bpf: wireguard: use overlay mark to detect tunnel traffic

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>

bpf/lib/wireguard.h

@@ -62,31 +62,17 @@ wg_maybe_redirect_to_encrypt(struct __ctx_buff *ctx)
 	case bpf_htons(ETH_P_IP):
 		if (!revalidate_data(ctx, &data, &data_end, &ip4))
 			return DROP_INVALID;
+
 # if defined(TUNNEL_MODE)
-		/* A rudimentary check (inspired by is_enap()) whether a pkt
-		 * is coming from tunnel device. In tunneling mode WG needs to
-		 * encrypt such pkts, so that src sec ID can be transferred.
+		/* In tunneling mode WG needs to encrypt tunnel traffic,
+		 * so that src sec ID can be transferred.
 		 *
 		 * This also handles IPv6, as IPv6 pkts are encapsulated w/
 		 * IPv4 tunneling.
 		 */
-		if (ip4->protocol == IPPROTO_UDP) {
-			int l4_off = ETH_HLEN + ipv4_hdrlen(ip4);
-			__be16 dport;
-
-			if (l4_load_port(ctx, l4_off + UDP_DPORT_OFF, &dport) < 0) {
-				/* IP fragmentation is not expected after the
-				 * encap. So this is non-Cilium's pkt.
-				 */
-				break;
-			}
-
-			if (dport == bpf_htons(TUNNEL_PORT)) {
-				from_tunnel = true;
-				break;
-			}
-		}
+		from_tunnel = ctx_is_overlay(ctx);
 # endif /* TUNNEL_MODE */
+
 		dst = lookup_ip4_remote_endpoint(ip4->daddr, 0);
 		src = lookup_ip4_remote_endpoint(ip4->saddr, 0);
 		break;