Host firewall drops IPIP (protocol 4) traffic with no way to allow it via policy #44386

@kvaps

Description

When host firewall is enabled (enable-host-firewall: true), IPIP-encapsulated traffic (IP protocol 4) between nodes is dropped. There is currently no way to create a CiliumClusterwideNetworkPolicy that explicitly allows IPIP, because protocol 4 is not in the list of recognized protocols for toPorts rules.

Context

We use Kilo mesh networking alongside Cilium with VxLAN overlay. In this setup, IPIP tunnels carry traffic between nodes in the same location, and the IPIP outer packets are routed through Cilium's VxLAN overlay. When host firewall is disabled, everything works. When enabled, IPIP packets are dropped.

What was tried

  • enable-extended-ip-protocols: "true" — this makes conntrack pass unknown protocols instead of dropping with DROP_CT_UNKNOWN_PROTO, but without a matching policy the traffic is still denied.
  • enable-ipip-termination: "true" — does not affect host firewall behavior.
  • Creating a CiliumClusterwideNetworkPolicy with toPorts — protocol IPIP or 4 is not accepted by the policy API validation.

Expected behavior

It should be possible to allow IPIP (protocol 4) and IP6IP6 (protocol 41) traffic via host firewall policies, similar to how VRRP and IGMP were added in #39872.

Proposed solution

Extend the mechanism introduced in #39872 to also support IPIP (4) and IP6IP6 (41):

  • Add IPIP and IP6IP6 to pkg/u8proto/u8proto.go
  • Add them to the valid protocols list in pkg/policy/api/l4.go
  • This would allow users to write policies like:
    toPorts:
    - ports:
      - port: "0"
        protocol: IPIP

Environment
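To make the filtering problem concrete, the following is an added example (not Cilium code, not from the issue author) that builds a constructed IPIP packet and decodes it the way a host firewall sees it: the outer IPv4 header carries protocol 4 and no L4 ports, so a port-based rule has nothing to match until the inner packet is decapsulated. All addresses and ports are made-up sample values.

```python
"""Decode IPIP (IP protocol 4) packets as a host firewall sees them.

Added example, not Cilium code. Shows that for IPIP the only thing the
outer header offers a policy engine is the protocol number (4); the
port-like information lives in the inner packet.
"""
import struct

IPPROTO_IPIP = 4    # IPv4-in-IPv4, the protocol the issue is about
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # IPv6 payload in an IPv4 carrier (the issue's 41)


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 header, validating version, IHL, checksum and length."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("bad total length")
    return {
        "src": bytes_to_ip(pkt[12:16]),
        "dst": bytes_to_ip(pkt[16:20]),
        "proto": pkt[9],
        "payload": pkt[ihl:total_len],
    }


def classify(pkt: bytes) -> dict:
    """Return what a host firewall can match on for this packet.

    Plain TCP/UDP: ports are in the outer packet. IPIP: the outer header
    carries protocol 4 and no ports; the inner packet is only visible
    after decapsulation.
    """
    outer = parse_ipv4(pkt)
    view = {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "outer_proto": outer["proto"], "outer_ports": None, "inner": None}
    if outer["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(outer["payload"]) >= 4:
        view["outer_ports"] = struct.unpack("!HH", outer["payload"][:4])
    elif outer["proto"] == IPPROTO_IPIP:
        inner = parse_ipv4(outer["payload"])
        view["inner"] = {"src": inner["src"], "dst": inner["dst"],
                         "proto": inner["proto"], "ports": None}
        if inner["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(inner["payload"]) >= 4:
            view["inner"]["ports"] = struct.unpack("!HH", inner["payload"][:4])
    return view


def sample_ipip_packet() -> bytes:
    """Constructed sample: a TCP/443 SYN between two pod-like addresses,
    carried IPIP between two node-like addresses (all values made up)."""
    tcp = struct.pack("!HHIIBBHHH", 43210, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = build_ipv4("192.168.1.10", "192.168.2.20", IPPROTO_TCP, tcp)
    return build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, inner)


if __name__ == "__main__":
    print(classify(sample_ipip_packet()))
```

Running the script prints a view with `outer_proto` 4 and `outer_ports` None, which is exactly why the issue's proposed rule uses `port: "0"` with a protocol name: the decision for IPIP is protocol-only, and a policy model that only knows TCP/UDP/SCTP style ports has no slot for it.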

Metadata

Assignees

No one assigned

    Labels

      • area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
      • area/host-firewall: Impacts the host firewall or the host endpoint.
      • kind/feature: This introduces new functionality.
      • sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.
