OCPBUGS-31495: sanitize pin filenames to enable pinning subinterfaces

[bverschueren]

The BPF fs does not allow dots (".") in filenames, which prevents subinterfaces to be pinned correctly. By translating these dots before writing to bpffs this allows pinning subinterfaces (e.g. vlans).

- What this PR does and why is it needed
Without the change, using a subinterface (with a dot in its generated pinDir filename), an error is logged:

$ oc logs -n openshift-ingress-node-firewall ingress-node-firewall-daemon-xxx -c daemon
2025-11-03T20:32:22Z    ERROR   controllers.IngressNodeFirewall Fail to attach ingress firewall prog    {"error": "failed to pin link to pinDir /sys/fs/bpf/xdp_ingress_node_firewall_process/vlan.100_link: operation not permitted", "errorCauses": [{"error": "failed to pin link to pinDir /sys/fs/bpf/xdp_ingress_node_firewall_process/vlan.100_link: operation not permitted"}]}    

- How to verify it
Create an ingressnodefirewall targeting a vlan interface:

$ oc debug node/<node-name> -- ls -l /host/sys/fs/bpf/xdp_ingress_node_firewall_process/
Starting pod/<node-name>-debug-xxx ...
To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.
total 0
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_dbg_map
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_events_map
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_statistics_map
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_table_map
-rw-------. 1 root root 0 Nov  3 20:39 vlan_dot_100_link

Delete the rule again and see the link being upinned:

$ oc delete ingressnodefirewall vlan100
ingressnodefirewall.ingressnodefirewall.openshift.io "vlan100" deleted
$ oc logs -n openshift-ingress-node-firewall ingress-node-firewall-daemon-xxx -c daemon
<...>
2025/11/03 20:41:37 Detaching IngressNode Firewall program from interface "vlan.100"
2025/11/03 20:41:37 Running Unpin and Close for link &{{0xc002cc8b38 /sys/fs/bpf/xdp_ingress_node_firewall_process/vlan_dot_100_link}}

- Description for the changelog
Allow subinterfaces to be pinned by converting filename dots with a placeholder for writing to the BPF filesystem.

[openshift-ci-robot]

@bverschueren: This pull request references Jira Issue OCPBUGS-31495, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

The BPF fs does not allow dots (".") in filenames [1], which prevents subinterfaces to be pinned correctly. By translating these dots before writing to bpffs this allows pinning subinterfaces (e.g. vlans).

- What this PR does and why is it needed
Without the change, using a subinterface (with a dot in its generated pinDir filename), an error is logged:

$ oc logs -n openshift-ingress-node-firewall ingress-node-firewall-daemon-xxx -c daemon
2025-11-03T20:32:22Z    ERROR   controllers.IngressNodeFirewall Fail to attach ingress firewall prog    {"error": "failed to pin link to pinDir /sys/fs/bpf/xdp_ingress_node_firewall_process/vlan.100_link: operation not permitted", "errorCauses": [{"error": "failed to pin link to pinDir /sys/fs/bpf/xdp_ingress_node_firewall_process/vlan.100_link: operation not permitted"}]}    

- How to verify it
Create an ingressnodefirewall targeting a vlan interface:

$ oc debug node/<node-name> -- ls -l /host/sys/fs/bpf/xdp_ingress_node_firewall_process/
Starting pod/<node-name>-debug-xxx ...
To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.
total 0
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_dbg_map
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_events_map
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_statistics_map
-rw-------. 1 root root 0 Nov  3 20:39 ingress_node_firewall_table_map
-rw-------. 1 root root 0 Nov  3 20:39 vlan_dot_100_link

Delete the rule again and see the link being upinned:

$ oc delete ingressnodefirewall vlan100
ingressnodefirewall.ingressnodefirewall.openshift.io "vlan100" deleted
$ oc logs -n openshift-ingress-node-firewall ingress-node-firewall-daemon-xxx -c daemon
<...>
2025/11/03 20:41:37 Detaching IngressNode Firewall program from interface "vlan.100"
2025/11/03 20:41:37 Running Unpin and Close for link &{{0xc002cc8b38 /sys/fs/bpf/xdp_ingress_node_firewall_process/vlan_dot_100_link}}

