cilium · jrajahalme · Feb 16, 2026 · Jan 9, 2026 · Jan 9, 2026 · Jan 9, 2026
@@ -47,7 +47,7 @@ CheckOptions:
 - key: bugprone-dangling-handle.HandleClasses
   value: 'std::basic_string_view;std::experimental::basic_string_view;absl::string_view'
 - key: misc-include-cleaner.IgnoreHeaders
-  value: 'fmt/format\.h;fmt/compile\.h;asm-generic/socket\.h;asm/unistd_32\.h;asm/unistd_64\.h;bits/.*;google/protobuf/.*;linux/in\.h;linux/in6\.h;mutex'
+  value: 'fmt/format\.h;fmt/compile\.h;asm-generic/socket\.h;asm/unistd_32\.h;asm/unistd_64\.h;bits/.*;google/protobuf/.*;linux/in\.h;linux/in6\.h;mutex;cstdint'
 - key: modernize-use-auto.MinTypeNameLength
   value: '10'
 - key: readability-identifier-naming.ClassCase

@@ -16,6 +16,7 @@ Diagnostics:
       - "linux/in\.h" # private -> use netinet/in.h
       - "linux/in6\.h" # private -> use netinet/in.h
       - "mutex" # checked by envoy linting -> use source/common/common/thread.h
+      - "cstdint" # Do not complain the uint64_t is not directly included
 # CompileFlags:
 #   CompilationDatabase: ./compile_commands.json
 #   # Unfortunately, above config isn't working as expected.

@@ -87,8 +87,8 @@ all: cilium-go-targets
 
 .PHONY: cilium-go-targets
 cilium-go-targets: $(CILIUM_PROTO_SOURCES) $(ENVOY_API_PROTO_PATH) Makefile.api
+	go install tool
 	$(QUIET)set -e; \
-	echo "NOTE: protoc tools referred to in go.mod tools section must be installed with "go install" for protoc to find them."; \
 	for path in $(CILIUM_PROTO_DIRS) ; do \
 		$(ECHO_GEN) envoy/$$path; \
 		$(PROTOC) -I $(ENVOY_API_PROTO_PATH) -I $(CILIUM_PROTO_PATH) $(PROTO_DEPS) "--go_out=plugins=grpc$(GO_MAPPINGS):$(GO_OUT)" --go_opt=module=github.com/cilium/proxy/go "--validate_out=lang=go$(GO_MAPPINGS):$(GO_OUT)" --validate_opt=module=github.com/cilium/proxy/go $${path}*.proto; \

@@ -52,7 +52,7 @@ TIDY_SOURCES ?= $(shell bazel query 'kind("source file", deps(//tests/...))' 2>/
 # Depend on the WORKSPACE and TIDY_SOURCES so that the database will be re-built if
 # Envoy dependency or any of the source files has changed.
 compile_commands.json: WORKSPACE $(TIDY_SOURCES) force-non-root
-	BAZEL_STARTUP_OPTION_LIST="$(BAZEL_OPTS)" BAZEL_BUILD_OPTION_LIST="$(BAZEL_BUILD_OPTS)" tools/gen_compilation_database.py --include_all //cilium/... //starter/... //tests/... @com_google_absl//absl/...
+	BAZEL_STARTUP_OPTION_LIST="$(BAZEL_OPTS)" BAZEL_BUILD_OPTION_LIST="$(BAZEL_BUILD_OPTS)" tools/gen_compilation_database.py --include_all //cilium/... //starter/... //tests/...
 
 # Default number of jobs, derived from available memory
 TIDY_JOBS ?= $$(( $(shell sed -n "s/^MemAvailable: *\([0-9]*\).*\$$/\1/p" /proc/meminfo) / 4500000 ))
@@ -63,9 +63,13 @@ tidy: compile_commands.json force-non-root
 	run-clang-tidy-17 -quiet -extra-arg="-Wno-unknown-pragmas" -checks=misc-include-cleaner -j $(TIDY_JOBS) $(TIDY_SOURCES) || echo "clang-tidy check failed, run 'make tidy-fix' locally to fix tidy errors."
 
 tidy-fix: compile_commands.json force-non-root
-	echo "clang-tidy fix results can contain duplicate includes, check before committing!"
+	echo "clang-tidy fix results can contain duplicate or misplaced includes, check before committing!"
 	run-clang-tidy-17 -fix -format -style=file -quiet -extra-arg="-Wno-unknown-pragmas" -checks=misc-include-cleaner -j $(TIDY_JOBS) $(TIDY_SOURCES) || echo "clang-tidy fix produced changes, please commit them."
 
