bpf_lxc: support LB for nodeports in the per-packet LB (wildcard lookup)

[julianwiedmann]

Background:
When not using the SocketLB, in-cluster access to a remote node's nodeports is not handled by the per-packet LB in from-container. Instead it gets processed at the remote node's from-netdev program (the "N/S path").

This is different from the SocketLB, where Cilium supports wildcard lookups that match the nodeport and match the IP against node identities (either local or remote).

Proposal:
Let's harmonize the behaviour by consistently LBing such in-cluster access to nodeports at the source.

[pchaigno]

As noted by Julian in the bug issue, implementing this would cause the per-packet LB to be affected by bug #24692 (comment).

[julianwiedmann]

Tentatively targeting this for v1.20. Once #41963 has landed, extending it to cover non-DSR nodeport services should be straight forward.

[julianwiedmann]

From talking with @brb, we could also look at exposing the nodeport service on all local addresses (ID_HOST). Similar to how SocketLB does it.

[julianwiedmann]

Tentatively targeting this for v1.20. Once #41963 has landed, extending it to cover non-DSR nodeport services should be straight forward.

@gyutaeb If you want to give this a try, then I think it's really just about relaxing all the DSR checks we have right now, and replacing them with ENABLE_NODEPORT. Along with some thinking about test coverage.

One interesting aspect is that we're affecting Network Policy - previously requests for a non-DSR connection would arrive at the backend with the intermediate node's source IP. While if we now LB at the source, then the backend will see the actual client IP. Which is great, we should be applying proper identities for in-cluster traffic! But it needs documenting in the upgrade notes.

[gyutaeb]

@julianwiedmann Thanks for the detailed guidance. The approach regarding relaxing DSR checks and the implications for Network Policy make perfect sense.

I'm currently tied up with work, so I can't start the implementation immediately. However, I'd be happy to participate in code reviews if someone else picks this up - I have some context from working on #41963 that might be useful.

[julianwiedmann]

I've started to play around in #44507.