- Description for the changelog
Allow subinterfaces to be pinned by converting filename dots with a placeholder for writing to the BPF filesystem.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bverschueren]

/jira refresh

[openshift-ci-robot]

@bverschueren: This pull request references Jira Issue OCPBUGS-31495, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bverschueren]

/jira refresh

[openshift-ci-robot]

@bverschueren: This pull request references Jira Issue OCPBUGS-31495, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds a pin-directory dot-placeholder constant (__dot__), a sanitize helper that maps dots to the placeholder and back, applies it in the eBPF loader, and updates webhook validation and tests to reject names containing the placeholder.

Changes

Cohort / File(s)	Change Summary
Constants definition pkg/constants/constants.go	New file exporting PinDirDotPlaceholder set to "__dot__".
eBPF loader implementation pkg/ebpf/ingress_node_firewall_loader.go	Imports pkg/constants, adds internal sanitizePinDir to convert . ↔ __dot__, and uses it when pinning XDP program paths and when loading pinned links.
eBPF loader tests pkg/ebpf/ingress_node_firewall_loader_test.go	Adds TestSanitizePinDir validating conversions like bond0.100 ↔ bond0__dot__100 and eth0__dot__100 ↔ eth0.100.
Webhook validation pkg/webhook/webhook.go	Imports pkg/constants and updates validateINFInterfaces to reject interface names that contain the placeholder string.
Webhook tests pkg/webhook/webhook_suite_test.go	Adds tests: one allows interface names with literal dots, the other ensures names containing the placeholder are rejected.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Areas to focus:
  • pkg/ebpf/ingress_node_firewall_loader.go — verify sanitizePinDir correctness for edge cases (multiple dots, existing placeholder substrings) and correct application when pinning/loading.
  • pkg/webhook/webhook.go & pkg/webhook/webhook_suite_test.go — ensure validation logic and tests align and error messaging is clear.
  • pkg/constants/constants.go — ensure placeholder value is consistent with usages and tests.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between adba87e and 0136fa7.

📒 Files selected for processing (5)

• pkg/constants/constants.go (1 hunks)
• pkg/ebpf/ingress_node_firewall_loader.go (4 hunks)
• pkg/ebpf/ingress_node_firewall_loader_test.go (1 hunks)
• pkg/webhook/webhook.go (2 hunks)
• pkg/webhook/webhook_suite_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/ebpf/ingress_node_firewall_loader.go
• pkg/webhook/webhook.go
• pkg/webhook/webhook_suite_test.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/constants/constants.go
• pkg/ebpf/ingress_node_firewall_loader_test.go

🔇 Additional comments (2)

pkg/constants/constants.go (1)

1-19: Centralizing the placeholder constant looks good

Defining PinDirDotPlaceholder in a dedicated constants package removes magic strings from callers and makes the bpffs filename contract explicit and easy to reuse.

pkg/ebpf/ingress_node_firewall_loader_test.go (1)

132-158: Good coverage of both directions of sanitizePinDir

The table-driven test exercises identity, dot→__dot__, and __dot__→dot, which matches the intended bpffs filename toggling behavior and should catch regressions in the sanitization logic.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/ebpf/ingress_node_firewall_loader_test.go (1)

132-158: Consider adding edge case tests.

The test covers the basic functionality well with the bidirectional conversion. Consider adding test cases for edge scenarios to ensure robustness:

• Multiple dots: "vlan.100.200" → "vlan_dot_100_dot_200"
• Empty string: ""
• Only dots: "."
• Interface with multiple components: "bond0.100.200"

Example additional test cases:

{
    in:       "vlan.100.200",
    expected: "vlan_dot_100_dot_200",
},
{
    in:       "vlan_dot_100_dot_200",
    expected: "vlan.100.200",
},

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 96727eb and d2d17e1.

📒 Files selected for processing (2)

• pkg/ebpf/ingress_node_firewall_loader.go (4 hunks)
• pkg/ebpf/ingress_node_firewall_loader_test.go (1 hunks)

🔇 Additional comments (3)

pkg/ebpf/ingress_node_firewall_loader.go (3)

41-41: LGTM! Clear constant for bpffs filename compatibility.

