[BPF] fix bypassing linux conntrack option

Author: tomastigera

felix/fv/bpf_test.go

@@ -462,6 +462,7 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 					felix.Exec("conntrack", "-L")
 					felix.Exec("calico-bpf", "policy", "dump", "cali8d1e69e5f89", "all", "--asm")
 					if testOpts.ipv6 {
+						felix.Exec("conntrack", "-L", "-f", "ipv6")
 						felix.Exec("ip6tables-save", "-c")
 						felix.Exec("ip", "-6", "link")
 						felix.Exec("ip", "-6", "addr")

felix/rules/static.go

@@ -1152,18 +1152,23 @@ func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8,
 			Action:  GotoAction{Target: ChainRawBPFUntrackedPolicy},
 			Comment: []string{"Jump to target for packets with Bypass mark"},
 		},
-		Rule{
-			Match:   Match().DestAddrType(AddrTypeLocal),
-			Action:  SetMaskedMarkAction{Mark: tcdefs.MarkSeenSkipFIB, Mask: tcdefs.MarkSeenSkipFIB},
-			Comment: []string{"Mark traffic towards the host - it is TRACKed"},
-		},
-		Rule{
-			Match:   Match().NotDestAddrType(AddrTypeLocal),
-			Action:  GotoAction{Target: ChainRawUntrackedFlows},
-			Comment: []string{"Check if forwarded traffic needs to be TRACKed"},
-		},
 	)
 
+	if bypassHostConntrack {
+		rawRules = append(rawRules,
+			Rule{
+				Match:   Match().DestAddrType(AddrTypeLocal),
+				Action:  SetMaskedMarkAction{Mark: tcdefs.MarkSeenSkipFIB, Mask: tcdefs.MarkSeenSkipFIB},
+				Comment: []string{"Mark traffic towards the host - it is TRACKed"},
+			},
+			Rule{
+				Match:   Match().NotDestAddrType(AddrTypeLocal),
+				Action:  GotoAction{Target: ChainRawUntrackedFlows},
+				Comment: []string{"Check if forwarded traffic needs to be TRACKed"},
+			},
+		)
+	}
+
 	rawPreroutingChain := &Chain{
 		Name:  ChainRawPrerouting,
 		Rules: rawRules,