Skip to content

ci:wireguard: enable Host Firewall in native routing e2e tests#43450

Merged
pchaigno merged 1 commit intomainfrom
pr/smagnani96/wg-hostfw-ci
Feb 12, 2026
Merged

ci:wireguard: enable Host Firewall in native routing e2e tests#43450
pchaigno merged 1 commit intomainfrom
pr/smagnani96/wg-hostfw-ci

Conversation

@smagnani96
Copy link
Copy Markdown
Contributor

@smagnani96 smagnani96 commented Dec 19, 2025
edited
Loading

This enabled Host Firewall in the wireguard-3 config.
This helps us validating that host-related packets go through the host
firewall hook in cilium_host when WireGuard is enabled in native routing.
In overlay, even if we'd miss a redirect we'd see the packet in bpf_overlay,
which will then redirect the packet to bpf_host for HostFW validation.

Fixes: #43374.

@smagnani96 smagnani96 self-assigned this Dec 19, 2025
@smagnani96 smagnani96 added area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. release-note/ci This PR makes changes to the CI. feature/wireguard Relates to Cilium's Wireguard feature labels Dec 19, 2025
@smagnani96 smagnani96 changed the title Pr/smagnani96/wg hostfw ci ci:wireguard: enable Host Firewall in native routing e2e tests Dec 19, 2025
@smagnani96 smagnani96 mentioned this pull request Dec 19, 2025
Merged
@smagnani96 smagnani96 force-pushed the pr/smagnani96/wg-hostfw-ci branch from 531ed05 to 61a9232 Compare December 22, 2025 17:06
@smagnani96 smagnani96 added the dont-merge/preview-only Only for preview or testing, don't merge it. label Jan 8, 2026
@smagnani96 smagnani96 force-pushed the pr/smagnani96/wg-hostfw-ci branch from 61a9232 to 563f6fd Compare January 8, 2026 16:44
@smagnani96
ci:wireguard: enable Host Firewall in native routing e2e tests
1a13aca 
This enabled Host Firewall in the `wireguard-3` config.
This helps us validating that host-related packets go through the host
firewall hook in `cilium_host` when WireGuard is enabled in native routing.
In overlay, even if we'd miss a redirect we'd see the packet in bpf_overlay,
which will then redirect the packet to bpf_host for HostFW validation.

Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
@smagnani96 smagnani96 force-pushed the pr/smagnani96/wg-hostfw-ci branch from 563f6fd to 1a13aca Compare February 3, 2026 11:01
@smagnani96 smagnani96 removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Feb 3, 2026
@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 3, 2026
edited
Loading

/ci-l3-l4

HostFW tests are being executed with L3L4 Only 🍏
https://github.com/cilium/cilium/actions/runs/21634192876/job/62354942659#step:30:594

@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 3, 2026
edited
Loading

/ci-l7

HostFW tests are being skipped when L7 Only.

@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 3, 2026

/test

@smagnani96 smagnani96 marked this pull request as ready for review February 3, 2026 16:31
@smagnani96 smagnani96 requested review from a team as code owners February 3, 2026 16:31
@smagnani96 smagnani96 requested review from nbusseneau and rgo3 February 3, 2026 16:31
@smagnani96
Copy link
Copy Markdown
Contributor Author

smagnani96 commented Feb 10, 2026

@cilium/ci-structure @cilium/github-sec PTAL.

@smagnani96 smagnani96 removed the request for review from nbusseneau February 11, 2026 10:19
@pchaigno pchaigno added this pull request to the merge queue Feb 12, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 12, 2026
@pchaigno pchaigno added this pull request to the merge queue Feb 12, 2026
Merged via the queue into main with commit 4b928bc Feb 12, 2026
432 of 433 checks passed
@pchaigno pchaigno deleted the pr/smagnani96/wg-hostfw-ci branch February 12, 2026 16:42
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Feb 12, 2026
@joestringer joestringer mentioned this pull request Feb 12, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Artyop Artyop Artyop approved these changes

@rgo3 rgo3 rgo3 approved these changes

Assignees

@smagnani96 smagnani96

Labels

area/CI Continuous Integration testing issue or flake area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. feature/wireguard Relates to Cilium's Wireguard feature ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cli: Add coverage for HostFw + WireGuard + Native

5 participants

@smagnani96 @Artyop @rgo3 @pchaigno @msune