The pinDirDotPlaceholder constant is well-chosen and serves its purpose of replacing dots in filenames for bpffs compatibility.

---

323-323: LGTM! Correct sanitization before pinning to bpffs.

The sanitization is correctly applied to the pin path before writing to the BPF filesystem, enabling subinterfaces with dots (e.g., VLAN interfaces) to be pinned successfully.

---

481-481: LGTM! Correct desanitization when loading pinned links.

The sanitization is correctly applied to convert the filename back to the original interface name with dots, ensuring the in-memory links map uses the correct interface name as the key.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/ebpf/ingress_node_firewall_loader_test.go (1)

132-158: Consider additional edge case coverage.

The test covers the basic scenarios well, but consider adding test cases for:

• Multiple dots: "bond0.100.200" → "bond0_dot_100_dot_200"
• Empty string: "" → ""
• Edge cases with the placeholder at boundaries

These additional cases would ensure the bidirectional behavior is robust across all realistic interface naming scenarios.

Apply this diff to add edge case coverage:

 func TestSanitizePinDir(t *testing.T) {
 	tests := []struct {
+		name     string
 		in       string
 		expected string
 	}{
 		{
+			name:     "no dots or placeholder",
 			in:       "eth0",
 			expected: "eth0",
 		},
 		{
+			name:     "dot to placeholder",
 			in:       "bond0.100",
 			expected: "bond0_dot_100",
 		},
 		{
+			name:     "placeholder to dot",
 			in:       "eth0_dot_100",
 			expected: "eth0.100",
 		},
+		{
+			name:     "multiple dots",
+			in:       "bond0.100.200",
+			expected: "bond0_dot_100_dot_200",
+		},
+		{
+			name:     "empty string",
+			in:       "",
+			expected: "",
+		},
 	}
 
 	for _, tc := range tests {
-		result := sanitizePinDir(tc.in)
-		if result != tc.expected {
-			t.Fatalf("Failed to sanitize, expected %s, got %s",
-				tc.expected, result)
-		}
+		t.Run(tc.name, func(t *testing.T) {
+			result := sanitizePinDir(tc.in)
+			if result != tc.expected {
+				t.Fatalf("Failed to sanitize, expected %s, got %s",
+					tc.expected, result)
+			}
+		})
 	}
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 4be6b05 and f0aac00.

📒 Files selected for processing (5)

• pkg/ebpf/constants.go (1 hunks)
• pkg/ebpf/ingress_node_firewall_loader.go (3 hunks)
• pkg/ebpf/ingress_node_firewall_loader_test.go (1 hunks)
• pkg/webhook/webhook.go (2 hunks)
• pkg/webhook/webhook_suite_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/webhook/webhook.go
• pkg/webhook/webhook_suite_test.go
• pkg/ebpf/ingress_node_firewall_loader.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/ebpf/ingress_node_firewall_loader_test.go
• pkg/ebpf/constants.go

🔇 Additional comments (1)

pkg/ebpf/constants.go (1)

17-19: LGTM! Clean constant definition.

The constant is well-named and the value "_dot_" is a reasonable choice for the placeholder, as it's unlikely to naturally occur in interface names while remaining readable.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/constants/constants.go (1)

17-19: Consider adding a documentation comment for the exported constant.

Following Go conventions, exported identifiers should have documentation comments explaining their purpose and usage. This helps maintainers understand why this placeholder exists and how it relates to BPF filesystem constraints.

Example:

 const (
+	// PinDirDotPlaceholder is used to replace dots in interface names when creating
+	// BPF pin directory paths, since the BPF filesystem does not allow dots in filenames.
 	PinDirDotPlaceholder = "_dot_"
 )

pkg/ebpf/ingress_node_firewall_loader_test.go (1)

132-158: LGTM! Test coverage is adequate for the core functionality.

The test correctly validates the bidirectional conversion behavior of sanitizePinDir. The table-driven approach is clean and the three test cases cover the essential scenarios: no change needed, dot-to-placeholder conversion, and placeholder-to-dot conversion.

