@@ -35,6 +35,7 @@ struct match_context {
3535 __u8 policy_index ;
3636 bool need_tailcall_to_userspace ;
3737 __u8 n_rules ;
38+ int auth_result ;
3839 wl_policies_v * policies ;
3940 void * rulesPtr ;
4041};
@@ -573,7 +574,14 @@ int policies_check(struct xdp_md *ctx)
573574 }
574575 policy = map_lookup_authz (policyId );
575576 if (!policy ) {
576- return XDP_PASS ;
577+ // Currently, authz in xdp only support ip and port,
578+ // if any principal or namespace type policy is configured,
579+ // we need to tailcall to userspace.
580+ if (match_ctx -> need_tailcall_to_userspace ) {
581+ bpf_tail_call (ctx , & map_of_xdp_tailcall , TAIL_CALL_AUTH_IN_USER_SPACE );
582+ return XDP_PASS ;
583+ }
584+ return match_ctx -> auth_result ;
577585 } else {
578586 rulesPtr = KMESH_GET_PTR_VAL (policy -> rules , void * );
579587 if (!rulesPtr ) {
@@ -672,15 +680,10 @@ int policy_check(struct xdp_md *ctx)
672680 }
673681 return match_ctx -> action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS ;
674682 }
675-
676- match_ctx -> policy_index ++ ;
677- if (match_ctx -> policy_index >= MAX_MEMBER_NUM_PER_POLICY ) {
678- if (match_ctx -> need_tailcall_to_userspace ) {
679- bpf_tail_call (ctx , & map_of_xdp_tailcall , TAIL_CALL_AUTH_IN_USER_SPACE );
680- return XDP_PASS ;
681- }
682- return XDP_PASS ;
683+ if (match_ctx -> auth_result == XDP_PASS ) {
684+ match_ctx -> auth_result = match_ctx -> action == ISTIO__SECURITY__ACTION__DENY ? XDP_PASS : XDP_DROP ;
683685 }
686+ match_ctx -> policy_index ++ ;
684687
685688 ret = bpf_map_update_elem (& kmesh_tc_args , & tuple_key , match_ctx , BPF_ANY );
686689 if (ret < 0 ) {
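Review bot: The ternary at line 684 reads as inverted on first sight (a DENY policy maps to XDP_PASS) and needs a comment stating the rule it encodes, e.g. `// Policy did not match: an unmatched DENY keeps the default PASS, an unmatched ALLOW makes the request unauthorized unless a later ALLOW matches.` With the `policy_index >= MAX_MEMBER_NUM_PER_POLICY` guard removed, termination of the scan now rests on map_lookup_authz returning NULL in policies_check; since policy_index is a __u8, please confirm the index is still bounded before it is used to fetch the next policy id, as a wrap to 0 would restart the scan. The body of policy_check starts outside this hunk.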