+tidy-fix-head: compile_commands.json force-non-root
+	echo "clang-tidy fix results can contain duplicate or misplaced includes, check before committing!"
+	run-clang-tidy-17 -fix -format -style=file -quiet -extra-arg="-Wno-unknown-pragmas" -checks=misc-include-cleaner -j $(TIDY_JOBS) $(shell git diff-tree --no-commit-id --name-only -r --diff-filter=d HEAD) || echo "clang-tidy fix produced changes, please commit them."
+
 format: force-non-root
 	CARGO_BAZEL_REPIN=true $(BAZEL) $(BAZEL_OPTS) run $(BAZEL_BUILD_OPTS) @envoy//tools/code_format:check_format -- --path "$(PWD)" --skip_envoy_build_rule_check --add-excluded-prefixes $(FORMAT_EXCLUDED_PREFIXES) --bazel_tools_check_excluded_paths="./" --build_fixer_check_excluded_paths="./" check || echo "Format check failed, run 'make format-fix' locally to fix formatting errors."
 

@@ -80,7 +80,7 @@ CONST_STRING_VIEW(xRequestIdSV, "x-request-id");
 CONST_STRING_VIEW(statusSV, ":status");
 
 void AccessLog::Entry::initFromConnection(
-    const std::string& policy_name, uint32_t proxy_id, bool ingress, uint32_t source_identity,
+    const std::string& policy_name, uint16_t proxy_id, bool ingress, uint32_t source_identity,
     const Network::Address::InstanceConstSharedPtr& source_address, uint32_t destination_identity,
     const Network::Address::InstanceConstSharedPtr& destination_address, TimeSource* time_source) {
   request_logged_ = false;
@@ -143,7 +143,7 @@ bool AccessLog::Entry::updateFromMetadata(const std::string& l7proto,
   return changed;
 }
 
-void AccessLog::Entry::initFromRequest(const std::string& policy_name, uint32_t proxy_id,
+void AccessLog::Entry::initFromRequest(const std::string& policy_name, uint16_t proxy_id,
                                        bool ingress, uint32_t source_identity,
                                        const Network::Address::InstanceConstSharedPtr& src_address,
                                        uint32_t destination_identity,

@@ -32,7 +32,7 @@ class AccessLog : public UDSClient {
   // wrapper for protobuf
   class Entry : public StreamInfo::FilterState::Object {
   public:
-    void initFromRequest(const std::string& policy_name, uint32_t proxy_id, bool ingress,
+    void initFromRequest(const std::string& policy_name, uint16_t proxy_id, bool ingress,
                          uint32_t source_identity,
                          const Network::Address::InstanceConstSharedPtr& source_address,
                          uint32_t destination_identity,
@@ -43,7 +43,7 @@ class AccessLog : public UDSClient {
                            const Http::RequestHeaderMap&);
     void updateFromResponse(const Http::ResponseHeaderMap&, TimeSource&);
 
-    void initFromConnection(const std::string& policy_name, uint32_t proxy_id, bool ingress,
+    void initFromConnection(const std::string& policy_name, uint16_t proxy_id, bool ingress,
                             uint32_t source_identity,
                             const Network::Address::InstanceConstSharedPtr& source_address,
                             uint32_t destination_identity,

@@ -5,6 +5,7 @@ option go_package = "github.com/cilium/proxy/go/cilium/api;cilium";
 package cilium;
 
 import "google/protobuf/duration.proto";
+import "validate/validate.proto";
 
 message BpfMetadata {
   // File system root for bpf. Bpf will not be used if left empty.
@@ -45,7 +46,7 @@ message BpfMetadata {
 
   // proxy_id is passed to access log messages and allows relating access log messages to
   // listeners.
-  uint32 proxy_id = 8;
+  uint32 proxy_id = 8 [(validate.rules).uint32.lte = 65535];
 
   // policy_update_warning_limit is the time in milliseconds after which a warning is logged if
   // network policy update took longer

@@ -127,21 +127,26 @@ message TLSContext {
 // If all the predicates of a rule match a flow, the flow is matched by the
 // rule.
 message PortNetworkPolicyRule {
-  reserved 1; // used in Cilium versions upto 1.14
-
   // Precedence level for this rule. Rules with **higher** numeric values take
   // precedence, even over deny rules of lower precedence level.
   // The lowest precedence (zero) is used when not specified.
   uint32 precedence = 10;
 
