bpf: nodeport: use hairpin redirect for L7 LB on bridge devices

[smagnani96]

l7lb: bpf: fix use hairpin redirect for L7 LB on bridge devices
Fix L7 proxy traffic disruption (DROP_REASON_NOSOCKET) on nodes where
the BPF program is attached to a Linux bridge device and the
br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables=1.

With #36383, we changed the non-BPF-TPROXY L7 LB redirect path to mark
packets with MARK_MAGIC_TO_PROXY and punt them to the stack, relying on
an iptables TPROXY rule in PREROUTING to deliver the packet to the
proxy. This optimization avoids a hairpin redirect through cilium_net.

However, when br_netfilter is active on a bridge device, the kernel's
ip_sabotage_in() function interferes:

1. Packet arrives on bridge port -> br_netfilter evaluates PREROUTING
   (1st time, BPF hasn't run yet -> TPROXY rule doesn't match)
2. ip_sabotage_in() sets NF_HOOK_STATE_SABOTAGED on the packet
3. tc-ingress BPF runs, sets MARK_MAGIC_TO_PROXY, punts to stack
4. IP stack calls PREROUTING again, but ip_sabotage causes it to be
   SKIPPED entirely
5. TPROXY rule never fires -> no listening socket on VIP ->
   DROP_REASON_NOSOCKET

We therefore add a new datapath config variable that will be set to true
only when compiling the Netdev datapath program (cil_{from,to}_netdev)
and the network device is a bridge. This allows us to fall back to the
pre-#36383 hairpin redirect via cilium_net for L7 LB traffic, bypassing the
ip_sabotage_in() function and allowing the TPROXY rule to match as expected.

Non-bridge devices continue using the optimized punt-to-stack path.

[smagnani96]

/test

[julianwiedmann]

Thank you! Just a quick first look ...

[smagnani96]

I've created a follow-up PR for potentially migrating ENABLE_TPROXY #44719.
Kept this PR as simple as possible, local to our use case to fix.

[smagnani96]

@julianwiedmann I rebased on top of #44649.
I still keep introducing a separate variable as you suggested, but I'm not sure 100% (it has the same meaning of enable_tproxy, but more local to the program, and only used in bpf_host).
This will however ease the backport.
Otherwise, reusing enable_tproxy would require (1) making sure other codepaths are not affected and (2) backporting also #44649.

[smagnani96]

/test

[julianwiedmann]

@julianwiedmann I rebased on top of #44649. I still keep introducing a separate variable as you suggested, but I'm not sure 100% (it has the same meaning of enable_tproxy, but more local to the program, and only used in bpf_host). This will however ease the backport. Otherwise, reusing enable_tproxy would require (1) making sure other codepaths are not affected and (2) backporting also #44649.

+100 on not re-using enable_tproxy, that would get very confusing imo.

[julianwiedmann]

Thank you!