NodePort BPF service cannot be reached when L7 policy is applied / L7 visibility is enabled

[brb]

A NodePort BPF service cannot be reached when:

• and L7 allow all policy is applied,
• and a request to the service is sent to a host which runs the service endpoint pod.

Sending the request to a host which SNATs the request and forwards it to the destination host works as expected.

The request (TCP SYN) enters the relevant TPROXY rule at the receiving host, and then disappears:

IN=cilium_net OUT= MAC=16:6a:8a:0b:7c:e0:36:d7:19:cb:ee:ec:08:00 SRC=192.168.34.11 DST=10.217.1.215 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=15285 DF PROTO=TCP SPT
=56576 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x1927020

[brb]

Just checked that it's still an issue. Might be related to #9284.

[jrajahalme]

@brb Similar problem existed also with kube-proxy in non-tunneled modes, where SYN/ACK would be lost due to NodePort SNAT not being reversed due to overtly broad NOTRACK rule. This was fixed by #11899.

Have you traced how far in the datapath the SYN/ACK gets in this NodePort BPF case?

[brb]

@jrajahalme According to #12434, it seems to be fixed! I'm going to close this issue once I've extended BPF NodePort tests to include L7 policy.