cilium: disable antispoofing

2026-01-28 18:18:41 +00:00 · 2025-03-06 21:28:44 +01:00
2 changed files with 35 additions and 0 deletions
--- a/packages/system/cilium/images/cilium/Dockerfile
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -1,2 +1,13 @@
 ARG VERSION=v1.16.7
+FROM quay.io/cilium/cilium-builder:714cfc3420a53a154dba0df63a43bc1378bebffd@sha256:13345d46c1a5b24e3b64c46ff4b334c5bbbbf784b769f1adbb8fad094f177f03 as builder
+RUN curl -L https://github.com/cilium/cilium/archive/refs/tags/v1.16.7.tar.gz | tar --strip-components=1 -xzvf -
+
+COPY patches /patches
+RUN git apply /patches/*.diff
+
+RUN make -C bpf
+#RUN make -C daemon
+
 FROM quay.io/cilium/cilium:${VERSION}
+#COPY --from=builder /go/src/github.com/cilium/cilium/daemon/cilium-agent /usr/bin/cilium-agent
+COPY --from=builder /go/src/github.com/cilium/cilium/bpf /var/lib/cilium/bpf
--- a/packages/system/cilium/images/cilium/patches/disable-antispoofing.diff
+++ b/packages/system/cilium/images/cilium/patches/disable-antispoofing.diff
@@ -0,0 +1,24 @@
+diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
+index 36ecfde895..39872d35c5 100644
+--- a/bpf/bpf_lxc.c
+++ b/bpf/bpf_lxc.c
+@@ -796,9 +796,6 @@ static __always_inline int __tail_handle_ipv6(struct __ctx_buff *ctx,
+ 	if (unlikely(is_icmp6_ndp(ctx, ip6, ETH_HLEN)))
+ 		return icmp6_ndp_handle(ctx, ETH_HLEN, METRIC_EGRESS, ext_err);
+ 
+-	if (unlikely(!is_valid_lxc_src_ip(ip6)))
+-		return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_PER_PACKET_LB
+ 	/* will tailcall internally or return error */
+ 	return __per_packet_lb_svc_xlate_6(ctx, ip6, ext_err);
+@@ -1361,9 +1358,6 @@ static __always_inline int __tail_handle_ipv4(struct __ctx_buff *ctx,
+ 		return DROP_FRAG_NOSUPPORT;
+ #endif
+ 
+-	if (unlikely(!is_valid_lxc_src_ipv4(ip4)))
+-		return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_MULTICAST
+ 	if (mcast_ipv4_is_igmp(ip4)) {
+ 		/* note: