Skip to content

Publish proposal for connect authorization layer #4767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Publish proposal for connect authorization layer #4767

wants to merge 4 commits into from

Conversation

@Alan-Jowett
Copy link
Member

@Alan-Jowett Alan-Jowett commented Oct 29, 2025

Description

Add proposal only for connect authorization proposal.

Testing

N/A

Documentation

Yes

Installation

No.

Publish proposal for connect authorization layer
849e248 
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
dthaler
dthaler reviewed Oct 29, 2025
View reviewed changes
dthaler
dthaler reviewed Oct 29, 2025
View reviewed changes
Alan Jowett added 3 commits October 29, 2025 14:20
PR feedback
51c106b 
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
PR feedback
1cb6c09 
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
PR feedback
25ae309 
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
shankarseal
shankarseal reviewed Oct 30, 2025
View reviewed changes
docs/ConnectAuthorizationAttachTypes.md
```c
// CONNECT layer program - handles redirection and basic filtering.
SEC("cgroup/connect4")
int redirect_and_basic_filter(struct bpf_sock_addr *ctx)
Copy link
Collaborator

@shankarseal shankarseal Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bpf_sock_addr is writable for linux INET_CONNECT attach types. In the new attach type they are effectively not. Should the extension reject the verdict of a program at this attach layer that changed the sock_addr context by modifying the source or destiantion IP/port?

shankarseal
shankarseal reviewed Oct 30, 2025
View reviewed changes
docs/ConnectAuthorizationAttachTypes.md
### Additional Helper Functions
CONNECT_AUTHORIZATION and AUTH_RECV_ACCEPT attach types provide access to additional network layer properties through specialized helper functions:

#### `bpf_sock_addr_get_interface_type(ctx)`
Copy link
Collaborator

@shankarseal shankarseal Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: a single helper function that returns a versioned struct that holds all the required information; with the provision new fields can be added for a future version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shankarseal shankarseal shankarseal left review comments

@dthaler dthaler dthaler approved these changes

@LakshK98 LakshK98 Awaiting requested review from LakshK98 LakshK98 is a code owner

@matthewige matthewige Awaiting requested review from matthewige matthewige is a code owner

@mikeagun mikeagun Awaiting requested review from mikeagun mikeagun is a code owner

@mtfriesen mtfriesen Awaiting requested review from mtfriesen mtfriesen is a code owner

@poornagmsft poornagmsft Awaiting requested review from poornagmsft poornagmsft is a code owner

@saxena-anurag saxena-anurag Awaiting requested review from saxena-anurag saxena-anurag is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Alan-Jowett @dthaler @shankarseal