From dc0529c15b3f8c5c6b7268dfdbece8baac0b2c8d Mon Sep 17 00:00:00 2001
From: Tam Mach
Date: Wed, 14 May 2025 19:26:53 +1000
Subject: [PATCH] policy: Allow same source and destination egress

The incoming request could go back to the same destination to the client. This commit is to allow such hair pinning case in L3/l$ and L7.

Signed-off-by: Tam Mach
---
cilium/l7policy.cc | 7 +++++--
cilium/network_filter.cc | 13 +++++++++----
2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/cilium/l7policy.cc b/cilium/l7policy.cc
index e0cd30914..1605316af 100644
--- a/cilium/l7policy.cc
+++ b/cilium/l7policy.cc
@@ -209,8 +209,11 @@ Http::FilterHeadersStatus AccessFilter::decodeHeaders(Http::RequestHeaderMap& he
 callbacks_->streamInfo(), headers);
 }
- allowed_ = policy_fs->enforceHTTPPolicy(conn.ref(), !config_->is_upstream_, destination_identity,
- destination_port, headers, *log_entry_);
+ allowed_ =
+ dip->addressAsString() == policy_fs->pod_ip_
+ ? true
+ : policy_fs->enforceHTTPPolicy(conn.ref(), !config_->is_upstream_, destination_identity,
+ destination_port, headers, *log_entry_);
 ENVOY_CONN_LOG(
 debug, "cilium.l7policy: {} ({}->{}) {} policy lookup for endpoint {} for port {}: {}",
diff --git a/cilium/network_filter.cc b/cilium/network_filter.cc
index 4fd688e32..b53c9b75c 100644
--- a/cilium/network_filter.cc
+++ b/cilium/network_filter.cc
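Review bot: The hairpin exemption `dip->addressAsString() == policy_fs->pod_ip_` is applied regardless of direction, even though the call it short-circuits still receives `!config_->is_upstream_` as its ingress flag; if this filter also runs on ingress listeners, where the destination address is the local pod itself, every inbound request would skip enforceHTTPPolicy and be allowed — a fail-open bypass rather than the egress-only hairpin the commit title describes. The same unconditional check is in the network_filter.cc hunk, so whatever gating is chosen should be applied there too. Unless `dip` can never equal the pod address on ingress (not visible here — decodeHeaders begins before this hunk), gate the shortcut on the egress side, e.g. `allowed_ = (config_->is_upstream_ && dip->addressAsString() == policy_fs->pod_ip_) || policy_fs->enforceHTTPPolicy(conn.ref(), !config_->is_upstream_, destination_identity, destination_port, headers, *log_entry_);`, on the assumption that `is_upstream_` marks the egress direction as the negated ingress argument suggests. The exemption also deserves a comment so a reader of the access log understands why no policy lookup was recorded for these requests, e.g. `// Hairpin: a request whose destination is this pod's own IP bypasses policy lookup`. Note the textual comparison assumes `pod_ip_` is stored in exactly the form addressAsString() produces (no brackets or zone id for IPv6); a format mismatch fails closed, so that is a functional rather than a security concern.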
@@ -198,10 +198,15 @@ Network::FilterStatus Instance::onNewConnection() {
 destination_identity, dst_address, &config_->time_source_);
 bool use_proxy_lib;
- if (!policy_fs->enforceNetworkPolicy(conn, destination_identity, destination_port_, sni,
- use_proxy_lib, l7proto_, log_entry_)) {
- ENVOY_CONN_LOG(debug, "cilium.network: policy DENY on id: {} port: {} sni: \"{}\"", conn,
- remote_id_, destination_port_, sni);
+ const bool allowed =
+ dip->addressAsString() == policy_fs->pod_ip_
+ ? true
+ : policy_fs->enforceNetworkPolicy(conn, destination_identity, destination_port_, sni,
+ use_proxy_lib, l7proto_, log_entry_);
+ if (!allowed) {
+ ENVOY_CONN_LOG(debug, "cilium.network: policy DENY {}->{} on id: {} port: {} sni: \"{}\"",
+ conn, dip->addressAsString(), policy_fs->pod_ip_, remote_id_,
+ destination_port_, sni);
 config_->log(log_entry_, ::cilium::EntryType::Denied);
 return false;
 }
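Review bot: On the hairpin path `use_proxy_lib` is never assigned — the context line declares it as `bool use_proxy_lib;` with no initializer, and enforceNetworkPolicy, which previously populated it together with `l7proto_`, is now skipped — so any read of it after this hunk (the rest of onNewConnection is outside the hunk) is an uninitialized-bool read, and `l7proto_` keeps whatever value it held before. Initialize it at the declaration, `bool use_proxy_lib = false;`, and confirm that the code following the hunk treats an unset `l7proto_` as "no L7 parser" rather than reusing a stale one. `log_entry_` is likewise no longer filled in by the policy call on this path, so the access log presumably lacks the policy fields for hairpin connections; an explicit debug `ENVOY_CONN_LOG` for the hairpin allow, next to the existing DENY one, would keep the decision visible to operators. The new DENY message prints its `{}->{}` pair as `dip->addressAsString(), policy_fs->pod_ip_`, i.e. destination first, which reads reversed for an egress connection originating from the pod.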