l7policy: Log allowed traffic once.

jrajahalme · jrajahalme · commit 04afc8befaf7 · 2025-06-18T16:44:41.000+02:00
Signed-off-by: Jarno Rajahalme &lt;jarno@isovalent.com&gt;
diff --git a/cilium/l7policy.cc b/cilium/l7policy.cc
@@ -218,6 +218,8 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he
     }
 
     // must have a policy configured
+    // This is safe as the upstream filter was introduced at Cilium 1.16 and
+    // bpf_metadata config has had 'enforce_policy_on_l7lb' set since Cilium 1.15.
     if (policy_fs->pod_ip_.length() == 0 && policy_fs->ingress_policy_name_.length() == 0) {
       ENVOY_CONN_LOG(warn, "cilium.network: no policy configured", conn.ref());
       return Http::FilterHeadersStatus::StopIteration;
@@ -264,8 +266,6 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he
                                    absl::nullopt, absl::string_view());
         return Http::FilterHeadersStatus::StopIteration;
       }
-      // Log as a forwarded request
-      config_->log(*log_entry_, ::cilium::EntryType::Request);
     }
 
     // Is there an Ingress policy?
@@ -282,9 +282,9 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he
                                    absl::nullopt, absl::string_view());
         return Http::FilterHeadersStatus::StopIteration;
       }
-      // Log as a forwarded request
-      config_->log(*log_entry_, ::cilium::EntryType::Request);
     }
+    // Log as a forwarded request, once.
+    config_->log(*log_entry_, ::cilium::EntryType::Request);
   }
   return Http::FilterHeadersStatus::Continue;
 }

Original file line number	Diff line number	Diff line change
`@@ -218,6 +218,8 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he`
`218`	`218`	`}`
`219`	`219`
`220`	`220`	`// must have a policy configured`
	`221`	`+ // This is safe as the upstream filter was introduced at Cilium 1.16 and`
	`222`	`+ // bpf_metadata config has had 'enforce_policy_on_l7lb' set since Cilium 1.15.`
`221`	`223`	`if (policy_fs->pod_ip_.length() == 0 && policy_fs->ingress_policy_name_.length() == 0) {`
`222`	`224`	`ENVOY_CONN_LOG(warn, "cilium.network: no policy configured", conn.ref());`
`223`	`225`	`return Http::FilterHeadersStatus::StopIteration;`
`@@ -264,8 +266,6 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he`
`264`	`266`	`absl::nullopt, absl::string_view());`
`265`	`267`	`return Http::FilterHeadersStatus::StopIteration;`
`266`	`268`	`}`
`267`		`- // Log as a forwarded request`
`268`		`- config_->log(*log_entry_, ::cilium::EntryType::Request);`
`269`	`269`	`}`
`270`	`270`
`271`	`271`	`// Is there an Ingress policy?`
`@@ -282,9 +282,9 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he`
`282`	`282`	`absl::nullopt, absl::string_view());`
`283`	`283`	`return Http::FilterHeadersStatus::StopIteration;`
`284`	`284`	`}`
`285`		`- // Log as a forwarded request`
`286`		`- config_->log(*log_entry_, ::cilium::EntryType::Request);`
`287`	`285`	`}`
	`286`	`+ // Log as a forwarded request, once.`
	`287`	`+ config_->log(*log_entry_, ::cilium::EntryType::Request);`
`288`	`288`	`}`
`289`	`289`	`return Http::FilterHeadersStatus::Continue;`
`290`	`290`	`}`