From d4615701b653f06108321da42ee2f4a50bf11eab Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Thu, 6 Mar 2025 21:28:24 +0100
Subject: [PATCH] cilium: disable antispoofing
---
 .../system/cilium/images/cilium/Dockerfile | 11 +++++++++
 .../cilium/patches/disable-antispoofing.diff | 24 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 packages/system/cilium/images/cilium/patches/disable-antispoofing.diff
diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile
index 4541770f..caeb758c 100644
--- a/packages/system/cilium/images/cilium/Dockerfile
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -1,2 +1,13 @@
 ARG VERSION=v1.16.7
+FROM quay.io/cilium/cilium-builder:714cfc3420a53a154dba0df63a43bc1378bebffd@sha256:13345d46c1a5b24e3b64c46ff4b334c5bbbbf784b769f1adbb8fad094f177f03 as builder
+RUN curl -L https://github.com/cilium/cilium/archive/refs/tags/v1.16.7.tar.gz | tar --strip-components=1 -xzvf -
+
+COPY patches /patches
+RUN git apply /patches/*.diff
+
+RUN make -C bpf
+#RUN make -C daemon
+
 FROM quay.io/cilium/cilium:${VERSION}
+#COPY --from=builder /go/src/github.com/cilium/cilium/daemon/cilium-agent /usr/bin/cilium-agent
+COPY --from=builder /go/src/github.com/cilium/cilium/bpf /var/lib/cilium/bpf
diff --git a/packages/system/cilium/images/cilium/patches/disable-antispoofing.diff b/packages/system/cilium/images/cilium/patches/disable-antispoofing.diff
new file mode 100644
index 00000000..a7eb2fdd
--- /dev/null
+++ b/packages/system/cilium/images/cilium/patches/disable-antispoofing.diff
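Review bot: The source tarball fetched by `RUN curl -L https://github.com/cilium/cilium/archive/refs/tags/v1.16.7.tar.gz | tar --strip-components=1 -xzvf -` is not integrity-checked, while the builder image on the line above is pinned by digest; whatever that URL serves at build time ends up as the BPF objects copied into the runtime image. Download to a file and verify a pinned checksum before extracting, e.g. `RUN curl -fsSL -o cilium.tar.gz https://github.com/cilium/cilium/archive/refs/tags/v1.16.7.tar.gz && echo "<SHA256_OF_TARBALL>  cilium.tar.gz" | sha256sum -c - && tar --strip-components=1 -xzf cilium.tar.gz`. The version is also hard-coded a second time in that URL even though `ARG VERSION=v1.16.7` exists; since a pre-FROM ARG is not visible inside a stage, add `ARG VERSION` after the builder `FROM` and build the URL from `${VERSION}` so the two cannot drift. The commented-out `#RUN make -C daemon` and `#COPY --from=builder ... cilium-agent` lines should either be dropped or carry a one-line comment explaining why only the BPF tree is rebuilt and the stock agent is kept.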
@@ -0,0 +1,24 @@
+diff --git a/bpf/bpf_lxc.c b/bpf/bpf_lxc.c
+index 36ecfde895..39872d35c5 100644
+--- a/bpf/bpf_lxc.c
++++ b/bpf/bpf_lxc.c
+@@ -796,9 +796,6 @@ static __always_inline int __tail_handle_ipv6(struct __ctx_buff *ctx,
+ if (unlikely(is_icmp6_ndp(ctx, ip6, ETH_HLEN)))
+ return icmp6_ndp_handle(ctx, ETH_HLEN, METRIC_EGRESS, ext_err);
+
+- if (unlikely(!is_valid_lxc_src_ip(ip6)))
+- return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_PER_PACKET_LB
+ /* will tailcall internally or return error */
+ return __per_packet_lb_svc_xlate_6(ctx, ip6, ext_err);
+@@ -1361,9 +1358,6 @@ static __always_inline int __tail_handle_ipv4(struct __ctx_buff *ctx,
+ return DROP_FRAG_NOSUPPORT;
+ #endif
+
+- if (unlikely(!is_valid_lxc_src_ipv4(ip4)))
+- return DROP_INVALID_SIP;
+-
+ #ifdef ENABLE_MULTICAST
+ if (mcast_ipv4_is_igmp(ip4)) {
+ /* note:
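Review bot: Nothing in the commit message or in this patch file records why the `is_valid_lxc_src_ip`/`is_valid_lxc_src_ipv4` checks are being removed from `__tail_handle_ipv6` and `__tail_handle_ipv4` in bpf/bpf_lxc.c, or what compensates for the `DROP_INVALID_SIP` drops that no longer happen on the endpoint egress path. A patch file accepts free text before its first `diff --git` line; add a short header there stating the motivation, the consequence (an endpoint can now emit traffic whose source address the datapath did not verify as its own, so any remaining protection has to come from network policy or other layers), and the Cilium version the hunks were taken from (v1.16.7, per the Dockerfile) so the patch can be re-validated on upgrade. Within the visible hunks these were the only source checks in both functions; if the intent is to permit a specific class of workload, a narrower condition guarded by a build flag would be easier to review than an unconditional removal. Both enclosing functions start and end outside the hunks.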