Enforce host policies when using per-endpoint routes

[pchaigno]

The host firewall currently doesn't work with per-endpoint routes (global.endpointRoutes & --enable-endpoint-routes) because host policies are only enforced in the bpf_host program attached to cilium_host/cilium_net (for hostns<->local pods) and native devices (for hostns<->remote pods/remote nodes/world). When per-endpoint routes are enabled, the first two devices do not exist. Allowing the host firewall to be enabled with per-endpoint routes would thus result in a bypass of policies on paths hostns<->local pods.

High-level idea is to perform a tail call to a BPF program in bpf_host from bpf_lxc when packets ingress and egress of local pods. On egress from pods, we need to jump to bpf_host program, enforce ingress host policies and deliver as usual. On ingress to pods, we need to jump to bpf_host program, enforce egress host policies, then jump back to bpf_lxc program.

• Implement basic support: Support host policies with per-endpoint routes #15217
  • Define a entrypoint function in bpf_host to be called for packets egressing local pods and destined to the hostns. Should be similar to equivalent in bpf_lxc program.
  • Add "host endpoint to policy call map" mapping in policy map.
  • Jump from bpf_lxc program to entrypoint function via policy call map, in the same way as is currently done for pods.
  • Handle reverse path (egress from hostns to local pod) with a first tail call from ingress of bpf_lxc to entrypoint in bpf_host and second tail call to come back to bpf_lxc. May need to use the same entrypoint as before with metadata bit to differentiate. A metadata bit or other skb bit will also be needed to avoid looping in tail calls.
  • Remove fatal when host firewall is set with per-endpoint routes.
• Test: Support host policies with per-endpoint routes #15217
  • Reenable host firewall in tests with per-endpoint routes and run CI tests with ci/host-firewall.
  • Add variation of service+host firewall test with per-endpoint routes enabled.
• Optimize:
  • Given that the host endpoint's secID is static, it may be possible to avoid the policy call map lookup by using an array map or static data.
  • Try to avoid use of metadata bit to differentiate between ingress and egress cases on entrypoint.
• Document: Follow ups for host firewall support of endpoint routes #15942
  • Remove the related note added in docs: improve Host Firewall GSG #13673, assuming it gets merged.
• Follow ups: Follow ups for host firewall support of endpoint routes #15942
  • Double check if HOST_EP_ID needs to be static data, Support host policies with per-endpoint routes #15217 (comment).
    • If it does, then we may want to use tail_call_dynamic for static data, Support host policies with per-endpoint routes #15217 (comment). It doesn't need to be static data.
  • Restrict to enable-remote-node-identity, Support host policies with per-endpoint routes #15217 (comment).
  • Add a comment on ingress explaining why we won't process the packet twice, Support host policies with per-endpoint routes #15217 (comment).

[pchaigno]

All release blocker items have been addressed. I'm not planning to implement the optimization item at this time since it's unclear whether it would make a big difference.