feat(gateway): add fib_multipath_hash_policy support for L4-aware ECMP flow distribution

[MircoBarone]

Description

Part of the multi-tunnel WireGuard implementation. This is the second PR related to issue #3225.

This PR adds the enable-multipath-hash-policy flag to the gateway. When set to true, the gateway writes 1 to /proc/sys/net/ipv4/fib_multipath_hash_policy, enabling 5-tuple (src/dst IP, src/dst port, protocol) hashing for multipath routing instead of L3-only (src/dst IP) hashing.

This is necessary to properly exploit ECMP across multiple WireGuard tunnels: without this setting, traffic between the same src/dst IP pair will always hash to the same tunnel regardless of the port, limiting the effectiveness of ECMP for those flows.

The flag defaults to false. The intended usage is to set it to true via a proper template when the number of interfaces specified in the GatewayClient or GatewayServer CRD is greater than one.

Since /proc/sys/net/ipv4/fib_multipath_hash_policy is namespaced, this setting only affects the network namespace of the gateway pod and has no impact on the host node.

If the write fails, the gateway returns an error and stops the execution to ensure the policy is strictly applied

A new file pkg/utils/kernel/multipathpolicy.go was added to implement the low-level write.

[adamjensenbot]

Hi @MircoBarone. Thanks for your PR!

I am @adamjensenbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

• /rebase: Rebase this PR onto the master branch (You can add the option test=true to launch the tests
  when the rebase operation is completed)
• /merge: Merge this PR into the master branch
• /build Build Liqo components
• /test Launch the E2E and Unit tests
• /hold, /unhold Add/remove the hold label to prevent merging with /merge

Make sure this PR appears in the liqo changelog, adding one of the following labels:

• feat: 🚀 New Feature
• fix: 🐛 Bug Fix
• refactor: 🧹 Code Refactoring
• docs: 📝 Documentation
• style: 💄 Code Style
• perf: 🐎 Performance Improvement
• test: ✅ Tests
• chore: 🚚 Dependencies Management
• build: 📦 Builds Management
• ci: 👷 CI/CD
• revert: ⏪ Reverts Previous Changes

[cheina97]

Can you temporarily enable the flag? Then I will run the e2e tests

[MircoBarone]

Can you temporarily enable the flag? Then I will run the e2e tests

@cheina97 Do you mean I should add a commit temporarily setting the default value of enable-multipath-hash-policy to true
?

[cheina97]

Can you temporarily enable the flag? Then I will run the e2e tests

@cheina97 Do you mean I should add a commit temporarily setting the default value of enable-multipath-hash-policy to true
?

Yep

[MircoBarone]

Can you temporarily enable the flag? Then I will run the e2e tests

@cheina97 Do you mean I should add a commit temporarily setting the default value of enable-multipath-hash-policy to true
?

Yep

@cheina97 done

[cheina97]

/rebase test=true

[cheina97]

/rebase test=true

[fra98]

/rebase test=true

[fra98]

@MircoBarone test passed!

Can you switch flag to false and squash all commits? After that I will merge it

[fra98]

/test

[fra98]

/rebase test=true

[fra98]

/merge