-  // Traffic on this port is denied for all `remote_policies` if true
-  bool deny = 8;
+  // Optional verdict, mutually exclusive. If missing then the verdict is an allow.
+  oneof verdict {
+    // Precedence after which policy evaluation should be continued at for the selected
+    // remotes_policies.
+    uint32 pass_precedence = 1;
+
+    // Traffic on this port is denied for all `remote_policies` if true
+    bool deny = 8;
+  }
 
   // ProxyID is non-zero if the rule was an allow rule with an explicit listener reference.
   // The given value corresponds to the 'proxy_id' value in the BpfMetadata listener filter
   // configuration.
   // This rule should be ignored if not executing in the referred listener.
-  uint32 proxy_id = 9;
+  uint32 proxy_id = 9 [(validate.rules).uint32.lte = 65535];
 
   // Optional name for the rule, can be used in logging and error messages.
   string name = 5;

@@ -202,7 +202,7 @@ Config::Config(const ::cilium::BpfMetadata& config,
     : so_linger_(config.has_original_source_so_linger_time()
                      ? config.original_source_so_linger_time()
                      : -1),
-      proxy_id_(config.proxy_id()), is_ingress_(config.is_ingress()),
+      proxy_id_(uint16_t(config.proxy_id())), is_ingress_(config.is_ingress()),
       use_original_source_address_(config.use_original_source_address()),
       is_l7lb_(config.is_l7lb()),
       ipv4_source_address_(

@@ -42,7 +42,7 @@ struct SocketMetadata : public Logger::Loggable<Logger::Id::filter> {
                  Network::Address::InstanceConstSharedPtr source_address_ipv4,
                  Network::Address::InstanceConstSharedPtr source_address_ipv6,
                  Network::Address::InstanceConstSharedPtr original_dest_address,
-                 const PolicyResolverSharedPtr& policy_resolver, uint32_t proxy_id,
+                 const PolicyResolverSharedPtr& policy_resolver, uint16_t proxy_id,
                  std::string&& proxylib_l7_proto, absl::string_view sni)
       : ingress_source_identity_(ingress_source_identity), source_identity_(source_identity),
         ingress_(ingress), is_l7lb_(l7lb), port_(port), pod_ip_(std::move(pod_ip)),
@@ -120,7 +120,7 @@ struct SocketMetadata : public Logger::Loggable<Logger::Id::filter> {
   std::string pod_ip_; // pod policy to enforce, if any; empty only when there is no local pod (i.e.
                        // north/south l7lb)
   std::string ingress_policy_name_; // Ingress policy to enforce, if any
-  uint32_t proxy_id_;
+  uint16_t proxy_id_;
   std::string proxylib_l7_proto_;
   std::string sni_;
   const PolicyResolverSharedPtr policy_resolver_;
@@ -158,7 +158,7 @@ class Config : public Cilium::PolicyResolver,
   virtual bool addPrivilegedSocketOptions() { return true; };
 
   int so_linger_; // negative if disabled
-  uint32_t proxy_id_;
+  uint16_t proxy_id_;
   bool is_ingress_;
   bool use_original_source_address_;
   bool is_l7lb_;

@@ -40,7 +40,7 @@ class CiliumPolicyFilterState : public StreamInfo::FilterState::Object,
   CiliumPolicyFilterState(uint32_t ingress_source_identity, uint32_t source_identity, bool ingress,
                           bool l7lb, uint16_t port, std::string&& pod_ip,
                           std::string&& ingress_policy_name,
-                          const PolicyResolverSharedPtr& policy_resolver, uint32_t proxy_id,
+                          const PolicyResolverSharedPtr& policy_resolver, uint16_t proxy_id,
                           absl::string_view sni)
       : ingress_source_identity_(ingress_source_identity), source_identity_(source_identity),
         ingress_(ingress), is_l7lb_(l7lb), port_(port), pod_ip_(std::move(pod_ip)),
@@ -91,7 +91,7 @@ class CiliumPolicyFilterState : public StreamInfo::FilterState::Object,
   uint16_t port_;
   std::string pod_ip_;
   std::string ingress_policy_name_;
-  uint32_t proxy_id_;
+  uint16_t proxy_id_;
   std::string sni_;
 
 private:

@@ -7,12 +7,15 @@
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/time.h"
 #include "envoy/json/json_object.h"
+#include "envoy/network/address.h"
 #include "envoy/network/filter.h"
 #include "envoy/server/factory_context.h"
+#include "envoy/stream_info/stream_info.h"
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
 
+#include "absl/strings/string_view.h"
 #include "cilium/accesslog.h"
 #include "cilium/api/accesslog.pb.h"
 #include "cilium/api/network_filter.pb.h"