bpf: exclude pod's reply traffic from egress gateway logic

[jibi]

Currently all pod traffic matching source IP and destination CIDR of an
egress policy will be forwarded to an egress gateway.

This means we will incorrectly forward to an egress gateway also all
reply traffic from connections destined to a pod, breaking said
connections.

This commit fixes this by adding an additional check to make sure reply
traffic (i.e. connections not originating from a pod) is excluded from
the egress gateway logic.

Fixes: #17866
Signed-off-by: Gilberto Bertin gilberto@isovalent.com

[brb]

I think we might want to have a CI test for it.

[jibi]

/test

double checked locally that without the actual fix the new test fails:

K8sEgressGatewayTest tunnel disabled with endpointRoutes enabled egress gw policy both egress gw and basic connectivity work
at /home/jibi/go/src/github.com/cilium/cilium/test/ginkgo-ext/scopes.go:527

[Expected command: kubectl exec -n kube-system log-gatherer-8rctj -- curl --path-as-is -s -D /dev/stderr --fail --connect-timeout 5 --max-time 20 http://10.0.0.176:80 -w "time-> DNS: '%{time_namelookup}(%{remote_ip})', Connect: '%{time_connect}',Transfer '%{time_starttransfer}', total '%{time_total}'"
To succeed, but it failed:
..

[jibi]

/test

[jibi]

/test-runtime

vm provisioning failed with

15:27:17  ==> runtime: Machine booted and ready!
15:27:17  ==> runtime: Checking for guest additions in VM...
15:27:17      runtime: The guest additions on this VM do not match the installed version of
15:27:17      runtime: VirtualBox! In most cases this is fine, but in rare cases it can
15:27:17      runtime: prevent things such as shared folders from working properly. If you see
15:27:17      runtime: shared folder errors, please make sure the guest additions within the
15:27:17      runtime: virtual machine match the version of VirtualBox you have installed on
15:27:17      runtime: your host and reload your VM.
15:27:17      runtime: 
15:27:17      runtime: Guest Additions Version: 6.0.0 r127566
15:27:17      runtime: VirtualBox Version: 6.1
15:27:17  ==> runtime: Setting hostname...
15:27:18  ==> runtime: Configuring and enabling network interfaces...
15:27:36  ==> runtime: Exporting NFS shared folders...
15:27:36  ==> runtime: Preparing to edit /etc/exports. Administrator privileges will be required...
15:27:36  ==> runtime: Mounting NFS shared folders...
15:53:02  Cancelling nested steps due to timeout
15:53:02  Sending interrupt signal to process

Job 'Cilium-PR-K8s-GKE' hit: #17545 (91.20% similarity)

[kkourt]

🚀

[brb]

One non-blocking nit. Besides that 🚀 🌔

[jibi]

/test

Job 'Cilium-PR-K8s-1.22-kernel-4.9' hit: #17919 (92.89% similarity)

Job 'Cilium-PR-K8s-GKE' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sDatapathConfig Host firewall With native routing and endpoint routes

Failure Output

FAIL: Kubernetes DNS did not become ready in time

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-GKE so I can create a new GitHub issue to track it.

[jibi]

One last change: moved the

	if (ct_ret == CT_REPLY || ct_ret == CT_RELATED)
			goto skip_egress_gateway;

check in bpf_lxc before the policy lookup (to possibly avoid a non necessary map lookup)

[jibi]

/test

Job 'Cilium-PR-K8s-1.21-kernel-4.19' failed and has not been observed before, so may be related to your PR:

Click to show.

Test Name

K8sServicesTest Checks service across nodes Tests NodePort BPF Tests with direct routing Tests NodePort

Failure Output

FAIL: Request from testclient-hgtxh pod to service http://[fd04::12]:30084 failed

If it is a flake, comment /mlh new-flake Cilium-PR-K8s-1.21-kernel-4.19 so I can create a new GitHub issue to track it.

[jibi]

/test-4.19