cli: Add coverage for HostFw + WireGuard + Native #43374

@smagnani96

Description

In #38077 we moved from attaching bpf_host to cilium_wg0@ingress to a dedicated bpf_wireguard program. Unfortunately, we did not catch that we broke the HostFw ingress path: pod-destined packets were correctly running their policies, while host-related packets (e.g., with node encryption) were left to the stack w/o running HostFw first.

#42892 re-established HostFw by routing host-related packets to cilium_net@egress / cilium_host@ingress, where policies are checked.

The reason why we did not catch this before is because we're not testing NativeRouting+WireGuard+HostFw in CI. The closest one is wireguard-4, but it runs TunnelMode.

Labels

area/CI: Continuous Integration testing issue or flake
area/encryption: Impacts encryption support such as IPSec, WireGuard, or kTLS.
area/host-firewall: Impacts the host firewall or the host endpoint.
feature/wireguard: Relates to Cilium's Wireguard feature
kind/enhancement: This would improve or streamline existing functionality.
