static inline int evaluateByLookUp()

in pkg/ebpf/c/tc.v4egress.bpf.c [96:132]


/*
 * Egress policy verdict for a packet decided from the LPM trie rather than
 * from an existing conntrack entry (presumably the caller reaches this only
 * when the flow is not yet in aws_conntrack_map; not visible here).
 *
 * The destination is looked up in egress_map and the rule slots stored in
 * the map value are walked in order. Exactly one policy event is emitted
 * per call, and the first decisive slot wins:
 *   - no trie entry for the destination                      -> BPF_DROP
 *   - a RESERVED_IP_PROTOCOL slot is reached before a match   -> BPF_DROP
 *   - a slot matches the packet's protocol and L4 dst port   -> conntrack
 *     entry inserted, BPF_OK
 *   - all slots walked without a match                        -> BPF_DROP
 *
 * trie_key     LPM key used for the egress_map lookup.
 * flow_key     conntrack key under which an allowed flow is recorded.
 * pst          pod policy state; only pst->state is read (compared with
 *              DEFAULT_ALLOW). It is dereferenced without a NULL check, so
 *              the caller must guarantee it is non-NULL.
 * evt          policy event template. Passed by value, so the caller's copy
 *              is not modified; evt.verdict is set to 1 (allow) or 0 (drop)
 *              before the copy is written to the policy_events ring buffer.
 * ip           IPv4 header; only ip->protocol is read.
 * l4_dst_port  destination L4 port compared against each slot's port range.
 *
 * Returns BPF_OK (allow) or BPF_DROP (deny).
 */
static inline int evaluateByLookUp(struct keystruct trie_key, struct conntrack_key flow_key, struct pod_state *pst, struct data_t evt, struct iphdr *ip, __u32 l4_dst_port) {
	struct lpm_trie_val *trie_val;
	//Check if it's in the allowed list
	// Default deny: a destination with no entry in the trie at all is dropped.
	trie_val = bpf_map_lookup_elem(&egress_map, &trie_key);
	if (trie_val == NULL) {
		evt.verdict = 0;
		// Event emission is best-effort; the return value is discarded, so a
		// full ring buffer never changes the verdict.
		bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
		return BPF_DROP;
	}

	// The map value is treated as MAX_PORT_PROTOCOL consecutive
	// struct lpm_trie_val slots; the pointer walk below is only in bounds if
	// egress_map's value_size (defined elsewhere) is exactly that. Keep the
	// two in sync when changing either side.
	for (int i = 0; i < MAX_PORT_PROTOCOL; i++, trie_val++){
		// Explicit deny marker: stops the walk, so it overrides every allow
		// slot that follows it (slots before it have already been tried).
		if (trie_val->protocol == RESERVED_IP_PROTOCOL) {
			evt.verdict = 0;
			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
			return BPF_DROP;
		}

		// A slot matches when it covers any protocol, or it covers the
		// packet's protocol and either any port, exactly start_port, or
		// (start_port, end_port]. The last two together form the inclusive
		// range [start_port, end_port].
		// NOTE(review): unused slots are not skipped explicitly. If they are
		// zero-filled and ANY_PORT is 0, a packet whose ip->protocol equals
		// the zero value would match such a slot and be allowed to any
		// destination present in the trie - confirm how unused slots are
		// encoded and that the loader never leaves a slot with that protocol.
		if ((trie_val->protocol == ANY_IP_PROTOCOL) || (trie_val->protocol == ip->protocol &&
					((trie_val->start_port == ANY_PORT) || (l4_dst_port == trie_val->start_port) ||
						(l4_dst_port > trie_val->start_port && l4_dst_port <= trie_val->end_port)))) {
			//Inject in to conntrack map
			// The stored value records which pod state admitted the flow:
			// CT_VAL_DEFAULT_ALLOW when pst->state == DEFAULT_ALLOW,
			// CT_VAL_POLICIES_APPLIED otherwise.
			struct conntrack_value new_flow_val = {};
			if (pst->state == DEFAULT_ALLOW) {
				new_flow_val.val = CT_VAL_DEFAULT_ALLOW;
			} else {
				new_flow_val.val = CT_VAL_POLICIES_APPLIED;
			}
			// Return value is discarded: if the insert fails (e.g. the map is
			// full) this packet is still allowed but the flow is not tracked.
			bpf_map_update_elem(&aws_conntrack_map, &flow_key, &new_flow_val, 0); // 0 - BPF_ANY
			evt.verdict = 1;
			bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
			return BPF_OK;
		}
	}
	// Destination is known to the trie but no slot allows this
	// protocol/port combination.
	evt.verdict = 0;
	bpf_ringbuf_output(&policy_events, &evt, sizeof(evt), 0);
	return BPF_DROP;
}