bpf:wireguard: delivery host packets to bpf_host for ingress policies

[smagnani96]

This effectively restores HostFw for WireGuard.
Prior to this, we were erroneously always returning to the stack all
packets destined for local host, skipping the HostFw policies if enabled.

With this patch, packets for local host will always be delivered to
cilium_net@egress, similarly to what we do in bpf_overlay after decap.
With HostFw enabled, the to-host program in cilium_host@ingress will
then enforce policies.

This patch does not affect packets for local endpoint:

• With BPF Host Routing: will be directly delivered to the pod, tail
  calling into its ep->lxc_id function to enforce ingress policies.
• Without BPF Host Routing: will return to stack, which then goes to its
  to-container installed program to match ingress policies.

Trying to pull-in the whole host_firewall.h and policy.h would require
to set bpf_wireguard similarly as we do for bpf_host, meaning assigning
an endpoint ID, otherwise host policies would block all host related
packets (ep id == 0). For this reason, we decide here to go through cilium_host.

From a bpf test perspective:

• no changes for packet to/from local endpoint INGRESS/EGRESS
• no changes for packet from local host EGRESS
• packet to local host INGRESS: differently than bpf_host, in WireGuard
  we always redirect to cilium_host@ingress.

While fixing this bits, let's move the superfluous revalidate_data
post NodePort inside the NodePort code, as not needed otherwise.

[smagnani96]

/test

[smagnani96]

fyi: given I'll backport this to v1.18 once finished, bpf tests have not been written in scapy-like language.

[julianwiedmann]

For the last patch:

Given we've done a legimitate lookup, let's make use of that identity.

I believe that's not accurate - bpf_wireguard currently still respects secctx_from_ipcache, and only resolves the source identity when BPF Host-Routing is enabled.

So if we now want to always forward an identity, then we also need to unconditionally resolve it (which feels like a reasonable choice to me).

[smagnani96]

Many many thanks Julian. Your input was essential here. It took me a while, but I think we're close now.

I believe that's not accurate - bpf_wireguard currently still respects secctx_from_ipcache, and only resolves the source identity when BPF Host-Routing is enabled.

So if we now want to always forward an identity, then we also need to unconditionally resolve it (which feels like a reasonable choice to me).

I moved the whole removal of secctx_from_ipcache and setting the identity into separate PRs.

But with Wireguard we do have the case (when BPF Host Routing is disabled) where a local pod's traffic first passes through netfilter, and only in to-netdev gets redirected to cilium_wg. And so the from-wireguard path also needs to traverse netfilter, and can't unconditionally redirect straight to the pod.

It was not easy for me, but I think now I understand it slightly better.
So I've updated PR accordingly, adding new codepaths and comments to both the code and commit. Will update PR description as well 🙏🏼

Will need to update the BPF test accordingly, doing it right now.

[smagnani96]

I tried to enable HostFirewall in CI in the unique config in which we have WireGuard+NativeRouting+NodeEncryption.
This should be the minimal test to make sure this PR restores HostFw with WireGuard (see #43374): the CLI host-firewall-ingress test already exists (--include-unsafe-tests), we just need a valid config to run it.

EDIT: branched off CI tests into a separate PR, which will be used for testing this feature. (#43450)

[smagnani96]

Cherry-picked this commit and enabled testing in wireguard-3 config #43450.
Test can't be merged, as I did a trick to only run it after upgrade, otherwise would obviously fail because w/o this HostFW is broken.
ci-l7, and in particular host-firewall-{ingress,egress} tests, successfully passed https://github.com/cilium/cilium/actions/runs/20824455539/job/59823165980#step:30:515.
Going to rebase this and re-run CI, then it can be merge IMHO.

[smagnani96]

/test