Fix --exclude-local-address with eBPF Host-Routing

[antonipp]

Description

The problem is described in detail in the original issue #41241

This PR adds error-handling logic that fixes routing for local addresses which have been passed in --exclude-local-address. The routing code will always attempt a FIB lookup for packets destined to these addresses and it will always fail with BPF_FIB_LKUP_RET_NOT_FWDED because the addresses are local. The routing code will now remediate this by passing the packet to the kernel's routing stack when encountering this scenario.

Another idea I originally had was to keep track of excluded local addresses in a separate map ( DataDog@844f1c8 ) but this obviously introduces more complexity that the current PR.

Testing

Setup: deploy a pod with NLD bound to 169.254.20.10. Set --exclude-local-address="169.254.20.10/31" and enable eBPF Host-Routing on the Cilium Agent.

Before the PR:

# dig google.com
;; communications error to 169.254.20.10#53: timed out
;; communications error to 169.254.20.10#53: timed out
[...]

After the PR:

# dig google.com
; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
[...]

Fixes: #41241

Fix --exclude-local-address with eBPF Host-Routing

[antonipp]

/test

[pchaigno]

/test

[pchaigno]

/test

@antonipp It's strange that you couldn't trigger tests. Have you had this issue before?

[jrife]

Should something similar be done in handle_ipv6_from_lxc? Also just a heads up, you might want to rebase and test with #37725 which just got merged. AFAIK it shouldn't impact anything, but slightly changes how the fib lookup happens with the addition of the BPF_FIB_LOOKUP_SKIP_NEIGH flag.

[antonipp]

Thanks for the reviews, addressed the comments 👍

It's strange that you couldn't trigger tests. Have you had this issue before?

Yep, I did notice that this was quite flaky recently. For example in this PR, I was not able to run them consistently: #41154

I also noticed that the current PR has more failed E2E tests than usual 🤔 https://github.com/cilium/cilium/actions/runs/17077534336/job/48422818273

And this BPF complexity verifier failure looks legit as well: https://github.com/cilium/cilium/actions/runs/17077535162/job/48422742276 (need to look further into it)

[antonipp]

/test

[pchaigno]

/test

And this BPF complexity verifier failure looks legit as well: https://github.com/cilium/cilium/actions/runs/17077535162/job/48422742276 (need to look further into it)

Ouch, that's going to be tricky to work around. I'm guessing we're probably already quite "close" to the complexity limit and, since your change is adding new branches, it's enough to push complexity over the limit.

I also noticed that the current PR has more failed E2E tests than usual 🤔 https://github.com/cilium/cilium/actions/runs/17077534336/job/48422818273

Probably related to the complexity issue, no?

[pchaigno]

My bad, it's not a complexity issue but a good old verifier reject:

; if (ret == DROP_NO_FIB && *ext_err == BPF_FIB_LKUP_RET_NOT_FWDED) {
1849: (79) r1 = *(u64 *)(r10 -144)    ; R1_w=scalar() R10=fp0
; __u8 new_ttl, ttl = ip4->ttl;
1850: (71) r3 = *(u8 *)(r1 +22)
R1 invalid mem access 'scalar'
verification time 74405 usec

Are we sure ext_err is always defined on that code path?

[antonipp]

/ci-verifier

[jrife]

/ci-verifier

[antonipp]

/ci-verifier

[antonipp]

/test

[antonipp]

/test

[antonipp]

/test

[jrife]

• ci-ipsec-e2e failures look like a flake I've seen before: CI: Conformance IPsec E2E (ci-ipsec-e2e): no-interrupted-connections/no-interrupted-connections: restart count does not match 0 != 1 #41012
• ci-eks hit CI: Conformance IPsec E2E: no-ipsec-xfrm-errors: xfrm errors were changed - outbound_no_state #31097

I'll retrigger these.

[jrife]

/ci-ipsec-e2e

[jrife]

/ci-eks

[jrife]

/ci-clustermesh