[GH-41867][Part-1][eBPF] Add support for hybrid routing in datapath

[anubhabMajumdar]

Description

The motivation behind adding a new routing mode is discussed in this CFP .

This is Part 1 of feature:

• adds the subnet map in datapath
• add lookup functions for getting subnet id
• skip tunneling if IPs belong to same subnet ID
• won't interfere with how datapath works today (allows checking this PR in as a standalone change)

For reference, here's a draft PR with the entire feature implemented - #41405 .

Overview

This feature would allow user to configure Cilium cluster(s) with multiple subnets, and benefit from both tunnel and native routing mode for maximum efficiency (no overhead of tunneling when not needed).

Motivation

1. Given that tunneling can always route a packet as long as nodes have connectivity, the entire change is designed to use tunnel as default, with exceptions built in to skip tunneling when IPs belong to same subnet.
2. I have tried to adhere to existing patterns that I could identify - the eBPF map and lookup function closely resembles the IPCache library.

Changes Overview

Datapath

This covers all the C code changes. Files edited/added:

1. bpf/lib/subnet.h - This has the LPM trie based subnet map, similar to the IPCache map. Has functions for lookup.
2. bpf_lxc.c - Added an extra check to skip_tunnel. Now, skip tunneling if IPs belong to same subnet.
3. bpf_host.c - Added an extra check to skip_tunnel. Now, skip tunneling if IPs belong to same subnet.
4. Added two debug keys - DBG_SUBNET_CHECK and DBG_TUNNEL_TRACE for debugging purposes. Will remove these before merging.

Testing Done

The full feature is tested using the change draft PR.
I tested this change against a cluster and verified:

• the subnet map doesn't exist
• all IPs return ID=0
• No packet skips tunneling

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #41867

Add support for hybrid routing in datapath

[anubhabMajumdar]

/test

[YutaroHayakawa]

Thanks! Made an initial review. I have some questions and nits.

[anubhabMajumdar]

Thanks! Made an initial review. I have some questions and nits.

Thank you @YutaroHayakawa for your review. I have addressed your comments. Would appreciate another pass.
P.S. I had to rebase to remove style issues in the older commit.

[YutaroHayakawa]

Thanks! Almost there.

[dylandreimerink]

Changes look good from the loader perspective. Will let Yutaro handle the datapath review.

[YutaroHayakawa]

@anubhabMajumdar Seems like you re-requested my review, but seems like there are some comments and suggestions which is not resolved yet. Let me request change. Please take a look whenever you have time.

[anubhabMajumdar]

@anubhabMajumdar Seems like you re-requested my review, but seems like there are some comments and suggestions which is not resolved yet. Let me request change. Please take a look whenever you have time.

Replied to the comment I missed. Let me know what you think. Thanks for your feedback.

[anubhabMajumdar]

Conversation around the pipeline failure - https://cilium.slack.com/archives/C7PE7V806/p1763051497549979
Based on suggestion, rebased the PR.

[anubhabMajumdar]

/test

[anubhabMajumdar]

/ci-ginkgo

[anubhabMajumdar]

/ci-e2e-upgrade

[anubhabMajumdar]

/ci-ginkgo

[anubhabMajumdar]

/ci-ipsec-e2e

[anubhabMajumdar]

https://github.com/cilium/cilium/actions/runs/19340685839/job/55328009387

ci-ginkgo fails with provisioning LVH VMs.

[anubhabMajumdar]

/test

[anubhabMajumdar]

/ci-gateway-api

[anubhabMajumdar]

/ci-ipsec-e2e

[anubhabMajumdar]

@julianwiedmann Addressed your comments here - #43631 . Thanks!

[joestringer]

FYI given that this is only a portion of the infrastructure required for the feature, I have changed the release note category to misc. Minor or above are intended to inform users about changes and improvements that they can actively use, but it seems like this cannot be actively used just yet. Probably when we get to the final PR for this feature series we can mark that one as release-note/major and ensure it gets sufficient spotlight in the corresponding release announcement :)