Skip to content

Network Policy traffic drop response feature improvements #41859

Open
Open
Network Policy traffic drop response feature improvements#41859
Assignees
antonipp
Labels
area/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.kind/enhancementThis would improve or streamline existing functionality.pinnedThese issues are not marked stale by our issue bot.sig/policyImpacts whether traffic is allowed or denied based on user-defined policies.
@antonipp

Description

@antonipp
antonipp
opened on Sep 23, 2025

This issue keeps track of future improvements for the --policy-deny-response feature implemented in #41406 to return ICMP responses when traffic gets denied by CNPs.

The first iteration of the feature only implemented ICMPv4 responses for egress IPv4 traffic. Next steps:

  • ICMPv4 responses for IPv4 ingress traffic
  • Don't send ICMPs as response to ICMP error messages
  • ICMPv6 responses for IPv6 egress traffic (requires rate-limiting!)
  • ICMPv6 responses for IPv6 ingress traffic (requires rate-limiting!)
  • Find a way to steer traffic back into the pod when the pod has ingress CNPs. Right now users have to explicitly allow ICMP traffic if they have ingress policies
  • Add support for TCP RST responses for TCP traffic
  • Add a per-policy flag to allow for more granular behavior tuning

Related issues: #17944, #40228

Metadata

Metadata

Assignees

Labels

area/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.kind/enhancementThis would improve or streamline existing functionality.pinnedThese issues are not marked stale by our issue bot.sig/policyImpacts whether traffic is allowed or denied based on user-defined policies.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions