of two deny keys is redundant in the datapath only if
+				// the broader ID is 0, or the IDs are the same. This is because the
+				// ID will be assigned from the ipcache and datapath has no notion
+				// of one ID being related to another (e.g., in a CIDR sense).
+
+				// If this iterated-deny-entry is an deny-all-L3 or has the same ID
+				// as the new-entry and the iterated-deny-entry has a broader (or
+				// equal) port-protocol it will match all the packets the newKey
+				// would, given that we do not allow more specific allow rules to be
+				// inserted.
+
+				// Identical key needs to be added if entries are different (to merge
+				// them). This has no effect on the datapath policy map but is
+				// needed for internal bookkeeping.
+				if k != newKey || v.DeepEqual(&newEntry) {
+					bailed = true
+					continue
+				}
+			} else if (newKey.Identity == 0 || newKey.Identity == k.Identity) &&
+				(newKey.PortProtoIsEqual(k) || newKey.PortProtoIsBroader(k)) &&
+				!newEntry.HasDependent(k) {
+				// If this iterated-deny-entry is a subset (or equal) of the
+				// new-entry and the new-entry has a broader (or equal)
+				// port-protocol the newKey will match all the packets the iterated
+				// key would, given that there are no more specific or L4-only allow
+				// entries. We remove(d) the more specific allow rules in the blocks
+				// above, and added more specific deny rules if there was an L4-only
+				// allow rule. We use 'HasDependant' to figure out that 'k' must
+				// remain to take precedence over the L4-only allow key.
+
+				// Identical key would have been captured in the block above, so we
+				// do not need to check for it here.
 				keys.deleteKeyWithChanges(k, nil, changes)
 			}
 		}
-		keys.addKeyWithChanges(newKey, newEntry, changes)
+		if !bailed {
+			keys.addKeyWithChanges(newKey, newEntry, changes)
+		}
 	} else {
+		insertAsDeny := false
+		var denyEntry MapStateEntry
 		for k, v := range keys {
 			// Protocols and traffic directions that don't match ensure that the policies
 			// do not interact in anyway.
@@ -650,17 +698,55 @@ func (keys MapState) denyPreferredInsertWithChanges(newKey Key, newEntry MapStat
 						// identity is removed.
 						keys.addDependentOnEntry(k, v, denyKeyCpy, changes)
 					}
-				} else if (k.Identity == newKey.Identity ||
-					identityIsSupersetOf(k.Identity, newKey.Identity, identities)) &&
-					(k.PortProtoIsBroader(newKey) || k.PortProtoIsEqual(newKey)) &&
-					!v.HasDependent(newKey) {
-					// If the iterated-deny-entry is a superset (or equal) of the new-entry and has a
-					// broader (or equal) port-protocol than the new-entry then the new
-					// entry should not be inserted.
-					return
+				} else if k.PortProtoIsBroader(newKey) || k.PortProtoIsEqual(newKey) {
+					if k.Identity == 0 || k.Identity == newKey.Identity {
+						// If the iterated-deny-entry is a datapath superset (or
+						// equal) of the new-entry and has a broader (or equal)
+						// port-protocol than the new-entry then the new entry
+						// should not be inserted.
+						return
+					} else if identityIsSupersetOf(k.Identity, newKey.Identity, identities) {
+						// if newKey is not bailed due to being covered in the
+						// datapath by a deny entry, but is covered by a deny entry
+						// in the CIDR sense, we must change this allow entry to a
+						// deny entry so that the covering deny policy is honored
+						// also for this ID in the datapath.
+						if !insertAsDeny {
+							insertAsDeny = true
+							denyEntry = NewMapStateEntry(k, v.DerivedFromRules, false, true, DefaultAuthType, AuthTypeDisabled)
+						} else {
+							// Collect the owners and labels of all the contributing deny rules
+							denyEntry.Merge(&v)
+						}
+					}
+				} else if k.Identity != 0 {
+					// newKey.PortProtoIsBroader(k) as per previous if statements
+					//
+					// New L3/4 deny entry is not needed if the iterated key has wildcard L3,
+					// as in that case it has precedence due to it having more specific L4.
+					// So here we are only concerned about 'k' having a superset identity in
+					// the CIDR sense, in which case a new L3/4 deny entry is needed.
+					if identityIsSupersetOf(k.Identity, newKey.Identity, identities) {
+						// If the new-entry is a subset of the iterated-deny-entry
+						// and the new-entry has a less specific port-protocol than
+						// the iterated-deny-entry then an additional copy of the
+						// iterated-deny-entry with the identity of the new-entry
+						// must be added.
+						denyKeyCpy := k
+						denyKeyCpy.Identity = newKey.Identity
+						l3l4DenyEntry := NewMapStateEntry(k, v.DerivedFromRules, false, true, DefaultAuthType, AuthTypeDisabled)
+						keys.addKeyWithChanges(denyKeyCpy, l3l4DenyEntry, changes)
+						// L3-only entries can be deleted incrementally so we need
+						// to track their effects on other entries so that those
+						// effects can be reverted when the identity is removed.
+						keys.addDependentOnEntry(k, v, denyKeyCpy, changes)
+					}
 				}
 			}
 		}
+		if insertAsDeny {
+			newEntry = denyEntry
+		}
 		keys.authPreferredInsert(newKey, newEntry, features, changes)
 	}
 }