CFP-12781: Host Firewall Before NodePort DNAT

[jakubhlavnicka]

Add CFP for enforcing host firewall ingress policy before NodePort DNAT/SNAT, which enables CiliumClusterwideNetworkPolicy to match on original external source IPs and NodePort destination ports.

Tracks: cilium/cilium#12781

[joestringer]

My gut feeling is this is not something we can add a flag for and reasonably continue maintaining and supporting. More likely we need to consider new API syntax to match the relevant hook point.

cc @cilium/sig-policy we discussed this during the most recent meeting.

[julianwiedmann]

I'm not seeing any consideration for loadBalancerSourceRanges. Can you describe why it's not sufficient for your purposes?

[jakubhlavnicka]

@julianwiedmann - I've added a section to the CFP addressing why loadBalancerSourceRanges is not sufficient for this use case: f3894a4

@joestringer - Thank you for the feedback. Are you suggesting a new policy API field on CiliumClusterwideNetworkPolicy, something like preSNATIngress with the same syntax as the existing ingress field, that would explicitly target the pre-SNAT hook point? Or rather an entirely new policy kind for this purpose?