wireguard: avoid in-kernel conntrack for wireguard connections

[julianwiedmann]

Background:
Cilium has been installing no-track rules for its own IPsec traffic for a long time, and recently also started to exclude its own overlay traffic (#38782). But its own Wireguard traffic is still unncessarily tracked by the kernel:

kubectl exec -it -n kube-system cilium-hm9wh -- cat /proc/net/nf_conntrack | grep udp
ipv4     2 udp      17 116 src=172.18.0.2 dst=172.18.0.3 sport=51871 dport=51871 src=172.18.0.3 dst=172.18.0.2 sport=51871 dport=51871 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2

Proposal:
Also exclude Wireguard from in-kernel conntrack. On egress this could simply re-use IPsec's mark-based matching.

[bersoare]

👀

[smagnani96]

I was chatting with Bernardo and we were wondering whether it would make sense to:

• mark ingress WG traffic (l4 ports 51871 or whatever non-default value is set): we already have the code in-place here for tracing (runs before iptables)
• add no-track rule with the matching mark: would work for both in/egress

Maybe in that case we'd need to make sure we clear the mark after WG decryption (or set it to some other value if needed, as in this draft PR for wg strict mode).

[julianwiedmann]

I was chatting with Bernardo and we were wondering whether it would make sense to:

* mark ingress WG traffic (l4 ports 51871 or whatever non-default value is set): we already have the code in-place [here](https://github.com/cilium/cilium/blob/v1.18/bpf/bpf_host.c#L1155) for tracing (runs before iptables)

* add no-track rule with the matching mark: would work for both in/egress

Maybe in that case we'd need to make sure we clear the mark after WG decryption (or set it to some other value if needed, as in this draft PR for wg strict mode).

ack, I had the same thought for ingress - relying on the classification you added a while ago, and marking the same way that IPsec would do on ingress.