feat: eBPF ingress/egress TC program for cilium external LB

[camrynl]

Reason for Change:

This is a POC for fixing external load balancer services on Cilium dual stack clusters. This PR includes both ingress and egress tc programs that convert a link local address to global unicast and vice versa, respectively.

Issue Fixed:

https://github.com/cilium/cilium/issues/31326

Requirements:

• [ ] uses conventional commit messages
• [ ] includes documentation
• [ ] adds unit tests
• [ ] relevant PR labels added

Notes:

[rbtr]

Is this susceptible to the same ordering issues being discussed here? I notice you're trying to attach to Cilium's qdisc

[camrynl]

I've been testing these latest changes on a cluster with cilium's --bpf-filter-priority=2.

Previously, I did see that my filters would get removed if I tried using the same pref + handle as cilium and restarted pods. When my filters are set at prior 1 and cilium at prior 2, I haven't had any issues with the filters deleting after restarting cilium

filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 ingress_filter direct-action not_in_hw id 953 tag eedbf352a3397a97 jited
filter protocol all pref 2 bpf chain 0
filter protocol all pref 2 bpf chain 0 handle 0x1 cil_from_netdev-eth0 direct-action not_in_hw id 6373 tag 2929474d7184a654 jited

filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 egress_filter direct-action not_in_hw id 952 tag ae5bd94fad468f22 jited
filter protocol all pref 2 bpf chain 0
filter protocol all pref 2 bpf chain 0 handle 0x1 cil_to_netdev-eth0 direct-action not_in_hw id 6952 tag a0c933d81fd07f41 jited

Later I plan to install the program using an initcontainer from the cilium or cns daemonset, so I'm not sure if this will change the behavior.

[camrynl]

/azp run Azure Container Networking PR

[azure-pipelines[bot]]

Azure Pipelines successfully started running 1 pipeline(s).