Optionally, consider adding test cases for edge scenarios:

{
	in:       "bond0.100.200",
	expected: "bond0_dot_100_dot_200",
},
{
	in:       "",
	expected: "",
},

This would ensure robustness for interfaces with multiple dots or empty strings, though the current coverage is sufficient for the main use case.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between f0aac00 and 95397af.

📒 Files selected for processing (5)

• pkg/constants/constants.go (1 hunks)
• pkg/ebpf/ingress_node_firewall_loader.go (4 hunks)
• pkg/ebpf/ingress_node_firewall_loader_test.go (1 hunks)
• pkg/webhook/webhook.go (2 hunks)
• pkg/webhook/webhook_suite_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/ebpf/ingress_node_firewall_loader.go
• pkg/webhook/webhook_suite_test.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/constants/constants.go
• pkg/ebpf/ingress_node_firewall_loader_test.go
• pkg/webhook/webhook.go

🔇 Additional comments (2)

pkg/webhook/webhook.go (2)

11-11: LGTM!

The import is correctly added to support the new validation logic.

---

108-112: LGTM! Essential validation to prevent naming conflicts.

This validation correctly prevents users from specifying interface names containing the reserved placeholder string, which would otherwise create ambiguity in the bidirectional sanitization logic. The error message is clear and the check is placed appropriately alongside other interface name validations.

[msherif1234]

/LGTM

[openshift-ci]

@msherif1234: changing LGTM is restricted to collaborators

In response to this:

/LGTM

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[msherif1234]

Thanks for the fix!!

[openshift-ci]

@msherif1234: changing LGTM is restricted to collaborators

In response to this:

Thanks for the fix!!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bverschueren]

/retest

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/webhook/webhook_suite_test.go (1)

34-34: Import appears unused in new test cases.

The admissionv1beta1 import is marked as a new addition but doesn't appear to be used by the new test cases at lines 183-193. It's already used at line 104, so this may be a reorganization rather than a new requirement.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 95397af and adba87e.

📒 Files selected for processing (5)

• pkg/constants/constants.go (1 hunks)
• pkg/ebpf/ingress_node_firewall_loader.go (4 hunks)
• pkg/ebpf/ingress_node_firewall_loader_test.go (1 hunks)
• pkg/webhook/webhook.go (2 hunks)
• pkg/webhook/webhook_suite_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/ebpf/ingress_node_firewall_loader_test.go
• pkg/constants/constants.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/webhook/webhook.go
• pkg/ebpf/ingress_node_firewall_loader.go
• pkg/webhook/webhook_suite_test.go

🧬 Code graph analysis (1)

pkg/webhook/webhook.go (1)

pkg/constants/constants.go (1)

• PinDirDotPlaceholder (18-18)

🔇 Additional comments (3)

pkg/webhook/webhook.go (1)

108-112: LGTM! Validation correctly prevents edge case.

The validation logic properly rejects interface names containing the placeholder, preventing the bidirectional conversion issue in sanitizePinDir where an interface naturally named with "dot" could be misinterpreted.

pkg/ebpf/ingress_node_firewall_loader.go (1)

734-744: Bidirectional sanitization works correctly with webhook validation.

The bidirectional conversion (dots ↔ placeholder) correctly handles the common case: interface names with dots are sanitized for pinning and restored when loading. The webhook validation prevents the edge case where an interface naturally named with the placeholder substring could be misinterpreted.

For future consideration: explicit encodePinPath() and decodePinPath() functions would be more explicit than the heuristic, but the current approach is acceptable given the webhook safeguard.

pkg/webhook/webhook_suite_test.go (1)

183-193: LGTM! Test coverage validates both dot handling and placeholder rejection.

The two tests correctly verify:

1. Interface names with dots (e.g., "eth0.100") are accepted, enabling subinterface support
2. Interface names containing the placeholder string are rejected, preventing the edge case in sanitization logic

[bverschueren]

/retest

[openshift-ci]

@bverschueren: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jcaamano]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bverschueren, jcaamano, msherif1234

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jcaamano]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment