From: Vipul Singh
Date: Fri, 12 Dec 2025 01:44:58 +0000 (+0000)
Subject: Remove duplicate rules sent to sdp for same endpt
X-Git-Url: https://git.feebdaed.xyz/?a=commitdiff_plain;h=d72d01857da789307639b397fdb9e70fdf8250b6;p=0xmirror%2Fcilium.git

Remove duplicate rules sent to sdp for same endpt

Cilium agent was sending the dns rules for each ip of an endpoint. This send duplicate data to the sdp in case an endpoint has ipv4/ipv6 ip address.

Signed-off-by: Vipul Singh
---
diff --git a/pkg/fqdn/service/service.go b/pkg/fqdn/service/service.go
index 628c522774..fb1c46169b 100644
--- a/pkg/fqdn/service/service.go
+++ b/pkg/fqdn/service/service.go
@@ -334,6 +334,10 @@ func (s *FQDNDataServer) sendAndRecvAckForDNSPolicies(stream pb.FQDNData_StreamP
 // Get the IPs associated with this identity
 epIPs := identityIPMap[rule.Identity]
 
+// Track which endpoint IDs we've already added for this specific DNS policy
+// This prevents duplicates when multiple IPs(ipv4/ipv6) from the same identity point to the same endpoint
+addedEndpoints := make(map[uint32]bool)
+
 // For each IP, find the corresponding endpoint and create DNS policy
 for _, prefix := range epIPs {
 ip := prefix.Addr()
@@ -344,9 +348,18 @@ func (s *FQDNDataServer) sendAndRecvAckForDNSPolicies(stream pb.FQDNData_StreamP
 continue
 }
 
+endpointID := uint32(ep.GetID())
+
+// Skip if we've already added this endpoint for this DNS policy
+if addedEndpoints[endpointID] {
+continue
+}
+// Mark this endpoint as added for this DNS policy
+addedEndpoints[endpointID] = true
+
 // Create DNS policy with endpoint information
 egressL7DnsPolicy = append(egressL7DnsPolicy, &pb.DNSPolicy{
-SourceEndpointId: uint32(ep.GetID()),
+SourceEndpointId: endpointID,
 DnsServers: dnsPolicy.DnsServers,
 DnsPattern: dnsPolicy.DnsPattern,
 })
diff --git a/pkg/fqdn/service/service_test.go b/pkg/fqdn/service/service_test.go
index a70c358211..43bf6f5e64 100644
--- a/pkg/fqdn/service/service_test.go
+++ b/pkg/fqdn/service/service_test.go
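Review bot: `addedEndpoints` is used purely as a set, so `map[uint32]struct{}` is the idiomatic Go type here rather than `map[uint32]bool`, and because the inner loop can add at most `len(epIPs)` entries it can be pre-sized: `addedEndpoints := make(map[uint32]struct{}, len(epIPs))`. The membership test in the next hunk then becomes `if _, seen := addedEndpoints[endpointID]; seen { continue }` followed by `addedEndpoints[endpointID] = struct{}{}`. The second added comment line also reads better as `multiple IPs (IPv4/IPv6)` with a space before the parenthesis. The enclosing `sendAndRecvAckForDNSPolicies` starts and ends outside this hunk.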
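Review bot: The dedup set is rebuilt and every IP is re-resolved to an endpoint on each pass through the rule loop, even though `epIPs` depends only on `rule.Identity`; if the enclosing loop, which starts outside the hunk, visits the same identity for several rules, resolving that identity's IPs to a deduplicated list of endpoint IDs once per identity and iterating that list per rule would do each endpoint lookup once instead of once per rule. This is a hedged suggestion since neither the shape of the outer loop nor the size of `identityIPMap` is visible here. If the per-rule shape is kept, the comment `// Mark this endpoint as added for this DNS policy` only restates the assignment below it and could be dropped in favour of the single explanatory comment already placed on the set's declaration.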
@@ -49,6 +49,7 @@ var (
 destIdentity = identity.NumericIdentity(2)
 destEndpointId = uint16(102)
 sourceIP = "1.2.3.4/32"
+sourceIPV6 = "2001:db8::1/128"
 destIP = "5.6.7.8/32"
 )
 
@@ -319,11 +320,14 @@ func setupServer(t *testing.T, port int, enableL7Proxy bool, enableStandaloneDNS
 
 // addEndpointMapping adds source and destination endpoint to the server.
 func addEndpointMapping(t *testing.T, fqdnDataServer *FQDNDataServer) {
-// Add the source endpoint mapping to the server
+// Add the source endpoint mapping to the server with 2 IPs (IPv4 + IPv6)
 prefix := netip.MustParsePrefix(sourceIP)
 validCIDR := types.NewPrefixCluster(prefix, 0)
 dummyIdentity := ipcache.Identity{ID: sourceIdentity}
 fqdnDataServer.OnIPIdentityCacheChange(ipcache.Upsert, validCIDR, nil, nil, nil, dummyIdentity, 0, nil, 0)
+prefix = netip.MustParsePrefix(sourceIPV6)
+validCIDR = types.NewPrefixCluster(prefix, 0)
+fqdnDataServer.OnIPIdentityCacheChange(ipcache.Upsert, validCIDR, nil, nil, nil, dummyIdentity, 0, nil, 0)
 // Add the destination endpoint mapping to the server
 prefix = netip.MustParsePrefix(destIP)
 validCIDR = types.NewPrefixCluster(prefix, 0)
@@ -392,6 +396,15 @@ func TestSuccessfullyStreamPolicyState(t *testing.T) {
 })
 // Increment the count for each response received
 if len(receivedResultClient.GetEgressL7DnsPolicy()) > 0 {
+receivedRules := receivedResultClient.GetEgressL7DnsPolicy()
+sourceEndpointIDPolicyCount := 0
+for _, r := range receivedRules {
+if r.GetSourceEndpointId() == uint32(sourceEndpointId) {
+sourceEndpointIDPolicyCount++
+}
+}
+// Ensure no duplicate policies for the same endpoint
+require.Equal(t, 1, sourceEndpointIDPolicyCount)
 count++
 }
 connected = true
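Review bot: `sourceIPV6` breaks the initialism casing that the neighbouring `sourceIP` follows; Go convention writes it `sourceIPv6 = "2001:db8::1/128"`, with the single use in the `addEndpointMapping` hunk renamed to match. The enclosing `var (` block starts outside this hunk.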
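Review bot: The new duplicate check only runs inside `if len(receivedResultClient.GetEgressL7DnsPolicy()) > 0`, so a stream that delivers no egress policies at all passes this assertion silently, and the test's dedup guarantee rests on whatever `count` is compared against later, outside the hunk. If that later check does not require at least one policy, the assertion here should carry the expectation explicitly, e.g. `require.Equal(t, 1, sourceEndpointIDPolicyCount, "expected exactly one DNS policy for the source endpoint")`, and a missing-policy case should fail too. `GetEgressL7DnsPolicy()` is also called twice; reading it once into `receivedRules` before the `if` avoids the repeat. If this receive loop runs on a goroutine other than the test's, `require` must become `assert`, since `FailNow` may only be called from the test goroutine — I cannot tell from the hunk. `TestSuccessfullyStreamPolicyState` starts and ends outside this hunk.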