From 539be2df2719276a615770754cd43a61b4220ff3 Mon Sep 17 00:00:00 2001 From: chez-shanpu Date: Wed, 20 Sep 2023 17:51:28 +0900 Subject: [PATCH 1/6] Update cilium components to v1.13.6 Add Geneve patch to cilium bpf Signed-off-by: chez-shanpu --- .circleci/config.yml | 23 +- cilium-certgen/Dockerfile | 2 +- cilium-certgen/TAG | 2 +- cilium-operator-generic/BRANCH | 2 +- cilium-operator-generic/Dockerfile | 4 +- cilium-operator-generic/TAG | 2 +- cilium/18449.patch | 553 ----------- cilium/BRANCH | 2 +- cilium/Dockerfile | 9 +- cilium/TAG | 2 +- cilium/cilium.patch | 1442 ++++++++++++++++++++++++++++ hubble-relay/BRANCH | 2 +- hubble-relay/Dockerfile | 4 +- hubble-relay/TAG | 2 +- 14 files changed, 1470 insertions(+), 581 deletions(-) delete mode 100644 cilium/18449.patch create mode 100644 cilium/cilium.patch diff --git a/.circleci/config.yml b/.circleci/config.yml index 38b0c4d82..489134cc5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -468,7 +468,7 @@ jobs: version: type: string docker: - - image: quay.io/cybozu/ubuntu-dev:20.04 + - image: quay.io/cybozu/ubuntu-dev:22.04 resource_class: 2xlarge+ steps: - checkout 
@@ -486,14 +486,14 @@ jobs: command: | if [ ! -f BUILDS ]; then exit 0; fi cat > /etc/apt/sources.list \<< EOF - deb [arch=amd64] http://archive.ubuntu.com/ubuntu focal main restricted universe multiverse - deb [arch=amd64] http://security.ubuntu.com/ubuntu focal-updates main restricted universe multiverse - deb [arch=amd64] http://security.ubuntu.com/ubuntu focal-security main restricted universe multiverse - deb [arch=amd64] http://archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse - deb [arch=arm64] http://ports.ubuntu.com/ focal main restricted universe multiverse - deb [arch=arm64] http://ports.ubuntu.com/ focal-updates main restricted universe multiverse - deb [arch=arm64] http://ports.ubuntu.com/ focal-security main restricted universe multiverse - deb [arch=arm64] http://ports.ubuntu.com/ focal-backports main restricted universe multiverse + deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse + deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse + deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-security main restricted universe multiverse + deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse + deb [arch=arm64] http://ports.ubuntu.com/ jammy main restricted universe multiverse + deb [arch=arm64] http://ports.ubuntu.com/ jammy-updates main restricted universe multiverse + deb [arch=arm64] http://ports.ubuntu.com/ jammy-security main restricted universe multiverse + deb [arch=arm64] http://ports.ubuntu.com/ jammy-backports main restricted universe multiverse EOF dpkg --add-architecture arm64 apt-get update @@ -521,7 +521,6 @@ jobs: make \ ninja-build \ pkg-config \ - pkg-config-aarch64-linux-gnu \ python2 \ python3 \ python3-pip \ 
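Review bot: The `-521,7 +521,6` hunk drops `pkg-config-aarch64-linux-gnu` from the apt install list with no replacement, while the same step still runs `dpkg --add-architecture arm64` and adds the jammy arm64 ports sources, so an arm64 cross build that invokes `aarch64-linux-gnu-pkg-config` now depends on that wrapper arriving from somewhere else. On 22.04 the triplet-prefixed wrapper appears to be shipped by `pkg-config`/`pkgconf` itself, which is presumably why the package was removed, but nothing in the hunk records that. A comment on the surviving `pkg-config \` line such as `# on jammy pkg-config provides the aarch64-linux-gnu-pkg-config wrapper; no separate cross package` would save the next release bump the same investigation. The enclosing `command:` script starts and ends outside both hunks.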
@@ -722,11 +721,11 @@ workflows: name: build-chrony container-image: chrony - build-cilium-envoy: - version: ca87bee70e40bfa681d5859e7da4cba6b8ba4e8c + version: ad831bdec4c93feeb2378aa9e1847c936ada6ef7 - build-cilium-image-tools: # https://github.com/cilium/image-tools/commits/master # From this commit, cilium/image-tools stops building iproute2 because of cilium v1.14 doesn't depend on iproute2. - # But, we use v1.12.11, so we still have to build iproute2. + # But, we use v1.13.6, so we still have to build iproute2. # So we use an older version of image-tools which builds iproute2. # https://github.com/cilium/image-tools/commit/8a2f099f14330221848c14808f3208e4dd2469bb version: ff22ba3bff1010f4a2dd76ede789663c3beaf8d2 diff --git a/cilium-certgen/Dockerfile b/cilium-certgen/Dockerfile index 24bfc409b..865086073 100644 --- a/cilium-certgen/Dockerfile +++ b/cilium-certgen/Dockerfile @@ -1,5 +1,5 @@ ARG BASE_IMAGE=scratch -ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.17-focal +ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.20-jammy # Stage1: build FROM ${GOLANG_IMAGE} as build diff --git a/cilium-certgen/TAG b/cilium-certgen/TAG index 973334b4c..756bb3a64 100644 --- a/cilium-certgen/TAG +++ b/cilium-certgen/TAG @@ -1 +1 @@ -0.1.8.1 +0.1.9.1 diff --git a/cilium-operator-generic/BRANCH b/cilium-operator-generic/BRANCH index 809bdcb85..d3456a90f 100644 --- a/cilium-operator-generic/BRANCH +++ b/cilium-operator-generic/BRANCH @@ -1 +1 @@ -1.12 +1.13 diff --git a/cilium-operator-generic/Dockerfile b/cilium-operator-generic/Dockerfile index 219054479..873994cf3 100644 --- a/cilium-operator-generic/Dockerfile +++ b/cilium-operator-generic/Dockerfile @@ -1,6 +1,6 @@ ARG BASE_IMAGE=scratch -ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.18-focal -ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:20.04 +ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.20-jammy +ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:22.04 # Stage1: build FROM ${GOLANG_IMAGE} as build 
diff --git a/cilium-operator-generic/TAG b/cilium-operator-generic/TAG
index a94055c67..adb1349e5 100644
--- a/cilium-operator-generic/TAG
+++ b/cilium-operator-generic/TAG
@@ -1 +1 @@
-1.12.11.1
+1.13.6.1
diff --git a/cilium/18449.patch b/cilium/18449.patch
deleted file mode 100644
index a3d26e58d..000000000
--- a/cilium/18449.patch
+++ /dev/null
@@ -1,553 +0,0 @@ -diff --git a/bpf/Makefile b/bpf/Makefile -index 3f6929bd78..390223383f 100644 ---- a/bpf/Makefile -+++ b/bpf/Makefile -@@ -215,8 +215,10 @@ XDP_OPTIONS = $(LB_OPTIONS) \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_SOCKET_LB_UDP:-DENABLE_SOCKET_LB_TCP:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID: \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 \ -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP_CNI:-DDSR_ENCAP_NONE=2 \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \ -- -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 \ -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP_CNI:-DDSR_ENCAP_NONE=2 - - ifndef MAX_XDP_OPTIONS - MAX_XDP_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_PREFILTER=1 -diff --git a/bpf/complexity-tests/54/bpf_lxc.txt b/bpf/complexity-tests/54/bpf_lxc.txt -index 454e5cad46..2b4b7b3d82 100644 ---- a/bpf/complexity-tests/54/bpf_lxc.txt -+++ b/bpf/complexity-tests/54/bpf_lxc.txt -@@ -1,3 +1,4 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_SOCKET_LB_TCP=1 -DENABLE_SOCKET_LB_UDP=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 
-DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_SOCKET_LB_TCP=1 -DENABLE_SOCKET_LB_UDP=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_SOCKET_LB_TCP=1 -DENABLE_SOCKET_LB_UDP=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 
-DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DDSR_ENCAP_IPIP_CNI=1 -diff --git a/bpf/lib/common.h b/bpf/lib/common.h -index ae39f64a9f..e45dc55cc5 100644 ---- a/bpf/lib/common.h -+++ b/bpf/lib/common.h -@@ -633,9 +633,11 @@ enum { - CB_POLICY, - #define CB_ADDR_V6_2 CB_POLICY /* Alias, non-overlapping */ - #define CB_BACKEND_ID CB_POLICY /* Alias, non-overlapping */ -+#define CB_SRC_PORT CB_POLICY /* Alias, non-overlapping */ - CB_NAT, - #define CB_ADDR_V6_3 CB_NAT /* Alias, non-overlapping */ - #define CB_FROM_HOST CB_NAT /* Alias, non-overlapping */ -+#define CB_ADDR_V4_2 CB_NAT /* Alias, non-overlapping */ - CB_CT_STATE, - #define CB_ADDR_V6_4 CB_CT_STATE /* Alias, non-overlapping */ - #define CB_ENCRYPT_IDENTITY CB_CT_STATE /* Alias, non-overlapping, -diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h -index 412956047c..95fff016f0 100644 ---- a/bpf/lib/nodeport.h -+++ b/bpf/lib/nodeport.h -@@ -514,6 +514,9 @@ int tail_nodeport_ipv6_dsr(struct __ctx_buff *ctx) - #elif DSR_ENCAP_MODE == DSR_ENCAP_NONE - port = (__u16)ctx_load_meta(ctx, CB_PORT); - ret = dsr_set_ext6(ctx, ip6, &addr, port, &ohead); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ /* To do, add support for ipv6 */ -+ ret = 0; - #else - # error "Invalid load balancer DSR encapsulation mode!" 
- #endif -@@ -746,7 +749,11 @@ static __always_inline int nodeport_lb6(struct __ctx_buff *ctx, - - svc = lb6_lookup_service(&key, false, false); - if (svc) { -- const bool skip_l3_xlate = DSR_ENCAP_MODE == DSR_ENCAP_IPIP; -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+ const bool skip_l3_xlate = true; -+#else -+ const bool skip_l3_xlate = false; -+#endif - - if (!lb6_src_range_ok(svc, (union v6addr *)&ip6->saddr)) - return DROP_NOT_IN_SRC_RANGE; -@@ -1117,7 +1124,7 @@ static __always_inline int nodeport_nat_ipv4_fwd(struct __ctx_buff *ctx) - } - - #ifdef ENABLE_DSR --#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP || DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI - static __always_inline __be32 rss_gen_src4(__be32 client, __be32 l4_hint) - { - const __u32 bits = 32 - IPV4_RSS_PREFIX_BITS; -@@ -1127,6 +1134,163 @@ static __always_inline __be32 rss_gen_src4(__be32 client, __be32 l4_hint) - src |= bpf_htonl(hash_32(client ^ l4_hint, bits)); - return src; - } -+#endif /*DSR_ENCAP_MODE */ -+ -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+/* -+ * Original packet: [clientIP:clientPort -> serviceIP:servicePort] } IP/L4 -+ * -+ * After DSR IPIP: [rssSrcIP -> backendIP] } IP -+ * [clientIP:clientPort -> backendIP:backendPort] } IP/L4 -+ */ -+static __always_inline int dsr_set_ipipcni4(struct __ctx_buff *ctx, -+ const struct iphdr *ip4, -+ __be32 backend_addr, -+ __be32 l4_hint, -+ __be32 svc_port, -+ __be32 svc_addr, -+ __be16 *ohead) -+{ -+ __u16 tot_len = bpf_ntohs(ip4->tot_len) + sizeof(*ip4); -+ const int l3_off = ETH_HLEN; -+ const int l4_off = ETH_HLEN + sizeof(struct iphdr); -+ __be16 id, frag_off; -+ __be32 sum, sum_old; -+ __u8 ihlver, tos; -+ -+ struct iphds { -+#if defined(__LITTLE_ENDIAN_BITFIELD) -+ __u8 ihl:4, -+ version:4; -+#elif defined(__BIG_ENDIAN_BITFIELD) -+ __u8 version:4, -+ ihl:4; -+#else -+#error "Please fix " -+#endif -+ __u8 tos; -+ __be16 tot_len; -+ __be16 id; -+ __u8 ttl; -+ __u8 protocol; -+ __be32 saddr; -+ __be32 daddr; -+ __be32 
opt0; -+ __be32 opt1; -+ }; -+ -+ struct iphds tp_old = { -+ .ihl = ip4->ihl, -+ .version = ip4->version, -+ .tot_len = ip4->tot_len, -+ .ttl = ip4->ttl, -+ .protocol = ip4->protocol, -+ .saddr = ip4->saddr, -+ .daddr = ip4->daddr, -+ .opt0 = bpf_htonl(DSR_IPV4_OPT_32 | svc_port), -+ .opt1 = bpf_htonl(svc_addr), -+ }, tp_new = { -+ .ihl = 5, -+ .version = ip4->version, -+ .tot_len = bpf_htons(tot_len), -+ .ttl = IPDEFTTL, -+ .protocol = IPPROTO_IPIP, -+ .saddr = rss_gen_src4(ip4->saddr, l4_hint), -+ .daddr = backend_addr, -+ .opt0 = 0x0, -+ .opt1 = 0x0, -+ }; -+ -+ if (ip4->protocol == IPPROTO_TCP) { -+ union tcp_flags tcp_flags = { .value = 0 }; -+ -+ if (ctx_load_bytes(ctx, ETH_HLEN + ip4->ihl * 4 + 12, -+ &tcp_flags, 2) < 0) -+ return DROP_CT_INVALID_HDR; -+ -+ /* Encap with IP-in-IP is required only for the first packet -+ * (SYN), in the case of TCP, as for further packets of the -+ * same connection a remote node will use a NAT entry to -+ * reverse xlate a reply. -+ */ -+ if (!(tcp_flags.value & (TCP_FLAG_SYN))) -+ return 0; -+ } -+ -+ if (dsr_is_too_big(ctx, tot_len)) { -+ *ohead = sizeof(*ip4); -+ return DROP_FRAG_NEEDED; -+ } -+ -+ if (ip4->ihl == 0x5) { -+ tp_old.opt0 = 0; -+ tp_old.opt1 = 0; -+ } -+ -+ if (ctx_adjust_hroom(ctx, sizeof(*ip4), BPF_ADJ_ROOM_NET, -+ ctx_adjust_hroom_dsr_flags())) -+ return DROP_INVALID; -+ -+ sum = csum_diff(&tp_old, 24, &tp_new, 24, 0); -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, tos), -+ &tos, sizeof(tos)) < 0) -+ return DROP_CT_INVALID_HDR; -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, id), -+ &id, sizeof(id)) < 0) -+ return DROP_CT_INVALID_HDR; -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, frag_off), -+ &frag_off, sizeof(frag_off)) < 0) -+ return DROP_CT_INVALID_HDR; -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, check), -+ &sum_old, sizeof(sum_old)) < 0) -+ return DROP_CT_INVALID_HDR; -+ -+ ihlver = *((__u8 *)&tp_new); -+ if (ctx_store_bytes(ctx, l3_off, -+ &ihlver, 
1, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, tot_len), -+ &tp_new.tot_len, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, ttl), -+ &tp_new.ttl, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), -+ &tp_new.saddr, 8, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (l3_csum_replace(ctx, l3_off + offsetof(struct iphdr, check), -+ 0, sum, 0) < 0) -+ return DROP_CSUM_L3; -+ -+ ihlver = *((__u8 *)&tp_old); -+ if (ctx_store_bytes(ctx, l4_off, -+ &ihlver, 1, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, tos), -+ &tos, 1, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, tot_len), -+ &tp_old.tot_len, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, id), -+ &id, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, frag_off), -+ &frag_off, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, ttl), -+ &tp_old.ttl, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, check), -+ &sum_old, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, saddr), -+ &tp_old.saddr, 8, 0) < 0) -+ return DROP_WRITE_ERROR; -+ return 0; -+} -+ -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP - - /* - * Original packet: [clientIP:clientPort -> serviceIP:servicePort] } IP/L4 -@@ -1187,7 +1351,9 @@ static __always_inline int dsr_set_ipip4(struct __ctx_buff *ctx, - return DROP_CSUM_L3; - return 0; - } --#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE -+#endif /* DSR_ENCAP_MODE */ -+ -+#if DSR_ENCAP_MODE == DSR_ENCAP_NONE || DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI - static __always_inline int dsr_set_opt4(struct __ctx_buff *ctx, - struct iphdr 
*ip4, __be32 svc_addr, - __be32 svc_port, __be16 *ohead) -@@ -1283,6 +1449,30 @@ static __always_inline int handle_dsr_v4(struct __ctx_buff *ctx, bool *dsr) - return 0; - } - -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+static __always_inline int decap_ipip_v4(struct __ctx_buff *ctx) -+{ -+ void *data, *data_end; -+ struct iphdr *ip4; -+ -+ if (!revalidate_data(ctx, &data, &data_end, &ip4)) -+ return DROP_INVALID; -+ -+ if (ip4->protocol == IPPROTO_IPIP) { -+ if (ip4->ihl != 0x5) -+ return DROP_INVALID; -+ -+ /* This will remove outer iph. Fix me: Not working with XDP */ -+ if (ctx_adjust_hroom(ctx, -(ip4->ihl * 4), -+ BPF_ADJ_ROOM_MAC, -+ ctx_adjust_hroom_dsr_flags()) < 0) { -+ return DROP_INVALID; -+ } -+ } -+ return 0; -+} -+#endif /* DSR_ENCAP_MODE */ -+ - static __always_inline int xlate_dsr_v4(struct __ctx_buff *ctx, - const struct ipv4_ct_tuple *tuple, - int l4_off, bool has_l4_header) -@@ -1406,7 +1596,28 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) - goto drop_err; - } - --#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ ret = dsr_set_opt4(ctx, ip4, -+ ctx_load_meta(ctx, CB_ADDR_V4_2), -+ ctx_load_meta(ctx, CB_SRC_PORT), &ohead); -+ if (unlikely(ret)) { -+ if (dsr_fail_needs_reply(ret)) -+ return dsr_reply_icmp4(ctx, ip4, ret, ohead); -+ goto drop_err; -+ } -+ -+ if (!revalidate_data(ctx, &data, &data_end, &ip4)) { -+ ret = DROP_INVALID; -+ goto drop_err; -+ } -+ -+ ret = dsr_set_ipipcni4(ctx, ip4, -+ ctx_load_meta(ctx, CB_ADDR_V4), -+ ctx_load_meta(ctx, CB_HINT), -+ ctx_load_meta(ctx, CB_SRC_PORT), -+ ctx_load_meta(ctx, CB_ADDR_V4_2), -+ &ohead); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP - ret = dsr_set_ipip4(ctx, ip4, - ctx_load_meta(ctx, CB_ADDR_V4), - ctx_load_meta(ctx, CB_HINT), &ohead); -@@ -1624,6 +1835,12 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx, - - cilium_capture_in(ctx); - -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ ret = decap_ipip_v4(ctx); -+ if (ret != 0) -+ return ret; 
-+#endif /* DSR_ENCAP_MODE */ -+ - if (!revalidate_data(ctx, &data, &data_end, &ip4)) - return DROP_INVALID; - -@@ -1645,7 +1862,11 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx, - - svc = lb4_lookup_service(&key, false, false); - if (svc) { -- const bool skip_l3_xlate = DSR_ENCAP_MODE == DSR_ENCAP_IPIP; -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+ const bool skip_l3_xlate = true; -+#else -+ const bool skip_l3_xlate = false; -+#endif - - if (!lb4_src_range_ok(svc, ip4->saddr)) - return DROP_NOT_IN_SRC_RANGE; -@@ -1770,7 +1991,13 @@ redo: - if (!backend_local) { - edt_set_aggregate(ctx, 0); - if (nodeport_uses_dsr4(&tuple)) { --#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ ctx_store_meta(ctx, CB_HINT, -+ ((__u32)tuple.sport << 16) | tuple.dport); -+ ctx_store_meta(ctx, CB_ADDR_V4, tuple.daddr); -+ ctx_store_meta(ctx, CB_ADDR_V4_2, key.address); -+ ctx_store_meta(ctx, CB_SRC_PORT, key.dport); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP - ctx_store_meta(ctx, CB_HINT, - ((__u32)tuple.sport << 16) | tuple.dport); - ctx_store_meta(ctx, CB_ADDR_V4, tuple.daddr); -diff --git a/bpf/lib/stubs.h b/bpf/lib/stubs.h -index 205bc0461c..a43eb8a894 100644 ---- a/bpf/lib/stubs.h -+++ b/bpf/lib/stubs.h -@@ -12,6 +12,7 @@ - # ifndef DSR_ENCAP_MODE - # define DSR_ENCAP_MODE 0 - # define DSR_ENCAP_IPIP 2 -+# define DSR_ENCAP_IPIP_CNI 3 - # endif - # if defined(ENABLE_IPV4) && defined(ENABLE_MASQUERADE) && !defined(IPV4_MASQUERADE) - # define IPV4_MASQUERADE 0 -diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go -index c39ca94383..ed775bc870 100644 ---- a/daemon/cmd/daemon_main.go -+++ b/daemon/cmd/daemon_main.go -@@ -636,7 +636,7 @@ func initializeFlags() { - flags.String(option.LoadBalancerAlg, option.NodePortAlgRandom, "BPF load balancing algorithm (\"random\", \"maglev\")") - option.BindEnv(option.LoadBalancerAlg) - -- flags.String(option.LoadBalancerDSRDispatch, option.DSRDispatchOption, "BPF load balancing DSR 
dispatch method (\"opt\", \"ipip\")") -+ flags.String(option.LoadBalancerDSRDispatch, option.DSRDispatchOption, "BPF load balancing DSR dispatch method (\"opt\", \"ipip\", \"ipipcni\")") - option.BindEnv(option.LoadBalancerDSRDispatch) - - flags.String(option.LoadBalancerDSRL4Xlate, option.DSRL4XlateFrontend, "BPF load balancing DSR L4 DNAT method for IPIP (\"frontend\", \"backend\")") -diff --git a/daemon/cmd/kube_proxy_replacement.go b/daemon/cmd/kube_proxy_replacement.go -index 9f0fbc0ef8..f2d427e425 100644 ---- a/daemon/cmd/kube_proxy_replacement.go -+++ b/daemon/cmd/kube_proxy_replacement.go -@@ -117,7 +117,8 @@ func initKubeProxyReplacementOptions() (bool, error) { - - if option.Config.NodePortMode == option.NodePortModeDSR && - option.Config.LoadBalancerDSRDispatch != option.DSRDispatchOption && -- option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIP || -+ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIP && -+ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIPCNI || - option.Config.NodePortMode == option.NodePortModeHybrid && - option.Config.LoadBalancerDSRDispatch != option.DSRDispatchOption { - return false, fmt.Errorf("Invalid value for --%s: %s", option.LoadBalancerDSRDispatch, option.Config.LoadBalancerDSRDispatch) -diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml -index 78b406e9d1..ea40fa3863 100644 ---- a/install/kubernetes/cilium/templates/cilium-configmap.yaml -+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml -@@ -625,6 +625,9 @@ data: - {{- if hasKey .Values.loadBalancer "acceleration" }} - bpf-lb-acceleration: {{ .Values.loadBalancer.acceleration | quote }} - {{- end }} -+{{- if hasKey .Values.loadBalancer "dsrL4Translate" }} -+ bpf-lb-dsr-l4-xlate: {{ .Values.loadBalancer.dsrL4Translate | quote }} -+{{- end }} - {{- if hasKey .Values.loadBalancer "dsrDispatch" }} - bpf-lb-dsr-dispatch: {{ 
.Values.loadBalancer.dsrDispatch | quote }} - {{- end }} -diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml -index 32d305094c..6d3006fb1a 100644 ---- a/install/kubernetes/cilium/values.yaml -+++ b/install/kubernetes/cilium/values.yaml -@@ -1367,6 +1367,10 @@ monitor: - # used to pass a service IP and port to remote backend - # dsrDispatch: opt - -+ # -- dsrL4Translate configures whether use frontend or backend to -+ # translate service port -+ # dsrL4Translate: frontend -+ - # -- serviceTopology enables K8s Topology Aware Hints -based service - # endpoints filtering - # serviceTopology: false -diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go -index 71ee9d3f53..d89f07396d 100644 ---- a/pkg/datapath/linux/config/config.go -+++ b/pkg/datapath/linux/config/config.go -@@ -319,6 +319,7 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC - dsrEncapInv = iota - dsrEncapNone - dsrEncapIPIP -+ dsrEncapIPIPCNI - ) - const ( - dsrL4XlateInv = iota -@@ -326,6 +327,7 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC - dsrL4XlateBackend - ) - cDefinesMap["DSR_ENCAP_IPIP"] = fmt.Sprintf("%d", dsrEncapIPIP) -+ cDefinesMap["DSR_ENCAP_IPIP_CNI"] = fmt.Sprintf("%d", dsrEncapIPIPCNI) - cDefinesMap["DSR_ENCAP_NONE"] = fmt.Sprintf("%d", dsrEncapNone) - cDefinesMap["DSR_XLATE_FRONTEND"] = fmt.Sprintf("%d", dsrL4XlateFrontend) - cDefinesMap["DSR_XLATE_BACKEND"] = fmt.Sprintf("%d", dsrL4XlateBackend) -@@ -342,8 +344,11 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC - cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapNone) - } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP { - cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapIPIP) -+ } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIPCNI { -+ cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", 
dsrEncapIPIPCNI) - } -- if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP { -+ if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP || -+ option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIPCNI { - if option.Config.LoadBalancerDSRL4Xlate == option.DSRL4XlateFrontend { - cDefinesMap["DSR_XLATE_MODE"] = fmt.Sprintf("%d", dsrL4XlateFrontend) - } else if option.Config.LoadBalancerDSRL4Xlate == option.DSRL4XlateBackend { -diff --git a/pkg/option/config.go b/pkg/option/config.go -index 7c0eaa8932..5730e3ba2c 100644 ---- a/pkg/option/config.go -+++ b/pkg/option/config.go -@@ -1204,6 +1204,9 @@ const ( - // DSR dispatch mode to encapsulate to IPIP - DSRDispatchIPIP = "ipip" - -+ // DSR dispatch mode to encapsulate to IPIP -+ DSRDispatchIPIPCNI = "ipipcni" -+ - // DSR L4 translation to frontend port - DSRL4XlateFrontend = "frontend" - -@@ -1866,7 +1869,7 @@ type DaemonConfig struct { - NodePortAlg string - - // LoadBalancerDSRDispatch indicates the method for pushing packets to -- // backends under DSR ("opt" or "ipip") -+ // backends under DSR ("opt", "ipip", or "ipipcni") - LoadBalancerDSRDispatch string - - // LoadBalancerDSRL4Xlate indicates the method for L4 DNAT translation -diff --git a/test/k8s/service_helpers.go b/test/k8s/service_helpers.go -index 05d9209b76..8c918be42c 100644 ---- a/test/k8s/service_helpers.go -+++ b/test/k8s/service_helpers.go -@@ -686,6 +686,45 @@ func testNodePortExternal(kubectl *helpers.Kubectl, ni *helpers.NodesInfo, testS - } - } - -+func testNodePortExternalIPv4Only(kubectl *helpers.Kubectl, ni *helpers.NodesInfo, testSecondaryNodePortIP, checkTCP, checkUDP bool) { -+ type svc struct { -+ name string -+ nodeIP string -+ } -+ -+ var ( -+ data v1.Service -+ nodePortService = "test-nodeport" -+ ) -+ -+ services := []svc{{nodePortService, ni.K8s1IP}} -+ -+ if testSecondaryNodePortIP { -+ services = append(services, svc{name: nodePortService, nodeIP: ni.SecondaryK8s1IPv4}) -+ } -+ -+ for _, svc := 
range services { -+ err := kubectl.Get(helpers.DefaultNamespace, fmt.Sprintf("service %s", svc.name)).Unmarshal(&data) -+ ExpectWithOffset(1, err).Should(BeNil(), "Cannot retrieve service") -+ -+ httpURL := getHTTPLink(svc.nodeIP, data.Spec.Ports[0].NodePort) -+ tftpURL := getTFTPLink(svc.nodeIP, data.Spec.Ports[1].NodePort) -+ -+ // Test from external connectivity -+ // Note: -+ // In case of SNAT checkSourceIP is false here since the HTTP request -+ // won't have the client IP but the service IP (given the request comes -+ // from the Cilium node to the backend, not from the client directly). -+ // Same in case of Hybrid mode for UDP. -+ testCurlFromOutside(kubectl, ni, httpURL, 10, checkTCP) -+ testCurlFromOutside(kubectl, ni, tftpURL, 10, checkUDP) -+ -+ // Clear CT tables on all Cilium nodes -+ kubectl.CiliumExecMustSucceedOnAll(context.TODO(), -+ "cilium bpf ct flush global", "Unable to flush CT maps") -+ } -+} -+ - // fromOutside=true tests session affinity implementation from lb.h, while - // fromOutside=false tests from bpf_sock.c. 
- func testSessionAffinity(kubectl *helpers.Kubectl, ni *helpers.NodesInfo, fromOutside, vxlan bool) { -diff --git a/test/k8s/services.go b/test/k8s/services.go -index e4abeb520b..6ff965b280 100644 ---- a/test/k8s/services.go -+++ b/test/k8s/services.go -@@ -716,6 +716,20 @@ Secondary Interface %s :: IPv4: (%s, %s), IPv6: (%s, %s)`, - testNodePortExternal(kubectl, ni, false, true, false) - }) - -+ It("Tests with TC, direct routing, DSR in IPIP", func() { -+ DeployCiliumOptionsAndDNS(kubectl, ciliumFilename, map[string]string{ -+ "loadBalancer.acceleration": "disabled", -+ "loadBalancer.mode": "dsr", -+ "loadBalancer.algorithm": "random", -+ "tunnel": "disabled", -+ "autoDirectNodeRoutes": "true", -+ "loadBalancer.dsrDispatch": "ipipcni", -+ "loadBalancer.dsrL4Translate": "backend", -+ "devices": fmt.Sprintf(`'{%s}'`, ni.PrivateIface), -+ }) -+ testNodePortExternalIPv4Only(kubectl, ni, false, true, true) -+ }) -+ - // Run on net-next and 4.19 but not on old versions, because of - // LRU requirement. - SkipItIf(func() bool { diff --git a/cilium/BRANCH b/cilium/BRANCH index 809bdcb85..d3456a90f 100644 --- a/cilium/BRANCH +++ b/cilium/BRANCH @@ -1 +1 @@ -1.12 +1.13 diff --git a/cilium/Dockerfile b/cilium/Dockerfile index 708d498fd..30f7b2094 100644 --- a/cilium/Dockerfile +++ b/cilium/Dockerfile @@ -1,5 +1,5 @@ -ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.18-focal -ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:20.04 +ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.20-jammy +ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:22.04 ARG DESTDIR=/tmp/install/linux/amd64 # Stage1: build common 
@@ -7,14 +7,14 @@ FROM ${GOLANG_IMAGE} as build-base ARG DESTDIR ENV DESTDIR=${DESTDIR} COPY TAG / -COPY 18449.patch /tmp/ +COPY cilium.patch /tmp/ WORKDIR /go/src/github.com/cilium/cilium RUN mkdir -p ${DESTDIR} \ && VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \ && curl -fsSL "https://github.com/cilium/cilium/archive/v${VERSION}.tar.gz" | \ tar xzf - --strip-components 1 \ - && patch -p1 --no-backup-if-mismatch < /tmp/18449.patch \ + && patch -p1 --no-backup-if-mismatch < /tmp/cilium.patch \ && make licenses-all \ && mv LICENSE.all ${DESTDIR}/LICENSE \ && apt-get update \ @@ -38,6 +38,7 @@ RUN mkdir -p ${DESTDIR} \ FROM build-base as builder COPY workspace/bin/llvm-objcopy /bin/ +COPY workspace/bin/clang workspace/bin/llc /bin/ WORKDIR /go/src/github.com/cilium/cilium ARG LIBNETWORK_PLUGIN ARG DESTDIR diff --git a/cilium/TAG b/cilium/TAG index a94055c67..adb1349e5 100644 --- a/cilium/TAG +++ b/cilium/TAG @@ -1 +1 @@ -1.12.11.1 +1.13.6.1 diff --git a/cilium/cilium.patch b/cilium/cilium.patch new file mode 100644 index 000000000..ee7b965cc --- /dev/null +++ b/cilium/cilium.patch 
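Review bot: The new `&& patch -p1 --no-backup-if-mismatch < /tmp/cilium.patch \` applies a roughly 1400-line patch over a tarball downloaded at build time with patch's default fuzz, so when a later upstream bump shifts the surrounding context the hunks can land at an offset or with fuzz and the image still builds. Because this patch now carries BPF datapath changes, a silently misplaced hunk becomes a runtime behaviour change rather than a build error; `&& patch -p1 --fuzz=0 --no-backup-if-mismatch < /tmp/cilium.patch \` makes the build fail instead, and a comment beside `COPY cilium.patch /tmp/` naming the upstream tag the patch was generated against would make the next rebase unambiguous. The RUN instruction continues past the end of the hunk.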
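Review bot: The added `COPY workspace/bin/clang workspace/bin/llc /bin/` in the `-38,6 +38,7` hunk brings a compiler toolchain into the builder stage with nothing saying where `workspace/bin` is populated or which clang/llc version the v1.13 BPF build expects; the neighbouring `llvm-objcopy` copy has the same gap, but this commit widens it. A one-line comment above the COPY would close it, e.g. `# clang/llc are produced by the cilium image-tools build into workspace/bin and are required to compile bpf/ during the image build` — the origin and purpose stated there are my inference from the surrounding file and should be confirmed before committing the wording. The builder stage continues outside the hunk.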
@@ -0,0 +1,1442 @@ +diff --git a/Documentation/observability/metrics.rst b/Documentation/observability/metrics.rst +index 6d165a185e..265d758b24 100644 +--- a/Documentation/observability/metrics.rst ++++ b/Documentation/observability/metrics.rst +@@ -407,6 +407,17 @@ Name Labels + ``k8s_terminating_endpoints_events_total`` Enabled Number of terminating endpoint events received from Kubernetes + =========================================== ================================================== ========== ======================================================== + ++Kubernetes Rest Client ++~~~~~~~~~~~~~~~~~~~~~~ ++ ++============================================= ============================================= ========== =========================================================== ++Name Labels Default Description ++============================================= ============================================= ========== =========================================================== ++``k8s_client_api_latency_time_seconds`` ``path``, ``method`` Enabled Duration of processed API calls labeled by path and method ++``k8s_client_rate_limiter_duration_seconds`` ``path``, ``method`` Enabled Kubernetes client rate limiter latency in seconds. 
Broken down by path and method ++``k8s_client_api_calls_total`` ``host``, ``method``, ``return_code`` Enabled Number of API calls made to kube-apiserver labeled by host, method and return code ++============================================= ============================================= ========== =========================================================== ++ + IPAM + ~~~~ + +diff --git a/bpf/Makefile b/bpf/Makefile +index ee516eea21..eb4f530ab7 100644 +--- a/bpf/Makefile ++++ b/bpf/Makefile +@@ -213,8 +213,12 @@ XDP_OPTIONS = $(LB_OPTIONS) \ + -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID: \ + -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \ + -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 \ ++ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DDSR_ENCAP_IPIP=2 \ ++ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP_CNI:-DDSR_ENCAP_NONE=2 \ + -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \ +- -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DENABLE_SCTP:-DDSR_ENCAP_NONE=2 ++ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP_CNI:-DDSR_ENCAP_NONE=2 \ ++ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DENABLE_SCTP:-DDSR_ENCAP_NONE=2 \ ++ 
-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DENABLE_SCTP:-DDSR_ENCAP_IPIP=2 + + ifndef MAX_XDP_OPTIONS + MAX_XDP_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_PREFILTER=1 +diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c +index f9bc648ebf..b6129f6620 100644 +--- a/bpf/bpf_host.c ++++ b/bpf/bpf_host.c +@@ -552,7 +552,8 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx, + if (vtep->vtep_mac && vtep->tunnel_endpoint) { + if (eth_store_daddr(ctx, (__u8 *)&vtep->vtep_mac, 0) < 0) + return DROP_WRITE_ERROR; +- return __encap_and_redirect_with_nodeid(ctx, vtep->tunnel_endpoint, ++ return __encap_and_redirect_with_nodeid(ctx, ++ vtep->tunnel_endpoint, + secctx, WORLD_ID, WORLD_ID, &trace); + } + } +@@ -562,7 +563,8 @@ skip_vtep: + #ifdef TUNNEL_MODE + info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN); + if (info != NULL && info->tunnel_endpoint != 0) { +- return encap_and_redirect_with_nodeid(ctx, info->tunnel_endpoint, ++ return encap_and_redirect_with_nodeid(ctx, ++ info->tunnel_endpoint, + secctx, info->sec_label, + &trace); + } else { +@@ -1052,9 +1054,9 @@ int cil_from_netdev(struct __ctx_buff *ctx) + edt_set_aggregate(ctx, 0); + + ret = __encap_and_redirect_with_nodeid(ctx, ctx_get_xfer(ctx, XFER_ENCAP_NODEID), +- ctx_get_xfer(ctx, XFER_ENCAP_SECLABEL), +- ctx_get_xfer(ctx, XFER_ENCAP_DSTID), +- NOT_VTEP_DST, &trace); ++ ctx_get_xfer(ctx, XFER_ENCAP_SECLABEL), ++ ctx_get_xfer(ctx, XFER_ENCAP_DSTID), ++ NOT_VTEP_DST, &trace); + + if (IS_ERR(ret)) + goto drop_err; +diff --git a/bpf/complexity-tests/419/bpf_host.txt b/bpf/complexity-tests/419/bpf_host.txt +index 76404252d6..0d7b3ac3c5 100644 +--- a/bpf/complexity-tests/419/bpf_host.txt ++++ b/bpf/complexity-tests/419/bpf_host.txt +@@ -1,3 +1,6 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 
-DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 
-DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 + -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 +diff --git a/bpf/complexity-tests/419/bpf_lxc.txt b/bpf/complexity-tests/419/bpf_lxc.txt +index 76404252d6..76683a1480 100644 +--- a/bpf/complexity-tests/419/bpf_lxc.txt ++++ b/bpf/complexity-tests/419/bpf_lxc.txt +@@ -1,3 +1,6 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 
-DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 
-DENABLE_CLUSTER_AWARE_ADDRESSING=1 + -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 +diff --git a/bpf/complexity-tests/419/bpf_overlay.txt b/bpf/complexity-tests/419/bpf_overlay.txt +index 851b907098..3684ec9729 100644 +--- a/bpf/complexity-tests/419/bpf_overlay.txt ++++ b/bpf/complexity-tests/419/bpf_overlay.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 
-DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 -DENABLE_INTER_CLUSTER_SNAT=1 +diff --git a/bpf/complexity-tests/419/bpf_sock.txt b/bpf/complexity-tests/419/bpf_sock.txt +index b0324fb85a..ed0d508a96 100644 +--- a/bpf/complexity-tests/419/bpf_sock.txt ++++ b/bpf/complexity-tests/419/bpf_sock.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_NAT_46X64_GATEWAY=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 
-DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_NAT_46X64_GATEWAY=1 +diff --git a/bpf/complexity-tests/419/bpf_xdp.txt b/bpf/complexity-tests/419/bpf_xdp.txt +index ce88402a08..c07ac041d1 100644 +--- a/bpf/complexity-tests/419/bpf_xdp.txt ++++ b/bpf/complexity-tests/419/bpf_xdp.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 +diff --git a/bpf/complexity-tests/54/bpf_host.txt b/bpf/complexity-tests/54/bpf_host.txt +index d843f2646a..1c7e786f8d 100644 +--- 
a/bpf/complexity-tests/54/bpf_host.txt ++++ b/bpf/complexity-tests/54/bpf_host.txt +@@ -1,3 +1,6 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 
-DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 + -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 
-DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 +diff --git a/bpf/complexity-tests/54/bpf_lxc.txt b/bpf/complexity-tests/54/bpf_lxc.txt +index 7b1df33478..afc1d0d9fa 100644 +--- a/bpf/complexity-tests/54/bpf_lxc.txt ++++ b/bpf/complexity-tests/54/bpf_lxc.txt +@@ -1,3 +1,7 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 
-DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 + -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 
-DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DDSR_ENCAP_IPIP_CNI=1 +diff --git a/bpf/complexity-tests/54/bpf_overlay.txt b/bpf/complexity-tests/54/bpf_overlay.txt +index 906b7c10bf..04083bfd57 100644 +--- a/bpf/complexity-tests/54/bpf_overlay.txt ++++ b/bpf/complexity-tests/54/bpf_overlay.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 
-DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 -DENABLE_INTER_CLUSTER_SNAT=1 +diff --git a/bpf/complexity-tests/54/bpf_sock.txt b/bpf/complexity-tests/54/bpf_sock.txt +index 9cb3a62cf9..63a421d814 100644 +--- a/bpf/complexity-tests/54/bpf_sock.txt ++++ b/bpf/complexity-tests/54/bpf_sock.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP -DENABLE_NAT_46X64_GATEWAY=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 
-DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 -DENABLE_NAT_46X64_GATEWAY=1 +diff --git a/bpf/complexity-tests/54/bpf_xdp.txt b/bpf/complexity-tests/54/bpf_xdp.txt +index a7bc3cc0c8..b80fdc21c3 100644 +--- a/bpf/complexity-tests/54/bpf_xdp.txt ++++ b/bpf/complexity-tests/54/bpf_xdp.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 
-DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 +diff --git a/bpf/complexity-tests/netnext/bpf_host.txt b/bpf/complexity-tests/netnext/bpf_host.txt +index c8b73222ef..625dfad6bd 100644 +--- a/bpf/complexity-tests/netnext/bpf_host.txt ++++ b/bpf/complexity-tests/netnext/bpf_host.txt +@@ -1,3 +1,6 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 
-DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 + -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 
-DENABLE_VTEP=1 -DENABLE_SCTP=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 +diff --git a/bpf/complexity-tests/netnext/bpf_lxc.txt b/bpf/complexity-tests/netnext/bpf_lxc.txt +index fc2dc5ffbf..c662d69709 100644 +--- a/bpf/complexity-tests/netnext/bpf_lxc.txt ++++ b/bpf/complexity-tests/netnext/bpf_lxc.txt +@@ -1,3 +1,6 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 
-DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 
-DENABLE_CLUSTER_AWARE_ADDRESSING=1 + -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 +diff --git a/bpf/complexity-tests/netnext/bpf_overlay.txt b/bpf/complexity-tests/netnext/bpf_overlay.txt +index ccbfa1d0a1..c01f2c2a9d 100644 +--- a/bpf/complexity-tests/netnext/bpf_overlay.txt ++++ b/bpf/complexity-tests/netnext/bpf_overlay.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 
-DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 -DENABLE_INTER_CLUSTER_SNAT=1 +diff --git a/bpf/complexity-tests/netnext/bpf_sock.txt b/bpf/complexity-tests/netnext/bpf_sock.txt +index 59630d1f58..09100196f3 100644 +--- a/bpf/complexity-tests/netnext/bpf_sock.txt ++++ b/bpf/complexity-tests/netnext/bpf_sock.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 
-DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP -DENABLE_NAT_46X64_GATEWAY=1 ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 -DENABLE_NAT_46X64_GATEWAY=1 +diff --git a/bpf/complexity-tests/netnext/bpf_xdp.txt b/bpf/complexity-tests/netnext/bpf_xdp.txt +index 790c69a73d..c928c7ca8a 100644 +--- a/bpf/complexity-tests/netnext/bpf_xdp.txt ++++ b/bpf/complexity-tests/netnext/bpf_xdp.txt +@@ -1 +1,2 @@ + -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 
-DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP ++-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 +diff --git a/bpf/include/bpf/ctx/common.h b/bpf/include/bpf/ctx/common.h +index ca64a1c817..ad012df18c 100644 +--- a/bpf/include/bpf/ctx/common.h ++++ b/bpf/include/bpf/ctx/common.h +@@ -33,4 +33,9 @@ static __always_inline bool ctx_no_room(const void *needed, const void *limit) + return unlikely(needed > limit); + } + ++static __always_inline bool ctx_is_skb(void) ++{ ++ return __ctx_is == __ctx_skb; ++} ++ + #endif /* __BPF_CTX_COMMON_H_ */ +diff --git a/bpf/include/bpf/ctx/skb.h b/bpf/include/bpf/ctx/skb.h +index 01fa3f78fc..1a315242ab 100644 +--- a/bpf/include/bpf/ctx/skb.h ++++ b/bpf/include/bpf/ctx/skb.h +@@ -46,6 +46,9 @@ + #define ctx_get_tunnel_key skb_get_tunnel_key + #define ctx_set_tunnel_key skb_set_tunnel_key + ++#define ctx_get_tunnel_opt skb_get_tunnel_opt ++#define ctx_set_tunnel_opt skb_set_tunnel_opt ++ + #define ctx_event_output skb_event_output + + #define ctx_adjust_meta ({ -ENOTSUPP; }) +diff --git a/bpf/include/bpf/ctx/xdp.h b/bpf/include/bpf/ctx/xdp.h +index 13aa821e48..3ff617e030 100644 +--- a/bpf/include/bpf/ctx/xdp.h ++++ b/bpf/include/bpf/ctx/xdp.h +@@ -100,6 +100,9 @@ 
xdp_store_bytes(const struct xdp_md *ctx, __u64 off, const void *from, + #define ctx_get_tunnel_key xdp_get_tunnel_key__stub + #define ctx_set_tunnel_key xdp_set_tunnel_key__stub + ++#define ctx_get_tunnel_opt xdp_get_tunnel_opt__stub ++#define ctx_set_tunnel_opt xdp_set_tunnel_opt__stub ++ + #define ctx_event_output xdp_event_output + + #define ctx_adjust_meta xdp_adjust_meta +diff --git a/bpf/include/bpf/helpers_skb.h b/bpf/include/bpf/helpers_skb.h +index d4bce19723..b3b3e47c24 100644 +--- a/bpf/include/bpf/helpers_skb.h ++++ b/bpf/include/bpf/helpers_skb.h +@@ -49,6 +49,11 @@ static int BPF_FUNC(skb_set_tunnel_key, struct __sk_buff *skb, + const struct bpf_tunnel_key *from, __u32 size, + __u32 flags); + ++static int BPF_FUNC(skb_get_tunnel_opt, struct __sk_buff *skb, ++ void *opt, __u32 size); ++static int BPF_FUNC(skb_set_tunnel_opt, struct __sk_buff *skb, ++ void *opt, __u32 size); ++ + /* Events for user space */ + static int BPF_FUNC_REMAP(skb_event_output, struct __sk_buff *skb, void *map, + __u64 index, const void *data, __u32 size) = +diff --git a/bpf/include/bpf/helpers_xdp.h b/bpf/include/bpf/helpers_xdp.h +index 98500a5407..3da9c95955 100644 +--- a/bpf/include/bpf/helpers_xdp.h ++++ b/bpf/include/bpf/helpers_xdp.h +@@ -47,6 +47,11 @@ static int BPF_STUB(xdp_set_tunnel_key, struct xdp_md *xdp, + const struct bpf_tunnel_key *from, __u32 size, + __u32 flags); + ++static int BPF_STUB(xdp_get_tunnel_opt, struct xdp_md *xdp, void *opt, ++ __u32 size); ++static int BPF_STUB(xdp_set_tunnel_opt, struct xdp_md *xdp, void *opt, ++ __u32 size); ++ + /* Events for user space */ + static int BPF_FUNC_REMAP(xdp_event_output, struct xdp_md *xdp, void *map, + __u64 index, const void *data, __u32 size) = +diff --git a/bpf/lib/common.h b/bpf/lib/common.h +index 866a60c852..5620b76612 100644 +--- a/bpf/lib/common.h ++++ b/bpf/lib/common.h +@@ -46,7 +46,8 @@ + #define CONDITIONAL_PREALLOC BPF_F_NO_PREALLOC + #endif + +-#if defined(ENCAP_IFINDEX) || 
defined(ENABLE_EGRESS_GATEWAY) ++#if defined(ENCAP_IFINDEX) || defined(ENABLE_EGRESS_GATEWAY) || \ ++ (defined(ENABLE_DSR) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE) + #define HAVE_ENCAP + + /* NOT_VTEP_DST is passed to an encapsulation function when the +@@ -75,6 +76,8 @@ enum { + XFER_ENCAP_NODEID = 1, + XFER_ENCAP_SECLABEL = 2, + XFER_ENCAP_DSTID = 3, ++ XFER_ENCAP_PORT = 4, ++ XFER_ENCAP_ADDR = 5, + }; + + /* These are shared with test/bpf/check-complexity.sh, when modifying any of +@@ -534,6 +537,7 @@ enum { + #define DROP_NAT46 -187 + #define DROP_NAT64 -188 + #define DROP_POLICY_AUTH_REQUIRED -189 ++#define DROP_DSR_ENCAP_UNSUPP_PROTO -193 + #define DROP_NO_EGRESS_GATEWAY -194 + #define DROP_TTL_EXCEEDED -196 + #define DROP_NO_NODE_ID -197 +@@ -641,6 +645,27 @@ enum metric_dir { + #define DSR_IPV6_OPT_LEN (sizeof(struct dsr_opt_v6) - 4) + #define DSR_IPV6_EXT_LEN ((sizeof(struct dsr_opt_v6) - 8) / 8) + ++/* The high-order bit of the Geneve option type indicates that ++ * this is a critical option. ++ * ++ * https://www.rfc-editor.org/rfc/rfc8926.html#name-tunnel-options ++ */ ++#define GENEVE_OPT_TYPE_CRIT 0x80 ++ ++/* Geneve option used to carry service addr and port for DSR. 
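Review bot: `DROP_DSR_ENCAP_UNSUPP_PROTO` (-193) is added to the drop-code list, but none of the hunks visible in this patch return it, so it is either consumed elsewhere in the patch or dead on arrival; the obvious consumer would be the IPv6 DSR tail call in nodeport.h, which sets `ret = 0` for the Geneve and IPIP_CNI modes instead of reporting that the mode is unsupported. Drop codes are presumably also mirrored in the agent's drop-reason table on the Go side, so a BPF-only define would show up as an unknown reason in monitor/Hubble output until that table gets a matching entry — worth confirming. A short comment next to the define naming the path that emits it, e.g. `/* DSR Geneve/IPIP_CNI encap requested for an L3/L4 protocol it does not support */`, would make the intent checkable.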
++ * ++ * Class = 0x014B (Cilium according to [1]) ++ * Type = 0x1 (vendor-specific) ++ * ++ * [1]: https://www.iana.org/assignments/nvo3/nvo3.xhtml#geneve-option-class ++ */ ++#define DSR_GENEVE_OPT_CLASS 0x014B ++#define DSR_GENEVE_OPT_TYPE (GENEVE_OPT_TYPE_CRIT | 0x01) ++#define DSR_IPV4_GENEVE_OPT_LEN \ ++ ((sizeof(struct geneve_dsr_opt4) - sizeof(struct geneve_opt_hdr)) / 4) ++#define DSR_IPV6_GENEVE_OPT_LEN \ ++ ((sizeof(struct geneve_dsr_opt6) - sizeof(struct geneve_opt_hdr)) / 4) ++ + /* We cap key index at 4 bits because mark value is used to map ctx to key */ + #define MAX_KEY_INDEX 15 + +@@ -698,12 +723,17 @@ enum { + CB_POLICY, + #define CB_ADDR_V6_2 CB_POLICY /* Alias, non-overlapping */ + #define CB_BACKEND_ID CB_POLICY /* Alias, non-overlapping */ ++#define CB_SRC_PORT CB_POLICY /* Alias, non-overlapping */ + #define CB_SRV6_SID_3 CB_POLICY /* Alias, non-overlapping */ + #define CB_ENCAP_DSTID CB_POLICY /* XDP */ ++#define CB_DSR_SRC_LABEL CB_POLICY /* Alias, non-overlapping */ + CB_NAT, + #define CB_ADDR_V6_3 CB_NAT /* Alias, non-overlapping */ + #define CB_FROM_HOST CB_NAT /* Alias, non-overlapping */ ++#define CB_ADDR_V4_2 CB_NAT /* Alias, non-overlapping */ + #define CB_SRV6_SID_4 CB_NAT /* Alias, non-overlapping */ ++#define CB_ENCAP_PORT CB_NAT /* XDP */ ++#define CB_DSR_L3_OFF CB_NAT /* Alias, non-overlapping */ + CB_CT_STATE, + #define CB_ADDR_V6_4 CB_CT_STATE /* Alias, non-overlapping */ + #define CB_ENCRYPT_IDENTITY CB_CT_STATE /* Alias, non-overlapping, +@@ -715,6 +745,7 @@ enum { + */ + #define CB_CUSTOM_CALLS CB_CT_STATE /* Alias, non-overlapping */ + #define CB_SRV6_VRF_ID CB_CT_STATE /* Alias, non-overlapping */ ++#define CB_ENCAP_ADDR CB_CT_STATE /* XDP */ + }; + + /* Magic values for CB_FROM_HOST. 
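Review bot: The new aliases `CB_SRC_PORT` and `CB_DSR_SRC_LABEL` both map to `CB_POLICY`, and `CB_ADDR_V4_2`, `CB_ENCAP_PORT` and `CB_DSR_L3_OFF` all map to `CB_NAT`, each tagged "non-overlapping" without saying which code path owns the slot; from the nodeport.h hunks, `tail_nodeport_ipv4_dsr` reads `CB_ADDR_V4_2`/`CB_SRC_PORT` in IPIP_CNI mode and `CB_DSR_L3_OFF` in Geneve mode, so they only stay non-overlapping as long as one DSR mode never needs two of them at once. I would record the owner in the comment so the next alias added here cannot silently collide, e.g. `#define CB_ADDR_V4_2 CB_NAT /* Alias, DSR IPIP_CNI only */` and `#define CB_DSR_L3_OFF CB_NAT /* Alias, DSR Geneve only */`. Where `CB_DSR_SRC_LABEL` and `CB_ENCAP_PORT` are written is outside the hunks shown, so their owners should be named by whoever adds the readers.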
+@@ -1090,6 +1121,51 @@ struct lpm_val { + __u8 flags; + }; + ++struct geneve_opt_hdr { ++ __be16 opt_class; ++ __u8 type; ++#ifdef __LITTLE_ENDIAN_BITFIELD ++ __u8 length:5, ++ rsvd:3; ++#else ++ __u8 rsvd:3, ++ length:5; ++#endif ++}; ++ ++struct geneve_dsr_opt4 { ++ struct geneve_opt_hdr hdr; ++ __be32 addr; ++ __be16 port; ++ __u16 pad; ++}; ++ ++struct geneve_dsr_opt6 { ++ struct geneve_opt_hdr hdr; ++ union v6addr addr; ++ __be16 port; ++ __u16 pad; ++}; ++ ++struct genevehdr { ++#ifdef __LITTLE_ENDIAN_BITFIELD ++ __u8 opt_len:6, ++ ver:2; ++ __u8 rsvd:6, ++ critical:1, ++ control:1; ++#else ++ __u8 ver:2, ++ opt_len:6; ++ __u8 control:1, ++ critical:1, ++ rsvd:6; ++#endif ++ __be16 protocol_type; ++ __u8 vni[3]; ++ __u8 reserved; ++}; ++ + #include "overloadable.h" + + #endif /* __LIB_COMMON_H_ */ +diff --git a/bpf/lib/encap.h b/bpf/lib/encap.h +index 982128d3d1..74c7260195 100644 +--- a/bpf/lib/encap.h ++++ b/bpf/lib/encap.h +@@ -92,7 +92,8 @@ __encap_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint, + + cilium_dbg(ctx, DBG_ENCAP, node_id, seclabel); + +- ret = ctx_set_encap_info(ctx, node_id, seclabel, dstid, vni, ifindex); ++ ret = ctx_set_encap_info(ctx, node_id, seclabel, dstid, vni, ++ NULL, 0, ifindex); + if (ret == CTX_ACT_REDIRECT) + send_trace_notify(ctx, TRACE_TO_OVERLAY, seclabel, dstid, 0, *ifindex, + ct_reason, monitor); +@@ -126,7 +127,8 @@ encap_and_redirect_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint, + __u32 seclabel, __u32 dstid, + const struct trace_ctx *trace) + { +- return __encap_and_redirect_with_nodeid(ctx, tunnel_endpoint, seclabel, dstid, NOT_VTEP_DST, ++ return __encap_and_redirect_with_nodeid(ctx, tunnel_endpoint, seclabel, ++ dstid, NOT_VTEP_DST, + trace); + } + +@@ -155,6 +157,7 @@ __encap_and_redirect_lxc(struct __ctx_buff *ctx, __u32 tunnel_endpoint, + * apply the correct reverse DNAT. + * See #14674 for details. 
+ */ ++ + ret = __encap_with_nodeid(ctx, tunnel_endpoint, seclabel, dstid, NOT_VTEP_DST, + trace->reason, trace->monitor, &ifindex); + if (ret != CTX_ACT_REDIRECT) +@@ -222,5 +225,58 @@ encap_and_redirect_netdev(struct __ctx_buff *ctx, struct tunnel_key *k, + } + #endif /* TUNNEL_MODE */ + ++#if defined(ENABLE_DSR) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE ++static __always_inline int ++__encap_with_nodeid_opt(struct __ctx_buff *ctx, ++ __u32 tunnel_endpoint, ++ __u32 seclabel, __u32 dstid, __u32 vni, ++ void *opt, __u32 opt_len, ++ enum trace_reason ct_reason, ++ __u32 monitor, __u32 *ifindex) ++{ ++ __u32 node_id; ++ ++ /* When encapsulating, a packet originating from the local host is ++ * being considered as a packet from a remote node as it is being ++ * received. ++ */ ++ if (seclabel == HOST_ID) ++ seclabel = LOCAL_NODE_ID; ++ ++ node_id = bpf_ntohl(tunnel_endpoint); ++ ++ cilium_dbg(ctx, DBG_ENCAP, node_id, seclabel); ++ ++ send_trace_notify(ctx, TRACE_TO_OVERLAY, seclabel, dstid, 0, *ifindex, ++ ct_reason, monitor); ++ ++ /* dstid is unused. 
*/ ++ return ctx_set_encap_info(ctx, node_id, seclabel, 0, vni, opt, ++ opt_len, ifindex); ++} ++ ++static __always_inline void ++set_geneve_dsr_opt4(__be16 port, __be32 addr, struct geneve_dsr_opt4 *gopt) ++{ ++ memset(gopt, 0, sizeof(*gopt)); ++ gopt->hdr.opt_class = bpf_htons(DSR_GENEVE_OPT_CLASS); ++ gopt->hdr.type = DSR_GENEVE_OPT_TYPE; ++ gopt->hdr.length = DSR_IPV4_GENEVE_OPT_LEN; ++ gopt->addr = addr; ++ gopt->port = port; ++} ++ ++static __always_inline void ++set_geneve_dsr_opt6(__be16 port, const union v6addr *addr, ++ struct geneve_dsr_opt6 *gopt) ++{ ++ memset(gopt, 0, sizeof(*gopt)); ++ gopt->hdr.opt_class = bpf_htons(DSR_GENEVE_OPT_CLASS); ++ gopt->hdr.type = DSR_GENEVE_OPT_TYPE; ++ gopt->hdr.length = DSR_IPV6_GENEVE_OPT_LEN; ++ ipv6_addr_copy((union v6addr *)&gopt->addr, addr); ++ gopt->port = port; ++} ++#endif /* ENABLE_DSR && DSR_ENCAP_GENEVE */ + #endif /* HAVE_ENCAP */ + #endif /* __LIB_ENCAP_H_ */ +diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h +index b247fcb6c9..63e52ab936 100644 +--- a/bpf/lib/nodeport.h ++++ b/bpf/lib/nodeport.h +@@ -59,6 +59,31 @@ static __always_inline bool nodeport_uses_dsr(__u8 nexthdr __maybe_unused) + # endif + } + ++#ifdef HAVE_ENCAP ++static __always_inline int ++nodeport_add_tunnel_encap(struct __ctx_buff *ctx, ++ __be32 dst_ip, __u32 src_sec_identity, __u32 dst_sec_identity, ++ enum trace_reason ct_reason, __u32 monitor, __u32 *ifindex) ++{ ++ return __encap_with_nodeid(ctx, dst_ip, ++ src_sec_identity, dst_sec_identity, NOT_VTEP_DST, ++ ct_reason, monitor, ifindex); ++} ++ ++# if defined(ENABLE_DSR) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE ++static __always_inline int ++nodeport_add_tunnel_encap_opt(struct __ctx_buff *ctx, ++ __be32 dst_ip, __u32 src_sec_identity, __u32 dst_sec_identity, ++ void *opt, __u32 opt_len, enum trace_reason ct_reason, ++ __u32 monitor, __u32 *ifindex) ++{ ++ return __encap_with_nodeid_opt(ctx, dst_ip, ++ src_sec_identity, dst_sec_identity, NOT_VTEP_DST, ++ opt, opt_len, ct_reason, 
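Review bot: In `__encap_with_nodeid_opt`, `send_trace_notify` runs before `ctx_set_encap_info`, so the trace event reports `*ifindex` before the encap helper has filled it in (callers such as `tail_nodeport_ipv4_dsr` initialise it to 0) and it fires even when the encap fails; the `__encap_with_nodeid` hunk above only emits the trace once `ret == CTX_ACT_REDIRECT`. I would mirror that ordering: `ret = ctx_set_encap_info(ctx, node_id, seclabel, 0, vni, opt, opt_len, ifindex); if (ret == CTX_ACT_REDIRECT) send_trace_notify(ctx, TRACE_TO_OVERLAY, seclabel, dstid, 0, *ifindex, ct_reason, monitor); return ret;`. The `/* dstid is unused. */` line is also misleading as written, since `dstid` is used by the trace call two lines above; `/* dstid only feeds the trace event; the encap itself carries no destination identity */` says what is meant.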
monitor, ifindex); ++} ++# endif ++#endif /* HAVE_ENCAP */ ++ + static __always_inline bool + bpf_skip_recirculation(const struct __ctx_buff *ctx __maybe_unused) + { +@@ -528,10 +553,15 @@ int tail_nodeport_ipv6_dsr(struct __ctx_buff *ctx) + ctx_load_meta(ctx, CB_HINT), &ohead); + #elif DSR_ENCAP_MODE == DSR_ENCAP_NONE + ret = dsr_set_ext6(ctx, ip6, &addr, port, &ohead); ++#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI ++ /* To do, add support for ipv6 */ ++ ret = 0; ++#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE ++ ret = 0; + #else + # error "Invalid load balancer DSR encapsulation mode!" + #endif +- if (unlikely(ret)) { ++ if (IS_ERR(ret)) { + if (dsr_fail_needs_reply(ret)) + return dsr_reply_icmp6(ctx, ip6, &addr, port, ret, ohead); + goto drop_err; +@@ -850,6 +880,7 @@ int tail_nodeport_nat_egress_ipv6(struct __ctx_buff *ctx) + dst = (union v6addr *)&ip6->daddr; + info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN); + if (info && info->tunnel_endpoint != 0) { ++ /* FIX ME: IPv6 is not used, so src_ip and src_port are 0 as a dummy value. */ + ret = __encap_with_nodeid(ctx, info->tunnel_endpoint, + WORLD_ID, + info->sec_label, +@@ -967,7 +998,11 @@ static __always_inline int nodeport_lb6(struct __ctx_buff *ctx, + + svc = lb6_lookup_service(&key, false, false); + if (svc) { +- const bool skip_l3_xlate = DSR_ENCAP_MODE == DSR_ENCAP_IPIP; ++#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP ++ const bool skip_l3_xlate = true; ++#else ++ const bool skip_l3_xlate = false; ++#endif + + if (!lb6_src_range_ok(svc, (union v6addr *)&ip6->saddr)) + return DROP_NOT_IN_SRC_RANGE; +@@ -1217,6 +1252,7 @@ static __always_inline int rev_nodeport_lb6(struct __ctx_buff *ctx, __u32 *ifind + + info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN); + if (info != NULL && info->tunnel_endpoint != 0) { ++ /* FIX ME: IPv6 is not used, so src_ip and src_port are 0 as a dummy value. 
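Review bot: For `DSR_ENCAP_GENEVE` and `DSR_ENCAP_IPIP_CNI` the IPv6 DSR tail call now sets `ret = 0`, so an IPv6 service packet continues towards the backend carrying no DSR information at all, and the backend node presumably has nothing to reverse the translation with; a silent pass-through is much harder to diagnose than a drop. If IPv6 DSR is intentionally unsupported in these modes, say so explicitly with `ret = DROP_DSR_ENCAP_UNSUPP_PROTO;` (the code this patch adds to common.h) or at least give the Geneve case the same `/* To do */` note the IPIP_CNI case has. The switch from `unlikely(ret)` to `IS_ERR(ret)` is fine as long as every mode returns negative drop codes on failure, which the visible `dsr_set_ext6` call appears to do. `tail_nodeport_ipv6_dsr` begins above this hunk.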
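Review bot: The new `FIX ME` comment says "src_ip and src_port are 0 as a dummy value", but the `__encap_with_nodeid` call beneath it passes only the tunnel endpoint, the two identities, the vni, the trace fields and `ifindex` — the same argument list the new `nodeport_add_tunnel_encap` wrapper uses — so the comment describes arguments that do not exist and will confuse the next reader. Either remove it or state the actual limitation, e.g. `/* FIXME: IPv6 DSR Geneve is not implemented; this path encapsulates without a DSR option. */`; the identical text is repeated in the `rev_nodeport_lb6` hunk below.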
*/ + return __encap_with_nodeid(ctx, info->tunnel_endpoint, + SECLABEL, info->sec_label, + NOT_VTEP_DST, +@@ -1466,7 +1502,7 @@ static __always_inline int nodeport_snat_fwd_ipv4(struct __ctx_buff *ctx) + } + + #ifdef ENABLE_DSR +-#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP ++#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP || DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI + static __always_inline __be32 rss_gen_src4(__be32 client, __be32 l4_hint) + { + const __u32 bits = 32 - IPV4_RSS_PREFIX_BITS; +@@ -1476,6 +1512,237 @@ static __always_inline __be32 rss_gen_src4(__be32 client, __be32 l4_hint) + src |= bpf_htonl(hash_32(client ^ l4_hint, bits)); + return src; + } ++#endif /*DSR_ENCAP_MODE*/ ++ ++#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI ++/* ++ * Original packet: [clientIP:clientPort -> serviceIP:servicePort] } IP/L4 ++ * ++ * After DSR IPIP: [rssSrcIP -> backendIP] } IP ++ * [clientIP:clientPort -> backendIP:backendPort] } IP/L4 ++ */ ++static __always_inline int dsr_set_ipipcni4(struct __ctx_buff *ctx, ++ const struct iphdr *ip4, ++ __be32 backend_addr, ++ __be32 l4_hint, ++ __be16 svc_port, ++ __be32 svc_addr, ++ __be16 *ohead) ++{ ++ __u16 tot_len = bpf_ntohs(ip4->tot_len) + sizeof(*ip4); ++ const int l3_off = ETH_HLEN; ++ const int l4_off = ETH_HLEN + sizeof(struct iphdr); ++ __be16 id, frag_off; ++ __be32 sum, sum_old; ++ __u8 ihlver, tos; ++ ++ struct iphds { ++#if defined(__LITTLE_ENDIAN_BITFIELD) ++ __u8 ihl:4, ++ version:4; ++#elif defined(__BIG_ENDIAN_BITFIELD) ++ __u8 version:4, ++ ihl:4; ++#else ++#error "Please fix " ++#endif ++ __u8 tos; ++ __be16 tot_len; ++ __be16 id; ++ __u8 ttl; ++ __u8 protocol; ++ __be32 saddr; ++ __be32 daddr; ++ struct dsr_opt_v4 opt; ++ }; ++ ++ struct iphds tp_old = { ++ .ihl = ip4->ihl, ++ .version = ip4->version, ++ .tot_len = ip4->tot_len, ++ .ttl = ip4->ttl, ++ .protocol = ip4->protocol, ++ .saddr = ip4->saddr, ++ .daddr = ip4->daddr, ++ .opt = { ++ .type = DSR_IPV4_OPT_TYPE, ++ .len = sizeof(struct dsr_opt_v4), ++ .port = bpf_htons(svc_port), ++ 
.addr = bpf_htonl(svc_addr), ++ }, ++ }, tp_new = { ++ .ihl = 5, ++ .version = ip4->version, ++ .tot_len = bpf_htons(tot_len), ++ .ttl = IPDEFTTL, ++ .protocol = IPPROTO_IPIP, ++ .saddr = rss_gen_src4(ip4->saddr, l4_hint), ++ .daddr = backend_addr, ++ .opt = { ++ .type = 0, ++ .len = 0, ++ .port = 0, ++ .addr = 0, ++ }, ++ }; ++ ++ if (ip4->protocol == IPPROTO_TCP) { ++ union tcp_flags tcp_flags = { .value = 0 }; ++ ++ if (ctx_load_bytes(ctx, ETH_HLEN + ip4->ihl * 4 + 12, ++ &tcp_flags, 2) < 0) ++ return DROP_CT_INVALID_HDR; ++ ++ /* Encap with IP-in-IP is required only for the first packet ++ * (SYN), in the case of TCP, as for further packets of the ++ * same connection a remote node will use a NAT entry to ++ * reverse xlate a reply. ++ */ ++ if (!(tcp_flags.value & (TCP_FLAG_SYN))) ++ return 0; ++ } ++ ++ if (dsr_is_too_big(ctx, tot_len)) { ++ *ohead = sizeof(*ip4); ++ return DROP_FRAG_NEEDED; ++ } ++ ++ if (ip4->ihl == 0x5) { ++ tp_old.opt.type = 0; ++ tp_old.opt.len = 0; ++ tp_old.opt.port = 0; ++ tp_old.opt.addr = 0; ++ } ++ ++ if (ctx_adjust_hroom(ctx, sizeof(*ip4), BPF_ADJ_ROOM_NET, ++ ctx_adjust_hroom_dsr_flags())) ++ return DROP_INVALID; ++ ++ sum = csum_diff(&tp_old, 24, &tp_new, 24, 0); ++ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, tos), ++ &tos, sizeof(tos)) < 0) ++ return DROP_CT_INVALID_HDR; ++ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, id), ++ &id, sizeof(id)) < 0) ++ return DROP_CT_INVALID_HDR; ++ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, frag_off), ++ &frag_off, sizeof(frag_off)) < 0) ++ return DROP_CT_INVALID_HDR; ++ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, check), ++ &sum_old, sizeof(sum_old)) < 0) ++ return DROP_CT_INVALID_HDR; ++ ++ ihlver = *((__u8 *)&tp_new); ++ if (ctx_store_bytes(ctx, l3_off, ++ &ihlver, 1, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, tot_len), ++ &tp_new.tot_len, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if 
(ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, ttl), ++ &tp_new.ttl, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), ++ &tp_new.saddr, 8, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (l3_csum_replace(ctx, l3_off + offsetof(struct iphdr, check), ++ 0, sum, 0) < 0) ++ return DROP_CSUM_L3; ++ ++ ihlver = *((__u8 *)&tp_old); ++ if (ctx_store_bytes(ctx, l4_off, ++ &ihlver, 1, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, tos), ++ &tos, 1, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, tot_len), ++ &tp_old.tot_len, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, id), ++ &id, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, frag_off), ++ &frag_off, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, ttl), ++ &tp_old.ttl, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, check), ++ &sum_old, 2, 0) < 0) ++ return DROP_WRITE_ERROR; ++ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, saddr), ++ &tp_old.saddr, 8, 0) < 0) ++ return DROP_WRITE_ERROR; ++ return 0; ++} ++#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE ++static __always_inline int encap_geneve_dsr_opt4(struct __ctx_buff *ctx, int l3_off __maybe_unused, ++ struct iphdr *ip4, __be32 svc_addr, ++ __be16 svc_port, __u32 *ifindex, __be16 *ohead) ++{ ++ struct remote_endpoint_info *info __maybe_unused; ++ struct geneve_dsr_opt4 gopt; ++ bool need_opt = true; ++ __u16 encap_len = sizeof(struct iphdr) + sizeof(struct udphdr) + ++ sizeof(struct genevehdr) + ETH_HLEN; ++ __u16 total_len = bpf_ntohs(ip4->tot_len); ++ __u32 src_sec_identity = WORLD_ID; ++ __u32 dst_sec_identity; ++ __be32 tunnel_endpoint; ++ ++ info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, 
V4_CACHE_KEY_LEN); ++ if (!info || info->tunnel_endpoint == 0) ++ return DROP_NO_TUNNEL_ENDPOINT; ++ ++ tunnel_endpoint = info->tunnel_endpoint; ++ dst_sec_identity = info->sec_label; ++ ++ if (ip4->protocol == IPPROTO_TCP) { ++ union tcp_flags tcp_flags = { .value = 0 }; ++ ++ if (l4_load_tcp_flags(ctx, l3_off + ipv4_hdrlen(ip4), &tcp_flags) < 0) ++ return DROP_CT_INVALID_HDR; ++ ++ /* The GENEVE option is required only for the first packet ++ * (SYN), in the case of TCP, as for further packets of the ++ * same connection a remote node will use a NAT entry to ++ * reverse xlate a reply. ++ */ ++ if (!(tcp_flags.value & (TCP_FLAG_SYN))) ++ need_opt = false; ++ } ++ ++ if (need_opt) { ++ encap_len += sizeof(struct geneve_dsr_opt4); ++ set_geneve_dsr_opt4(svc_port, svc_addr, &gopt); ++ } ++ ++ if (dsr_is_too_big(ctx, total_len + encap_len)) { ++ *ohead = encap_len; ++ return DROP_FRAG_NEEDED; ++ } ++ ++ if (need_opt) ++ return nodeport_add_tunnel_encap_opt(ctx, ++ tunnel_endpoint, ++ src_sec_identity, ++ dst_sec_identity, ++ &gopt, ++ sizeof(gopt), ++ (enum trace_reason)CT_NEW, ++ TRACE_PAYLOAD_LEN, ++ ifindex); ++ ++ return nodeport_add_tunnel_encap(ctx, ++ tunnel_endpoint, ++ src_sec_identity, ++ dst_sec_identity, ++ (enum trace_reason)CT_NEW, ++ TRACE_PAYLOAD_LEN, ++ ifindex); ++} ++#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP + + /* + * Original packet: [clientIP:clientPort -> serviceIP:servicePort] } IP/L4 +@@ -1536,7 +1803,9 @@ static __always_inline int dsr_set_ipip4(struct __ctx_buff *ctx, + return DROP_CSUM_L3; + return 0; + } +-#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE ++#endif /* DSR_ENCAP_MODE */ ++ ++#if DSR_ENCAP_MODE == DSR_ENCAP_NONE || DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI + static __always_inline int dsr_set_opt4(struct __ctx_buff *ctx, + struct iphdr *ip4, __be32 svc_addr, + __be16 svc_port, __be16 *ohead) +@@ -1595,7 +1864,7 @@ static __always_inline int dsr_set_opt4(struct __ctx_buff *ctx, + #endif /* DSR_ENCAP_MODE */ + + static __always_inline int 
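Review bot: `dsr_set_ipipcni4` re-implements the TCP SYN test with a raw `ctx_load_bytes(ctx, ETH_HLEN + ip4->ihl * 4 + 12, &tcp_flags, 2)` and hard-codes `const int l3_off = ETH_HLEN`, while `encap_geneve_dsr_opt4` directly below uses `l4_load_tcp_flags(ctx, l3_off + ipv4_hdrlen(ip4), &tcp_flags)` and receives `l3_off` from its caller; using the helper in both (`if (l4_load_tcp_flags(ctx, l3_off + ipv4_hdrlen(ip4), &tcp_flags) < 0) return DROP_CT_INVALID_HDR;`) keeps the two DSR modes from drifting apart. `encap_geneve_dsr_opt4` also has no header comment, unlike `dsr_set_ipipcni4`'s packet-layout sketch; a three-line comment showing outer IP/UDP/Geneve plus the optional `geneve_dsr_opt4` on SYN and first UDP packets, and noting that `src_sec_identity` is fixed to `WORLD_ID`, would make the function self-explaining. One more thing to confirm: on `DROP_FRAG_NEEDED` the Geneve path reports `*ohead = encap_len`, which includes `ETH_HLEN`, whereas `dsr_set_ipipcni4` reports only `sizeof(*ip4)`; if `dsr_reply_icmp4` derives the advertised MTU from `ohead`, the Geneve reply under-advertises by 14 bytes.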
+-nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, ++nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4 __maybe_unused, + struct ipv4_ct_tuple *tuple, int l4_off, __be32 *addr, + __be16 *port, bool *dsr) + { +@@ -1627,6 +1896,25 @@ nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, + } + } + ++#if defined(IS_BPF_OVERLAY) ++ { ++ struct geneve_dsr_opt4 gopt; ++ int ret = 0; ++ ++ ret = ctx_get_tunnel_opt(ctx, &gopt, sizeof(gopt)); ++ ++ if (ret > 0) { ++ if (gopt.hdr.opt_class == bpf_htons(DSR_GENEVE_OPT_CLASS) && ++ gopt.hdr.type == DSR_GENEVE_OPT_TYPE) { ++ *dsr = true; ++ *port = gopt.port; ++ *addr = gopt.addr; ++ return 0; ++ } ++ } ++ } ++#else ++ + /* Check whether IPv4 header contains a 64-bit option (IPv4 header + * w/o option (5 x 32-bit words) + the DSR option (2 x 32-bit words)). + */ +@@ -1644,6 +1932,7 @@ nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, + return 0; + } + } ++ #endif + + /* SYN for a new connection that's not / no longer DSR. + * If it's reopened, avoid sending subsequent traffic down the DSR path. +@@ -1654,6 +1943,29 @@ nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, + return 0; + } + ++#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI ++static __always_inline int decap_ipip_v4(struct __ctx_buff *ctx) ++{ ++ void *data, *data_end; ++ struct iphdr *ip4; ++ ++ if (!revalidate_data(ctx, &data, &data_end, &ip4)) ++ return DROP_INVALID; ++ ++ if (ip4->protocol == IPPROTO_IPIP) { ++ if (ip4->ihl != 0x5) ++ return DROP_INVALID; ++ /* This will remove outer iph. 
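Review bot: The overlay branch trusts the Geneve option as soon as `ret > 0`, without checking that a whole `struct geneve_dsr_opt4` was retrieved; if `ctx_get_tunnel_opt` can return fewer bytes than requested, an option whose header still matches the class/type test would leave `gopt.port`/`gopt.addr` uninitialised (`gopt` has no initialiser) and feed stack contents into the DSR reverse path. Compare the returned length with the struct before using it, `if (ret == (int)sizeof(gopt) && gopt.hdr.opt_class == bpf_htons(DSR_GENEVE_OPT_CLASS) && gopt.hdr.type == DSR_GENEVE_OPT_TYPE)`, or zero-initialise `gopt` so a short read cannot be mistaken for a valid option. Nothing visible ties the accepted option to a known tunnel peer either, so the trust boundary should at least be stated in a comment (the option is presumably only reachable from other cluster nodes — confirm). The `#endif` that closes this `#if defined(IS_BPF_OVERLAY)` block in the next hunk is indented (` #endif`) while `#if`/`#else` sit at column 0. nodeport_extract_dsr_v4's body continues outside the hunk.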
Fix me: Not working with XDP */ ++ if (ctx_adjust_hroom(ctx, -(ip4->ihl * 4), ++ BPF_ADJ_ROOM_MAC, ++ ctx_adjust_hroom_dsr_flags()) < 0) { ++ return DROP_INVALID; ++ } ++ } ++ return 0; ++} ++#endif /* DSR_ENCAP_MODE */ ++ + static __always_inline int xlate_dsr_v4(struct __ctx_buff *ctx, + const struct ipv4_ct_tuple *tuple, + int l4_off, bool has_l4_header) +@@ -1806,6 +2118,7 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) + __u16 port; + __be16 ohead = 0; + int ret, ext_err = 0; ++ __u32 oif __maybe_unused = 0; + + if (!revalidate_data(ctx, &data, &data_end, &ip4)) { + ret = DROP_INVALID; +@@ -1814,7 +2127,28 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) + + addr = ctx_load_meta(ctx, CB_ADDR_V4); + port = (__u16)ctx_load_meta(ctx, CB_PORT); +-#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP ++# if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI ++ ret = dsr_set_opt4(ctx, ip4, ++ ctx_load_meta(ctx, CB_ADDR_V4_2), ++ (__u16)ctx_load_meta(ctx, CB_SRC_PORT), &ohead); ++ if (unlikely(ret)) { ++ if (dsr_fail_needs_reply(ret)) ++ return dsr_reply_icmp4(ctx, ip4, addr, port, ret, ohead); ++ goto drop_err; ++ } ++ ++ if (!revalidate_data(ctx, &data, &data_end, &ip4)) { ++ ret = DROP_INVALID; ++ goto drop_err; ++ } ++ ++ ret = dsr_set_ipipcni4(ctx, ip4, ++ ctx_load_meta(ctx, CB_ADDR_V4), ++ ctx_load_meta(ctx, CB_HINT), ++ (__u16)ctx_load_meta(ctx, CB_SRC_PORT), ++ ctx_load_meta(ctx, CB_ADDR_V4_2), ++ &ohead); ++#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP + ret = dsr_set_ipip4(ctx, ip4, + addr, + ctx_load_meta(ctx, CB_HINT), &ohead); +@@ -1822,10 +2156,20 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) + ret = dsr_set_opt4(ctx, ip4, + addr, + port, &ohead); ++#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE ++ ret = encap_geneve_dsr_opt4(ctx, ctx_load_meta(ctx, CB_DSR_L3_OFF), ++ ip4, addr, port, &oif, &ohead); ++ if (!IS_ERR(ret)) { ++ if (ret == CTX_ACT_REDIRECT && oif) { ++ cilium_capture_out(ctx); ++ return ctx_redirect(ctx, oif, 0); ++ } ++ } ++ + #else + # error "Invalid load 
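Review bot: `decap_ipip_v4` removes the outer header from every IP-in-IP packet that reaches `nodeport_lb4` after checking only `ip4->protocol == IPPROTO_IPIP` and `ihl == 0x5`; the outer source address is never validated, so the inner packet continues through the load-balancer path as if it had arrived directly from whatever the inner header claims. Restricting the decap to packets whose outer source is a known peer (the Geneve path already does an `ipcache_lookup4` for its endpoint) or documenting that the IPIP_CNI dispatch mode must only be reachable from trusted networks would bound that exposure. The `Fix me: Not working with XDP` comment should say what fails and point at the caller's `__ctx_is != __ctx_xdp` guard, e.g. `/* ctx_adjust_hroom() with BPF_ADJ_ROOM_MAC is not available on XDP; callers skip this helper there. */`, so the limitation is not rediscovered.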
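Review bot: The new conditional is written `# if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI` while the rest of the chain (`#elif`, `#else`, `#endif`) is at column 0 with no space, so `#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI` would read consistently. Inside the branch the first `dsr_set_opt4` result is tested with `if (unlikely(ret))`, whereas the shared check after `#endif` in the following hunk is changed to `if (IS_ERR(ret))`; using `IS_ERR(ret)` here too keeps the error contract uniform now that a non-error positive value (`CTX_ACT_REDIRECT`) can come out of the Geneve branch. tail_nodeport_ipv4_dsr's body continues outside the hunk.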
balancer DSR encapsulation mode!" + #endif +- if (unlikely(ret)) { ++ if (IS_ERR(ret)) { + if (dsr_fail_needs_reply(ret)) + return dsr_reply_icmp4(ctx, ip4, addr, port, ret, ohead); + goto drop_err; +@@ -2033,11 +2377,14 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) + .max_port = NODEPORT_PORT_MAX_NAT, + .src_from_world = true, + }; ++ struct ipv4_ct_tuple tuple __maybe_unused = {}; + int verdict = CTX_ACT_REDIRECT; + void *data, *data_end; + struct iphdr *ip4; + bool l2_hdr_required = true; + int ret, ext_err = 0; ++ int l4_off __maybe_unused = 0; ++ __be16 src_port __maybe_unused = 0; + + #ifdef TUNNEL_MODE + struct remote_endpoint_info *info; +@@ -2068,7 +2415,13 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) + * bypass any netpol which disallows LB requests from + * outside. + */ +- ret = __encap_with_nodeid(ctx, info->tunnel_endpoint, ++ ++ ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple); ++ if (IS_ERR(ret)) ++ goto drop_err; ++ ++ ret = __encap_with_nodeid(ctx, ++ info->tunnel_endpoint, + WORLD_ID, + info->sec_label, + NOT_VTEP_DST, +@@ -2155,6 +2508,12 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx, + + cilium_capture_in(ctx); + ++#if __ctx_is != __ctx_xdp && DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI ++ ret = decap_ipip_v4(ctx); ++ if (ret != 0) ++ return ret; ++#endif /* DSR_ENCAP_MODE */ ++ + if (!revalidate_data(ctx, &data, &data_end, &ip4)) + return DROP_INVALID; + +@@ -2176,7 +2535,11 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx, + + svc = lb4_lookup_service(&key, false, false); + if (svc) { +- const bool skip_l3_xlate = DSR_ENCAP_MODE == DSR_ENCAP_IPIP; ++#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP ++ const bool skip_l3_xlate = true; ++#else ++ const bool skip_l3_xlate = false; ++#endif + + if (!lb4_src_range_ok(svc, ip4->saddr)) + return DROP_NOT_IN_SRC_RANGE; +@@ -2227,6 +2590,8 @@ skip_service_lookup: + + #ifdef ENABLE_DSR + if (nodeport_uses_dsr4(&tuple)) { ++#if 
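Review bot: `lb4_extract_tuple` is called in the tunnel branch of `tail_nodeport_nat_egress_ipv4`, but neither `tuple` nor `l4_off` (both declared `__maybe_unused` in the earlier hunk of this function) is read by anything in the hunk, so the only visible effect is that packets whose tuple cannot be extracted are now dropped before `__encap_with_nodeid`. If that rejection is the intent, a comment such as `/* Extracted only to reject packets with a malformed L4 header before encap. */` would stop it being removed as dead code; if the tuple was meant to feed the encapsulation or a Geneve option, that use is missing. The values may be consumed further down the function outside the hunk.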
(defined(IS_BPF_OVERLAY) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE) || \ ++ (!defined(IS_BPF_OVERLAY) && DSR_ENCAP_MODE != DSR_ENCAP_GENEVE) + bool dsr = false; + + /* Check if packet has embedded DSR info, or belongs to +@@ -2244,6 +2609,7 @@ skip_service_lookup: + if (IS_ERR(ret)) + return ret; + ++#endif + #ifndef ENABLE_MASQUERADE + /* The packet is DSR-eligible, so we know for sure that it is + * not reply traffic by a remote backend which would require +@@ -2327,15 +2693,23 @@ redo: + } + + /* TX request to remote backend: */ +- edt_set_aggregate(ctx, 0); + if (nodeport_uses_dsr4(&tuple)) { +-#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP ++#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI + ctx_store_meta(ctx, CB_HINT, + ((__u32)tuple.sport << 16) | tuple.dport); + ctx_store_meta(ctx, CB_ADDR_V4, tuple.daddr); +-#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE ++ ctx_store_meta(ctx, CB_ADDR_V4_2, key.address); ++ ctx_store_meta(ctx, CB_SRC_PORT, key.dport); ++#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE + ctx_store_meta(ctx, CB_PORT, key.dport); + ctx_store_meta(ctx, CB_ADDR_V4, key.address); ++ ctx_store_meta(ctx, CB_DSR_SRC_LABEL, src_identity); ++ ctx_store_meta(ctx, CB_DSR_L3_OFF, l3_off); ++#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP ++ ctx_store_meta(ctx, CB_HINT, ++ ((__u32)tuple.sport << 16) | tuple.dport); ++ ctx_store_meta(ctx, CB_ADDR_V4, tuple.daddr); ++#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE + #endif /* DSR_ENCAP_MODE */ + ep_tail_call(ctx, CILIUM_CALL_IPV4_NODEPORT_DSR); + } else { +@@ -2427,6 +2801,7 @@ static __always_inline int rev_nodeport_lb4(struct __ctx_buff *ctx, __u32 *ifind + bool l2_hdr_required = true; + __u32 tunnel_endpoint __maybe_unused = 0; + __u32 dst_id __maybe_unused = 0; ++ __be16 src_port __maybe_unused = 0; + bool has_l4_header; + + if (!revalidate_data(ctx, &data, &data_end, &ip4)) +@@ -2557,6 +2932,7 @@ out: + + #if (defined(ENABLE_EGRESS_GATEWAY) || defined(TUNNEL_MODE)) + encap_redirect: ++ + return __encap_with_nodeid(ctx, tunnel_endpoint, SECLABEL, dst_id, + 
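Review bot: The `redo:` hunk drops `edt_set_aggregate(ctx, 0);` before the DSR/SNAT tail calls without any replacement, and nothing in the patch explains why the EDT aggregate no longer needs to be reset on the TX-to-remote-backend path; if the reset moved elsewhere, a one-line comment pointing there would help, otherwise this looks like an unrelated behaviour change riding along with the encap work. The Geneve branch also stores `src_identity` and `l3_off` into `CB_DSR_SRC_LABEL`/`CB_DSR_L3_OFF`, but neither variable is visible in the hunk — presumably they exist earlier in `nodeport_lb4`; confirm they are valid at this point. The function body continues outside the hunk.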
NOT_VTEP_DST, reason, monitor, ifindex); + #endif +diff --git a/bpf/lib/overloadable_skb.h b/bpf/lib/overloadable_skb.h +index 07162ffd02..95afd87c06 100644 +--- a/bpf/lib/overloadable_skb.h ++++ b/bpf/lib/overloadable_skb.h +@@ -165,9 +165,9 @@ static __always_inline bool ctx_snat_done(struct __sk_buff *ctx) + + #ifdef HAVE_ENCAP + static __always_inline __maybe_unused int +-ctx_set_encap_info(struct __sk_buff *ctx, __u32 node_id, __u32 seclabel, +- __u32 dstid __maybe_unused, __u32 vni __maybe_unused, +- __u32 *ifindex) ++ctx_set_encap_info(struct __sk_buff *ctx, __u32 node_id, ++ __u32 seclabel, __u32 dstid __maybe_unused, __u32 vni __maybe_unused, ++ void *opt, __u32 opt_len, __u32 *ifindex) + { + struct bpf_tunnel_key key = {}; + int ret; +@@ -186,6 +186,12 @@ ctx_set_encap_info(struct __sk_buff *ctx, __u32 node_id, __u32 seclabel, + if (unlikely(ret < 0)) + return DROP_WRITE_ERROR; + ++ if (opt && opt_len > 0) { ++ ret = ctx_set_tunnel_opt(ctx, opt, opt_len); ++ if (unlikely(ret < 0)) ++ return DROP_WRITE_ERROR; ++ } ++ + *ifindex = ENCAP_IFINDEX; + + return CTX_ACT_REDIRECT; +diff --git a/bpf/lib/overloadable_xdp.h b/bpf/lib/overloadable_xdp.h +index 4049371ce8..91f0576a0a 100644 +--- a/bpf/lib/overloadable_xdp.h ++++ b/bpf/lib/overloadable_xdp.h +@@ -146,7 +146,10 @@ ctx_set_encap_info(struct xdp_md *ctx __maybe_unused, + __u32 node_id __maybe_unused, + __u32 seclabel __maybe_unused, + __u32 dstid __maybe_unused, +- __u32 vni __maybe_unused, __u32 *ifindex __maybe_unused) ++ __u32 vni __maybe_unused, ++ void *opt __maybe_unused, ++ __u32 opt_len __maybe_unused, ++ __u32 *ifindex __maybe_unused) + { + ctx_store_meta(ctx, CB_ENCAP_NODEID, bpf_ntohl(node_id)); + ctx_store_meta(ctx, CB_ENCAP_SECLABEL, seclabel); +diff --git a/bpf/lib/stubs.h b/bpf/lib/stubs.h +index 205bc0461c..9ffaa9d370 100644 +--- a/bpf/lib/stubs.h ++++ b/bpf/lib/stubs.h +@@ -12,6 +12,8 @@ + # ifndef DSR_ENCAP_MODE + # define DSR_ENCAP_MODE 0 + # define DSR_ENCAP_IPIP 2 ++# define 
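Review bot: The XDP variant of `ctx_set_encap_info` in `bpf/lib/overloadable_xdp.h` takes the new `opt`/`opt_len` parameters but marks them `__maybe_unused` and never stores them, whereas the skb variant (`bpf/lib/overloadable_skb.h`, same line) writes them with `ctx_set_tunnel_opt`. If the Geneve DSR option cannot be attached from XDP, that should be stated in a comment and the `DSR_ENCAP_GENEVE` + XDP acceleration combination rejected (in the Go option validation or with a `#error` under `__ctx_is == __ctx_xdp`), so SYNs are not silently forwarded without the option the backend relies on; if the option is instead carried through the `CB_ENCAP_*` metadata and applied later, say so where the parameters are discarded. The XDP function's body continues outside the hunk, so this is inferred from the visible lines.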
DSR_ENCAP_IPIP_CNI 3 ++# define DSR_ENCAP_GENEVE 4 + # endif + # if defined(ENABLE_IPV4) && defined(ENABLE_MASQUERADE) && !defined(IPV4_MASQUERADE) + # define IPV4_MASQUERADE 0 +diff --git a/bpf/tests/tc_nodeport_lb4_dsr_backend.c b/bpf/tests/tc_nodeport_lb4_dsr_backend.c +index 32df51762f..207d521f3f 100644 +--- a/bpf/tests/tc_nodeport_lb4_dsr_backend.c ++++ b/bpf/tests/tc_nodeport_lb4_dsr_backend.c +@@ -13,6 +13,7 @@ + #define ENABLE_IPV4 + #define ENABLE_NODEPORT + #define ENABLE_DSR 1 ++#define DSR_ENCAP_GENEVE 4 + #define ENABLE_HOST_ROUTING + + #define DISABLE_LOOPBACK_LB +diff --git a/bpf/tests/tc_nodeport_lb4_dsr_lb.c b/bpf/tests/tc_nodeport_lb4_dsr_lb.c +index 9810fabcd2..559a4ec106 100644 +--- a/bpf/tests/tc_nodeport_lb4_dsr_lb.c ++++ b/bpf/tests/tc_nodeport_lb4_dsr_lb.c +@@ -13,6 +13,7 @@ + #define ENABLE_IPV4 + #define ENABLE_NODEPORT + #define ENABLE_DSR ++#define DSR_ENCAP_GENEVE 4 + + #define DISABLE_LOOPBACK_LB + +diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go +index 9572a830bc..98f3042763 100644 +--- a/daemon/cmd/daemon_main.go ++++ b/daemon/cmd/daemon_main.go +@@ -568,7 +568,7 @@ func initializeFlags() { + flags.String(option.LoadBalancerAlg, option.NodePortAlgRandom, "BPF load balancing algorithm (\"random\", \"maglev\")") + option.BindEnv(Vp, option.LoadBalancerAlg) + +- flags.String(option.LoadBalancerDSRDispatch, option.DSRDispatchOption, "BPF load balancing DSR dispatch method (\"opt\", \"ipip\")") ++ flags.String(option.LoadBalancerDSRDispatch, option.DSRDispatchOption, "BPF load balancing DSR dispatch method (\"opt\", \"ipip\", \"ipipcni\", \"geneve\")") + option.BindEnv(Vp, option.LoadBalancerDSRDispatch) + + flags.String(option.LoadBalancerDSRL4Xlate, option.DSRL4XlateFrontend, "BPF load balancing DSR L4 DNAT method for IPIP (\"frontend\", \"backend\")") +diff --git a/daemon/cmd/kube_proxy_replacement.go b/daemon/cmd/kube_proxy_replacement.go +index b755d1aabe..731b4348aa 100644 +--- 
a/daemon/cmd/kube_proxy_replacement.go ++++ b/daemon/cmd/kube_proxy_replacement.go +@@ -96,7 +96,9 @@ func initKubeProxyReplacementOptions() error { + + if option.Config.NodePortMode == option.NodePortModeDSR && + option.Config.LoadBalancerDSRDispatch != option.DSRDispatchOption && +- option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIP || ++ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIP && ++ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIPCNI && ++ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchGeneve || + option.Config.NodePortMode == option.NodePortModeHybrid && + option.Config.LoadBalancerDSRDispatch != option.DSRDispatchOption { + return fmt.Errorf("Invalid value for --%s: %s", option.LoadBalancerDSRDispatch, option.Config.LoadBalancerDSRDispatch) +@@ -190,9 +192,16 @@ func initKubeProxyReplacementOptions() error { + } + + if option.Config.EnableNodePort { +- if option.Config.TunnelingEnabled() && ++ if option.Config.Tunnel == option.TunnelVXLAN && + option.Config.NodePortMode != option.NodePortModeSNAT { +- return fmt.Errorf("Node Port %q mode cannot be used with tunneling.", option.Config.NodePortMode) ++ return fmt.Errorf("Node Port %q mode cannot be used with %s tunneling.", option.Config.NodePortMode, option.Config.Tunnel) ++ } ++ ++ if option.Config.Tunnel == option.TunnelGeneve && ++ option.Config.NodePortMode != option.NodePortModeSNAT && ++ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchGeneve { ++ return fmt.Errorf("Node Port %q mode with %s dispatch cannot be used with %s tunneling.", ++ option.Config.NodePortMode, option.Config.LoadBalancerDSRDispatch, option.Config.Tunnel) + } + + if option.Config.NodePortMode == option.NodePortModeDSR && +diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml +index 7ba092d5ea..81c6bbd0b1 100644 +--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml ++++ 
b/install/kubernetes/cilium/templates/cilium-configmap.yaml +@@ -649,6 +649,9 @@ data: + {{- if hasKey .Values.loadBalancer "acceleration" }} + bpf-lb-acceleration: {{ .Values.loadBalancer.acceleration | quote }} + {{- end }} ++{{- if hasKey .Values.loadBalancer "dsrL4Translate" }} ++ bpf-lb-dsr-l4-xlate: {{ .Values.loadBalancer.dsrL4Translate | quote }} ++{{- end }} + {{- if hasKey .Values.loadBalancer "dsrDispatch" }} + bpf-lb-dsr-dispatch: {{ .Values.loadBalancer.dsrDispatch | quote }} + {{- end }} +diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml +index 8528d3a660..5cfa20316f 100644 +--- a/install/kubernetes/cilium/values.yaml ++++ b/install/kubernetes/cilium/values.yaml +@@ -1583,6 +1583,10 @@ loadBalancer: + # used to pass a service IP and port to remote backend + # dsrDispatch: opt + ++ # -- dsrL4Translate configures whether use frontend or backend to ++ # translate service port ++ # dsrL4Translate: frontend ++ + # -- serviceTopology enables K8s Topology Aware Hints -based service + # endpoints filtering + # serviceTopology: false +diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go +index 811daec7c2..fa8f173c0c 100644 +--- a/pkg/datapath/linux/config/config.go ++++ b/pkg/datapath/linux/config/config.go +@@ -343,6 +343,8 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC + dsrEncapInv = iota + dsrEncapNone + dsrEncapIPIP ++ dsrEncapIPIPCNI ++ dsrEncapGeneve + ) + const ( + dsrL4XlateInv = iota +@@ -351,6 +353,8 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC + ) + cDefinesMap["DSR_ENCAP_IPIP"] = fmt.Sprintf("%d", dsrEncapIPIP) + cDefinesMap["DSR_ENCAP_NONE"] = fmt.Sprintf("%d", dsrEncapNone) ++ cDefinesMap["DSR_ENCAP_IPIP_CNI"] = fmt.Sprintf("%d", dsrEncapIPIPCNI) ++ cDefinesMap["DSR_ENCAP_GENEVE"] = fmt.Sprintf("%d", dsrEncapGeneve) + cDefinesMap["DSR_XLATE_FRONTEND"] = fmt.Sprintf("%d", dsrL4XlateFrontend) + 
cDefinesMap["DSR_XLATE_BACKEND"] = fmt.Sprintf("%d", dsrL4XlateBackend) + if option.Config.NodePortMode == option.NodePortModeDSR || +@@ -366,8 +370,12 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC + cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapNone) + } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP { + cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapIPIP) ++ } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIPCNI { ++ cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapIPIPCNI) ++ } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchGeneve { ++ cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapGeneve) + } +- if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP { ++ if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP || option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIPCNI { + if option.Config.LoadBalancerDSRL4Xlate == option.DSRL4XlateFrontend { + cDefinesMap["DSR_XLATE_MODE"] = fmt.Sprintf("%d", dsrL4XlateFrontend) + } else if option.Config.LoadBalancerDSRL4Xlate == option.DSRL4XlateBackend { +diff --git a/pkg/datapath/loader/base.go b/pkg/datapath/loader/base.go +index 54842856a1..be992a028b 100644 +--- a/pkg/datapath/loader/base.go ++++ b/pkg/datapath/loader/base.go +@@ -339,6 +339,13 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner, + args[initArgTunnelMode] = option.TunnelVXLAN + } + ++ if option.Config.Tunnel == option.TunnelDisabled && ++ option.Config.EnableNodePort && ++ option.Config.NodePortMode == option.NodePortModeDSR && ++ option.Config.LoadBalancerDSRDispatch == option.DSRDispatchGeneve { ++ args[initArgTunnelMode] = option.TunnelGeneve ++ } ++ + args[initArgTunnelPort] = "" + switch args[initArgTunnelMode] { + case option.TunnelVXLAN, option.TunnelGeneve: +diff --git a/pkg/k8s/watchers/watcher.go b/pkg/k8s/watchers/watcher.go +index 
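Review bot: The predicate that selects `option.TunnelGeneve` in `Reinitialize` checks `option.Config.EnableNodePort`, while the matching tunnel-port selection in `DaemonConfig.Populate` (`pkg/option/config.go` hunk) also accepts `KubeProxyReplacement == KubeProxyReplacementStrict`; if strict mode does not always set `EnableNodePort` before `Reinitialize` runs, the agent could open the Geneve port yet load the datapath with tunnel mode left unset. Factoring the condition into one helper on `DaemonConfig` (constructed name: e.g. `needsGeneveForDSR()`) and calling it from both places removes the chance of the two drifting. The surrounding function continues outside the hunk.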
7475dee96d..0217c2bf76 100644 +--- a/pkg/k8s/watchers/watcher.go ++++ b/pkg/k8s/watchers/watcher.go +@@ -107,9 +107,9 @@ func init() { + registerOps := k8s_metrics.RegisterOpts{ + ClientCertExpiry: nil, + ClientCertRotationAge: nil, +- RequestLatency: &k8sMetrics{}, +- RateLimiterLatency: nil, +- RequestResult: &k8sMetrics{}, ++ RequestLatency: &requestLatencyAdapter{}, ++ RateLimiterLatency: &rateLimiterLatencyAdapter{}, ++ RequestResult: &resultAdapter{}, + } + k8s_metrics.Register(registerOps) + k8s_metrics.RequestLatency = registerOps.RequestLatency +@@ -334,15 +334,23 @@ func NewK8sWatcher( + } + } + +-// k8sMetrics implements the LatencyMetric and ResultMetric interface from +-// k8s client-go package +-type k8sMetrics struct{} ++// requestLatencyAdapter implements the LatencyMetric interface from k8s client-go package ++type requestLatencyAdapter struct{} + +-func (*k8sMetrics) Observe(_ context.Context, verb string, u url.URL, latency time.Duration) { ++func (*requestLatencyAdapter) Observe(_ context.Context, verb string, u url.URL, latency time.Duration) { + metrics.KubernetesAPIInteractions.WithLabelValues(u.Path, verb).Observe(latency.Seconds()) + } + +-func (*k8sMetrics) Increment(_ context.Context, code string, method string, host string) { ++// rateLimiterLatencyAdapter implements the LatencyMetric interface from k8s client-go package ++type rateLimiterLatencyAdapter struct{} ++ ++func (c *rateLimiterLatencyAdapter) Observe(_ context.Context, verb string, u url.URL, latency time.Duration) { ++ metrics.KubernetesAPIRateLimiterLatency.WithLabelValues(u.Path, verb).Observe(latency.Seconds()) ++} ++ ++type resultAdapter struct{} ++ ++func (*resultAdapter) Increment(_ context.Context, code string, method string, host string) { + metrics.KubernetesAPICallsTotal.WithLabelValues(host, method, code).Inc() + // The 'code' is set to '' in case an error is returned from k8s + // more info: +diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go +index 
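Review bot: `rateLimiterLatencyAdapter.Observe` names its receiver `c` but never uses it, while the two sibling methods use a blank `(*T)` receiver; `func (*rateLimiterLatencyAdapter) Observe(...)` keeps the three adapters uniform. `resultAdapter` is also the only one of the three new types without a doc comment, so add `// resultAdapter implements the ResultMetric interface from k8s client-go package` above it to match the other two.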
0d02000f3a..afb5cd3495 100644 +--- a/pkg/metrics/metrics.go ++++ b/pkg/metrics/metrics.go +@@ -412,6 +412,9 @@ var ( + // to the kube-apiserver + KubernetesAPIInteractions = NoOpObserverVec + ++ // KubernetesAPIRateLimiterLatency is the client side rate limiter latency metric ++ KubernetesAPIRateLimiterLatency = NoOpObserverVec ++ + // KubernetesAPICallsTotal is the counter for all API calls made to + // kube-apiserver. + KubernetesAPICallsTotal = NoOpCounterVec +@@ -1105,6 +1108,15 @@ func CreateConfiguration(metricsEnabled []string) (Configuration, []prometheus.C + collectors = append(collectors, KubernetesAPIInteractions) + c.KubernetesAPIInteractionsEnabled = true + ++ case Namespace + "_" + SubsystemK8sClient + "_rate_limiter_duration_seconds": ++ KubernetesAPIRateLimiterLatency = prometheus.NewHistogramVec(prometheus.HistogramOpts{ ++ Namespace: Namespace, ++ Subsystem: SubsystemK8sClient, ++ Name: "rate_limiter_duration_seconds", ++ Help: "Kubernetes client rate limiter latency in seconds. 
Broken down by path and method.", ++ Buckets: []float64{0.005, 0.025, 0.1, 0.25, 0.5, 1.0, 2.0, 4.0, 8.0, 15.0, 30.0, 60.0}, ++ }, []string{LabelPath, LabelMethod}) ++ + case Namespace + "_" + SubsystemK8sClient + "_api_calls_total": + KubernetesAPICallsTotal = prometheus.NewCounterVec(prometheus.CounterOpts{ + Namespace: Namespace, +diff --git a/pkg/monitor/api/drop.go b/pkg/monitor/api/drop.go +index 7e02b7fee3..b10b6f85c0 100644 +--- a/pkg/monitor/api/drop.go ++++ b/pkg/monitor/api/drop.go +@@ -85,6 +85,7 @@ var errors = map[uint8]string{ + 187: "L3 translation from IPv4 to IPv6 failed (NAT46)", + 188: "L3 translation from IPv6 to IPv4 failed (NAT64)", + 189: "Authentication required", ++ 193: "Unsupported packet protocol for DSR encapsulation", + 194: "No egress gateway found", + 196: "TTL exceeded", + 197: "No node ID found", +diff --git a/pkg/option/config.go b/pkg/option/config.go +index a50b4764bb..05c9063db1 100644 +--- a/pkg/option/config.go ++++ b/pkg/option/config.go +@@ -1245,6 +1245,12 @@ const ( + // DSR dispatch mode to encapsulate to IPIP + DSRDispatchIPIP = "ipip" + ++ // DSR dispatch mod to encapsulate to IPIP ++ DSRDispatchIPIPCNI = "ipipcni" ++ ++ // DSR dispatch mod to encapsulate to GENEVE ++ DSRDispatchGeneve = "geneve" ++ + // DSR L4 translation to frontend port + DSRL4XlateFrontend = "frontend" + +@@ -1915,7 +1921,7 @@ type DaemonConfig struct { + NodePortAlg string + + // LoadBalancerDSRDispatch indicates the method for pushing packets to +- // backends under DSR ("opt" or "ipip") ++ // backends under DSR ("opt", "ipip", or "ipipcni") + LoadBalancerDSRDispatch string + + // LoadBalancerDSRL4Xlate indicates the method for L4 DNAT translation +@@ -3072,8 +3078,14 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { + if c.TunnelPort == 0 { + switch c.Tunnel { + case TunnelDisabled: +- // tunnel might still be used by eg. EgressGW +- c.TunnelPort = defaults.TunnelPortVXLAN ++ // tunnel might still be used by eg. 
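Review bot: The comment on `DSRDispatchIPIPCNI` reads "DSR dispatch mod to encapsulate to IPIP", which is a copy of the `DSRDispatchIPIP` comment with a typo and does not say how the CNI variant differs; `DSRDispatchGeneve` has the same "mod" typo. Suggested wording: `// DSR dispatch mode to encapsulate to IPIP, with the outer header removed by the CNI on the backend node` (adjust to the actual behaviour) and `// DSR dispatch mode to encapsulate to Geneve`. In the `DaemonConfig` hunk the `LoadBalancerDSRDispatch` field comment is updated to `("opt", "ipip", or "ipipcni")` but omits "geneve", which the flag help in `daemon/cmd/daemon_main.go` does list; `// backends under DSR ("opt", "ipip", "ipipcni" or "geneve")` keeps them in sync.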
DSR with Geneve dispatch or EgressGW ++ if (c.EnableNodePort || c.KubeProxyReplacement == KubeProxyReplacementStrict) && ++ c.NodePortMode == NodePortModeDSR && ++ c.LoadBalancerDSRDispatch == DSRDispatchGeneve { ++ c.TunnelPort = defaults.TunnelPortGeneve ++ } else { ++ c.TunnelPort = defaults.TunnelPortVXLAN ++ } + case TunnelVXLAN: + c.TunnelPort = defaults.TunnelPortVXLAN + case TunnelGeneve: diff --git a/hubble-relay/BRANCH b/hubble-relay/BRANCH index 809bdcb85..d3456a90f 100644 --- a/hubble-relay/BRANCH +++ b/hubble-relay/BRANCH @@ -1 +1 @@ -1.12 +1.13 diff --git a/hubble-relay/Dockerfile b/hubble-relay/Dockerfile index 13394462f..934ee5319 100644 --- a/hubble-relay/Dockerfile +++ b/hubble-relay/Dockerfile @@ -1,6 +1,6 @@ ARG BASE_IMAGE=scratch -ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.18-focal -ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:20.04 +ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.20-jammy +ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:22.04 # Stage1: build FROM ${GOLANG_IMAGE} as build diff --git a/hubble-relay/TAG b/hubble-relay/TAG index a94055c67..adb1349e5 100644 --- a/hubble-relay/TAG +++ b/hubble-relay/TAG @@ -1 +1 @@ -1.12.11.1 +1.13.6.1 From 9f22f799526ae32a6a02c0f7574592515ad091a0 Mon Sep 17 00:00:00 2001 From: chez-shanpu Date: Wed, 20 Sep 2023 17:51:42 +0900 Subject: [PATCH 2/6] Update hubble components Signed-off-by: chez-shanpu --- hubble-ui/BRANCH | 2 +- hubble-ui/Dockerfile | 14 +++++++------- hubble-ui/TAG | 2 +- hubble/BRANCH | 2 +- hubble/Dockerfile | 2 +- hubble/TAG | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/hubble-ui/BRANCH b/hubble-ui/BRANCH index 68c123cf1..c43e1055f 100644 --- a/hubble-ui/BRANCH +++ b/hubble-ui/BRANCH @@ -1 +1 @@ -0.10 +0.12 diff --git a/hubble-ui/Dockerfile b/hubble-ui/Dockerfile index 810276091..d90629943 100644 --- a/hubble-ui/Dockerfile +++ b/hubble-ui/Dockerfile 
@@ -1,10 +1,10 @@ -ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.19-focal -ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:20.04 +ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.20-jammy +ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:22.04 ARG BACKEND_IMAGE=scratch -ARG NGINX_VERSION=1.23.2 -ARG NJS_VERSION=0.7.7 -ARG PKG_RELEASE=1~focal -ARG NGINX_UNPRIVILEGED_COMMIT_HASH=85f846c6c5d121b2b750d71c31429d9686523da0 +ARG NGINX_VERSION=1.25.2 +ARG NJS_VERSION=0.8.0 +ARG PKG_RELEASE=1~jammy +ARG NGINX_UNPRIVILEGED_COMMIT_HASH=0ee942535b802636dd45b2d48b4e4f6d1a3eea89 # Stage 1: build FROM ${GOLANG_IMAGE} AS builder-base @@ -75,7 +75,7 @@ RUN set -x \ nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} \ nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} \ " \ - && echo "deb https://nginx.org/packages/mainline/ubuntu/ focal nginx" >> /etc/apt/sources.list.d/nginx.list \ + && echo "deb https://nginx.org/packages/mainline/ubuntu/ jammy nginx" >> /etc/apt/sources.list.d/nginx.list \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y \ $nginxPackages \ diff --git a/hubble-ui/TAG b/hubble-ui/TAG index 320497a73..9304eaf42 100644 --- a/hubble-ui/TAG +++ b/hubble-ui/TAG @@ -1 +1 @@ -0.10.0.1 +0.12.0.1 diff --git a/hubble/BRANCH b/hubble/BRANCH index 51176c7c8..f2bb2d0a2 100644 --- a/hubble/BRANCH +++ b/hubble/BRANCH @@ -1 +1 @@ -0.11 +0.12 \ No newline at end of file diff --git a/hubble/Dockerfile b/hubble/Dockerfile index 0e4b3098d..71d59cbf1 100644 --- a/hubble/Dockerfile +++ b/hubble/Dockerfile @@ -1,7 +1,7 @@ # hubble container # Stage1: build from source -FROM quay.io/cybozu/golang:1.19-focal AS build +FROM quay.io/cybozu/golang:1.20-jammy AS build COPY TAG / diff --git a/hubble/TAG b/hubble/TAG index f6b6ce022..9304eaf42 100644 --- a/hubble/TAG +++ b/hubble/TAG @@ -1 +1 @@ -0.11.3.1 +0.12.0.1 From 3c78767b8c83d667fd0ef99e012ac68ce5502a72 Mon Sep 17 00:00:00 2001 
From: chez-shanpu Date: Fri, 22 Sep 2023 13:54:17 +0900 Subject: [PATCH 3/6] Fix hubble and hubble-ui versions to v0.11.x Signed-off-by: chez-shanpu --- hubble-ui/BRANCH | 2 +- hubble-ui/Dockerfile | 12 +++++------- hubble-ui/TAG | 2 +- hubble/BRANCH | 2 +- hubble/TAG | 2 +- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/hubble-ui/BRANCH b/hubble-ui/BRANCH index c43e1055f..51176c7c8 100644 --- a/hubble-ui/BRANCH +++ b/hubble-ui/BRANCH @@ -1 +1 @@ -0.12 +0.11 diff --git a/hubble-ui/Dockerfile b/hubble-ui/Dockerfile index d90629943..013987f50 100644 --- a/hubble-ui/Dockerfile +++ b/hubble-ui/Dockerfile @@ -1,10 +1,10 @@ ARG GOLANG_IMAGE=quay.io/cybozu/golang:1.20-jammy ARG UBUNTU_IMAGE=quay.io/cybozu/ubuntu:22.04 ARG BACKEND_IMAGE=scratch -ARG NGINX_VERSION=1.25.2 -ARG NJS_VERSION=0.8.0 +ARG NGINX_VERSION=1.23.4 +ARG NJS_VERSION=0.7.11 ARG PKG_RELEASE=1~jammy -ARG NGINX_UNPRIVILEGED_COMMIT_HASH=0ee942535b802636dd45b2d48b4e4f6d1a3eea89 +ARG NGINX_UNPRIVILEGED_COMMIT_HASH=582fa68a7609f2d3dad7fb2121af0244b3ce976c # Stage 1: build FROM ${GOLANG_IMAGE} AS builder-base @@ -18,16 +18,14 @@ RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \ # Stage 1: build hubble-ui FROM builder-base as build-hubble-ui -ARG NODE_VERSION=16 +ARG NODE_VERSION=18 WORKDIR /app RUN curl -sSLf https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - \ && apt-get install -y --no-install-recommends nodejs \ && rm -rf /var/lib/apt/lists/* \ - && npm set unsafe-perm true \ - && npm install \ - && npm set unsafe-perm false + && npm install ARG NODE_ENV=production RUN npm run build diff --git a/hubble-ui/TAG b/hubble-ui/TAG index 9304eaf42..193f2f4e9 100644 --- a/hubble-ui/TAG +++ b/hubble-ui/TAG @@ -1 +1 @@ -0.12.0.1 +0.11.0.1 diff --git a/hubble/BRANCH b/hubble/BRANCH index f2bb2d0a2..0eb41820e 100644 --- a/hubble/BRANCH +++ b/hubble/BRANCH @@ -1 +1 @@ -0.12 \ No newline at end of file +0.11 \ No newline at end of file diff --git a/hubble/TAG b/hubble/TAG index 9304eaf42..2bd34c095 100644 
--- a/hubble/TAG +++ b/hubble/TAG @@ -1 +1 @@ -0.12.0.1 +0.11.6.1 From 9c247fb0c33f76c8bdb4fbb9c022c40a435758d6 Mon Sep 17 00:00:00 2001 From: chez-shanpu Date: Fri, 22 Sep 2023 14:03:35 +0900 Subject: [PATCH 4/6] Update cilium components to v1.13.7 Signed-off-by: chez-shanpu --- cilium-operator-generic/TAG | 2 +- cilium/TAG | 2 +- hubble-relay/TAG | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cilium-operator-generic/TAG b/cilium-operator-generic/TAG index adb1349e5..2a2530f62 100644 --- a/cilium-operator-generic/TAG +++ b/cilium-operator-generic/TAG @@ -1 +1 @@ -1.13.6.1 +1.13.7.1 diff --git a/cilium/TAG b/cilium/TAG index adb1349e5..2a2530f62 100644 --- a/cilium/TAG +++ b/cilium/TAG @@ -1 +1 @@ -1.13.6.1 +1.13.7.1 diff --git a/hubble-relay/TAG b/hubble-relay/TAG index adb1349e5..2a2530f62 100644 --- a/hubble-relay/TAG +++ b/hubble-relay/TAG @@ -1 +1 @@ -1.13.6.1 +1.13.7.1 From 234aa91a259ae27a7456768a190d21ce64a38146 Mon Sep 17 00:00:00 2001 From: chez-shanpu Date: Fri, 22 Sep 2023 14:04:44 +0900 Subject: [PATCH 5/6] Use cybozu-go/cilium Signed-off-by: chez-shanpu --- cilium-operator-generic/Dockerfile | 14 +- cilium/Dockerfile | 12 +- cilium/cilium.patch | 1442 ---------------------------- hubble-relay/Dockerfile | 15 +- 4 files changed, 23 insertions(+), 1460 deletions(-) delete mode 100644 cilium/cilium.patch diff --git a/cilium-operator-generic/Dockerfile b/cilium-operator-generic/Dockerfile index 873994cf3..459204051 100644 --- a/cilium-operator-generic/Dockerfile +++ b/cilium-operator-generic/Dockerfile 
@@ -9,10 +9,12 @@ COPY TAG / COPY fix-metallb-bug.patch /tmp/ # LICENSE.all -WORKDIR /go/src/github.com/cilium/cilium +WORKDIR /go/src/github.com/cybozu-go/ RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \ - && curl -fsSL "https://github.com/cilium/cilium/archive/v${VERSION}.tar.gz" | \ - tar xzf - --strip-components 1 \ + # Since we use the fork and patched repogitory, we need to specify the branch name + && BRANCH=v${VERSION}-lb-dsr-patch \ + && git clone --depth 1 --branch ${BRANCH} https://github.com/cybozu-go/cilium \ + && cd cilium \ && patch -p1 --no-backup-if-mismatch < /tmp/fix-metallb-bug.patch \ && make licenses-all \ && apt-get update \ @@ -21,7 +23,7 @@ RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \ && mkdir -p /etc/gops # operator-generic -WORKDIR /go/src/github.com/cilium/cilium/operator +WORKDIR /go/src/github.com/cybozu-go/cilium/operator RUN make cilium-operator-generic # Stage2: runtime @@ -29,8 +31,8 @@ FROM ${BASE_IMAGE} COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=build /out/linux/amd64/bin/gops /bin/gops COPY --from=build --chown=10000:10000 /etc/gops /etc/gops -COPY --from=build /go/src/github.com/cilium/cilium/LICENSE.all /LICENSE -COPY --from=build /go/src/github.com/cilium/cilium/operator/cilium-operator-generic /usr/bin/cilium-operator-generic +COPY --from=build /go/src/github.com/cybozu-go/cilium/LICENSE.all /LICENSE +COPY --from=build /go/src/github.com/cybozu-go/cilium/operator/cilium-operator-generic /usr/bin/cilium-operator-generic USER 10000:10000 diff --git a/cilium/Dockerfile b/cilium/Dockerfile index 30f7b2094..588be525b 100644 --- a/cilium/Dockerfile +++ b/cilium/Dockerfile 
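Review bot: The build now clones `https://github.com/cybozu-go/cilium` by branch name (`v${VERSION}-lb-dsr-patch`) with `--depth 1`, and a branch is a mutable reference: nothing in the Dockerfile pins or verifies which commit is built, so rebuilding the same TAG can silently produce a different binary (the tarball it replaces was at least addressed by a version tag). Record the expected commit, e.g. `ARG CILIUM_COMMIT=<expected-commit-sha>` alongside TAG, and fail the build when it differs, `&& [ "$(git rev-parse HEAD)" = "${CILIUM_COMMIT}" ] \`, or clone the tag and compare its commit the same way, so the image is reproducible and the source can be audited. The same pattern is introduced in `cilium/Dockerfile` in the next file section and should get the same pin. The inline comment also misspells "repository" as "repogitory".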
@@ -7,14 +7,14 @@ FROM ${GOLANG_IMAGE} as build-base ARG DESTDIR ENV DESTDIR=${DESTDIR} COPY TAG / -COPY cilium.patch /tmp/ -WORKDIR /go/src/github.com/cilium/cilium +WORKDIR /go/src/github.com/cybozu-go/ RUN mkdir -p ${DESTDIR} \ && VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \ - && curl -fsSL "https://github.com/cilium/cilium/archive/v${VERSION}.tar.gz" | \ - tar xzf - --strip-components 1 \ - && patch -p1 --no-backup-if-mismatch < /tmp/cilium.patch \ + # Since we use the fork and patched repogitory, we need to specify the branch name + && BRANCH=v${VERSION}-lb-dsr-patch \ + && git clone --depth 1 --branch ${BRANCH} https://github.com/cybozu-go/cilium \ + && cd cilium \ && make licenses-all \ && mv LICENSE.all ${DESTDIR}/LICENSE \ && apt-get update \ @@ -39,7 +39,7 @@ RUN mkdir -p ${DESTDIR} \ FROM build-base as builder COPY workspace/bin/llvm-objcopy /bin/ COPY workspace/bin/clang workspace/bin/llc /bin/ -WORKDIR /go/src/github.com/cilium/cilium +WORKDIR /go/src/github.com/cybozu-go/cilium ARG LIBNETWORK_PLUGIN ARG DESTDIR ENV PKG_BUILD=1 diff --git a/cilium/cilium.patch b/cilium/cilium.patch deleted file mode 100644 index ee7b965cc..000000000 --- a/cilium/cilium.patch +++ /dev/null 
@@ -1,1442 +0,0 @@ -diff --git a/Documentation/observability/metrics.rst b/Documentation/observability/metrics.rst -index 6d165a185e..265d758b24 100644 ---- a/Documentation/observability/metrics.rst -+++ b/Documentation/observability/metrics.rst -@@ -407,6 +407,17 @@ Name Labels - ``k8s_terminating_endpoints_events_total`` Enabled Number of terminating endpoint events received from Kubernetes - =========================================== ================================================== ========== ======================================================== - -+Kubernetes Rest Client -+~~~~~~~~~~~~~~~~~~~~~~ -+ -+============================================= ============================================= ========== =========================================================== -+Name Labels Default Description -+============================================= ============================================= ========== =========================================================== -+``k8s_client_api_latency_time_seconds`` ``path``, ``method`` Enabled Duration of processed API calls labeled by path and method -+``k8s_client_rate_limiter_duration_seconds`` ``path``, ``method`` Enabled Kubernetes client rate limiter latency in seconds. 
Broken down by path and method -+``k8s_client_api_calls_total`` ``host``, ``method``, ``return_code`` Enabled Number of API calls made to kube-apiserver labeled by host, method and return code -+============================================= ============================================= ========== =========================================================== -+ - IPAM - ~~~~ - -diff --git a/bpf/Makefile b/bpf/Makefile -index ee516eea21..eb4f530ab7 100644 ---- a/bpf/Makefile -+++ b/bpf/Makefile -@@ -213,8 +213,12 @@ XDP_OPTIONS = $(LB_OPTIONS) \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_DSR_HYBRID: \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DDSR_ENCAP_NONE=2 \ -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DDSR_ENCAP_IPIP=2 \ -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP_CNI:-DDSR_ENCAP_NONE=2 \ - -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_NONE:-DDSR_ENCAP_IPIP=2 \ -- -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DENABLE_SCTP:-DDSR_ENCAP_NONE=2 -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP_CNI:-DDSR_ENCAP_NONE=2 \ -+ -DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_IPIP:-DENABLE_SCTP:-DDSR_ENCAP_NONE=2 \ -+ 
-DENABLE_NODEPORT_ACCELERATION:-DENABLE_IPV4:-DENABLE_IPV6:-DENABLE_NODEPORT:-DENABLE_DSR:-DENABLE_CAPTURE:-DDSR_ENCAP_MODE:-DDSR_ENCAP_GENEVE:-DENABLE_SCTP:-DDSR_ENCAP_IPIP=2 - - ifndef MAX_XDP_OPTIONS - MAX_XDP_OPTIONS = $(MAX_BASE_OPTIONS) -DENABLE_PREFILTER=1 -diff --git a/bpf/bpf_host.c b/bpf/bpf_host.c -index f9bc648ebf..b6129f6620 100644 ---- a/bpf/bpf_host.c -+++ b/bpf/bpf_host.c -@@ -552,7 +552,8 @@ handle_ipv4(struct __ctx_buff *ctx, __u32 secctx, - if (vtep->vtep_mac && vtep->tunnel_endpoint) { - if (eth_store_daddr(ctx, (__u8 *)&vtep->vtep_mac, 0) < 0) - return DROP_WRITE_ERROR; -- return __encap_and_redirect_with_nodeid(ctx, vtep->tunnel_endpoint, -+ return __encap_and_redirect_with_nodeid(ctx, -+ vtep->tunnel_endpoint, - secctx, WORLD_ID, WORLD_ID, &trace); - } - } -@@ -562,7 +563,8 @@ skip_vtep: - #ifdef TUNNEL_MODE - info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, V4_CACHE_KEY_LEN); - if (info != NULL && info->tunnel_endpoint != 0) { -- return encap_and_redirect_with_nodeid(ctx, info->tunnel_endpoint, -+ return encap_and_redirect_with_nodeid(ctx, -+ info->tunnel_endpoint, - secctx, info->sec_label, - &trace); - } else { -@@ -1052,9 +1054,9 @@ int cil_from_netdev(struct __ctx_buff *ctx) - edt_set_aggregate(ctx, 0); - - ret = __encap_and_redirect_with_nodeid(ctx, ctx_get_xfer(ctx, XFER_ENCAP_NODEID), -- ctx_get_xfer(ctx, XFER_ENCAP_SECLABEL), -- ctx_get_xfer(ctx, XFER_ENCAP_DSTID), -- NOT_VTEP_DST, &trace); -+ ctx_get_xfer(ctx, XFER_ENCAP_SECLABEL), -+ ctx_get_xfer(ctx, XFER_ENCAP_DSTID), -+ NOT_VTEP_DST, &trace); - - if (IS_ERR(ret)) - goto drop_err; -diff --git a/bpf/complexity-tests/419/bpf_host.txt b/bpf/complexity-tests/419/bpf_host.txt -index 76404252d6..0d7b3ac3c5 100644 ---- a/bpf/complexity-tests/419/bpf_host.txt -+++ b/bpf/complexity-tests/419/bpf_host.txt -@@ -1,3 +1,6 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 
-DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 
-DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -diff --git a/bpf/complexity-tests/419/bpf_lxc.txt b/bpf/complexity-tests/419/bpf_lxc.txt -index 76404252d6..76683a1480 100644 ---- a/bpf/complexity-tests/419/bpf_lxc.txt -+++ b/bpf/complexity-tests/419/bpf_lxc.txt -@@ -1,3 +1,6 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 
-DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 
-DENABLE_CLUSTER_AWARE_ADDRESSING=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -diff --git a/bpf/complexity-tests/419/bpf_overlay.txt b/bpf/complexity-tests/419/bpf_overlay.txt -index 851b907098..3684ec9729 100644 ---- a/bpf/complexity-tests/419/bpf_overlay.txt -+++ b/bpf/complexity-tests/419/bpf_overlay.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 
-DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 -DENABLE_INTER_CLUSTER_SNAT=1 -diff --git a/bpf/complexity-tests/419/bpf_sock.txt b/bpf/complexity-tests/419/bpf_sock.txt -index b0324fb85a..ed0d508a96 100644 ---- a/bpf/complexity-tests/419/bpf_sock.txt -+++ b/bpf/complexity-tests/419/bpf_sock.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_NAT_46X64_GATEWAY=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 
-DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_NAT_46X64_GATEWAY=1 -diff --git a/bpf/complexity-tests/419/bpf_xdp.txt b/bpf/complexity-tests/419/bpf_xdp.txt -index ce88402a08..c07ac041d1 100644 ---- a/bpf/complexity-tests/419/bpf_xdp.txt -+++ b/bpf/complexity-tests/419/bpf_xdp.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -diff --git a/bpf/complexity-tests/54/bpf_host.txt b/bpf/complexity-tests/54/bpf_host.txt -index d843f2646a..1c7e786f8d 100644 ---- 
a/bpf/complexity-tests/54/bpf_host.txt -+++ b/bpf/complexity-tests/54/bpf_host.txt -@@ -1,3 +1,6 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 
-DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 
-DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -diff --git a/bpf/complexity-tests/54/bpf_lxc.txt b/bpf/complexity-tests/54/bpf_lxc.txt -index 7b1df33478..afc1d0d9fa 100644 ---- a/bpf/complexity-tests/54/bpf_lxc.txt -+++ b/bpf/complexity-tests/54/bpf_lxc.txt -@@ -1,3 +1,7 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 
-DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 
-DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_HOST_SERVICES_TCP=1 -DENABLE_HOST_SERVICES_UDP=1 -DENABLE_HOST_REDIRECT=1 -DENABLE_ROUTING=1 -DNO_REDIRECT=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DDSR_ENCAP_IPIP_CNI=1 -diff --git a/bpf/complexity-tests/54/bpf_overlay.txt b/bpf/complexity-tests/54/bpf_overlay.txt -index 906b7c10bf..04083bfd57 100644 ---- a/bpf/complexity-tests/54/bpf_overlay.txt -+++ b/bpf/complexity-tests/54/bpf_overlay.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 
-DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 -DENABLE_INTER_CLUSTER_SNAT=1 -diff --git a/bpf/complexity-tests/54/bpf_sock.txt b/bpf/complexity-tests/54/bpf_sock.txt -index 9cb3a62cf9..63a421d814 100644 ---- a/bpf/complexity-tests/54/bpf_sock.txt -+++ b/bpf/complexity-tests/54/bpf_sock.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP -DENABLE_NAT_46X64_GATEWAY=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 
-DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 -DENABLE_NAT_46X64_GATEWAY=1 -diff --git a/bpf/complexity-tests/54/bpf_xdp.txt b/bpf/complexity-tests/54/bpf_xdp.txt -index a7bc3cc0c8..b80fdc21c3 100644 ---- a/bpf/complexity-tests/54/bpf_xdp.txt -+++ b/bpf/complexity-tests/54/bpf_xdp.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 
-DENABLE_IPV4_FRAGMENTS=1 -DENABLE_BANDWIDTH_MANAGER=1 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 -diff --git a/bpf/complexity-tests/netnext/bpf_host.txt b/bpf/complexity-tests/netnext/bpf_host.txt -index c8b73222ef..625dfad6bd 100644 ---- a/bpf/complexity-tests/netnext/bpf_host.txt -+++ b/bpf/complexity-tests/netnext/bpf_host.txt -@@ -1,3 +1,6 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 
-DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 
-DENABLE_VTEP=1 -DENABLE_SCTP=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -diff --git a/bpf/complexity-tests/netnext/bpf_lxc.txt b/bpf/complexity-tests/netnext/bpf_lxc.txt -index fc2dc5ffbf..c662d69709 100644 ---- a/bpf/complexity-tests/netnext/bpf_lxc.txt -+++ b/bpf/complexity-tests/netnext/bpf_lxc.txt -@@ -1,3 +1,6 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 
-DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 
-DENABLE_CLUSTER_AWARE_ADDRESSING=1 - -DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_WIREGUARD=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DENABLE_EGRESS_GATEWAY=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -diff --git a/bpf/complexity-tests/netnext/bpf_overlay.txt b/bpf/complexity-tests/netnext/bpf_overlay.txt -index ccbfa1d0a1..c01f2c2a9d 100644 ---- a/bpf/complexity-tests/netnext/bpf_overlay.txt -+++ b/bpf/complexity-tests/netnext/bpf_overlay.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 
-DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_VTEP=1 -DENABLE_SCTP=1 -DENABLE_CLUSTER_AWARE_ADDRESSING=1 -DENABLE_INTER_CLUSTER_SNAT=1 -diff --git a/bpf/complexity-tests/netnext/bpf_sock.txt b/bpf/complexity-tests/netnext/bpf_sock.txt -index 59630d1f58..09100196f3 100644 ---- a/bpf/complexity-tests/netnext/bpf_sock.txt -+++ b/bpf/complexity-tests/netnext/bpf_sock.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 
-DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP -DENABLE_NAT_46X64_GATEWAY=1 -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_NAT_46X64=1 -DENCAP_IFINDEX=1 -DTUNNEL_MODE=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 -DENABLE_NAT_46X64_GATEWAY=1 -diff --git a/bpf/complexity-tests/netnext/bpf_xdp.txt b/bpf/complexity-tests/netnext/bpf_xdp.txt -index 790c69a73d..c928c7ca8a 100644 ---- a/bpf/complexity-tests/netnext/bpf_xdp.txt -+++ b/bpf/complexity-tests/netnext/bpf_xdp.txt -@@ -1 +1,2 @@ - -DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DHAVE_LPM_TRIE_MAP_TYPE=1 -DHAVE_LRU_HASH_MAP_TYPE=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 
-DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP -+-DSKIP_DEBUG=1 -DENABLE_IPV4=1 -DENABLE_IPV6=1 -DENABLE_ROUTING=1 -DPOLICY_VERDICT_NOTIFY=1 -DALLOW_ICMP_FRAG_NEEDED=1 -DENABLE_IDENTITY_MARK=1 -DMONITOR_AGGREGATION=3 -DCT_REPORT_FLAGS=0x0002 -DENABLE_HOST_FIREWALL=1 -DENABLE_ICMP_RULE=1 -DENABLE_CUSTOM_CALLS=1 -DENABLE_SRV6=1 -DENABLE_MASQUERADE=1 -DENABLE_SRC_RANGE_CHECK=1 -DENABLE_NODEPORT=1 -DENABLE_NODEPORT_ACCELERATION=1 -DENABLE_SESSION_AFFINITY=1 -DENABLE_DSR_ICMP_ERRORS=1 -DENABLE_DSR=1 -DENABLE_DSR_HYBRID=1 -DDSR_ENCAP_MODE=1 -DDSR_ENCAP_GENEVE=1 -DDSR_ENCAP_IPIP=2 -DENABLE_IPV4_FRAGMENTS=1 -DENABLE_TPROXY=1 -DENABLE_HOST_ROUTING=1 -DENABLE_BANDWIDTH_MANAGER=1 -DETH_HLEN=0 -DENABLE_PREFILTER=1 -DLB_SELECTION=1 -DLB_SELECTION_MAGLEV=1 -DENABLE_SCTP=1 -diff --git a/bpf/include/bpf/ctx/common.h b/bpf/include/bpf/ctx/common.h -index ca64a1c817..ad012df18c 100644 ---- a/bpf/include/bpf/ctx/common.h -+++ b/bpf/include/bpf/ctx/common.h -@@ -33,4 +33,9 @@ static __always_inline bool ctx_no_room(const void *needed, const void *limit) - return unlikely(needed > limit); - } - -+static __always_inline bool ctx_is_skb(void) -+{ -+ return __ctx_is == __ctx_skb; -+} -+ - #endif /* __BPF_CTX_COMMON_H_ */ -diff --git a/bpf/include/bpf/ctx/skb.h b/bpf/include/bpf/ctx/skb.h -index 01fa3f78fc..1a315242ab 100644 ---- a/bpf/include/bpf/ctx/skb.h -+++ b/bpf/include/bpf/ctx/skb.h -@@ -46,6 +46,9 @@ - #define ctx_get_tunnel_key skb_get_tunnel_key - #define ctx_set_tunnel_key skb_set_tunnel_key - -+#define ctx_get_tunnel_opt skb_get_tunnel_opt -+#define ctx_set_tunnel_opt skb_set_tunnel_opt -+ - #define ctx_event_output skb_event_output - - #define ctx_adjust_meta ({ -ENOTSUPP; }) -diff --git a/bpf/include/bpf/ctx/xdp.h b/bpf/include/bpf/ctx/xdp.h -index 13aa821e48..3ff617e030 100644 ---- a/bpf/include/bpf/ctx/xdp.h -+++ b/bpf/include/bpf/ctx/xdp.h -@@ -100,6 +100,9 @@ 
xdp_store_bytes(const struct xdp_md *ctx, __u64 off, const void *from,
- #define ctx_get_tunnel_key xdp_get_tunnel_key__stub
- #define ctx_set_tunnel_key xdp_set_tunnel_key__stub
- 
-+#define ctx_get_tunnel_opt xdp_get_tunnel_opt__stub
-+#define ctx_set_tunnel_opt xdp_set_tunnel_opt__stub
-+
- #define ctx_event_output xdp_event_output
- 
- #define ctx_adjust_meta xdp_adjust_meta
-diff --git a/bpf/include/bpf/helpers_skb.h b/bpf/include/bpf/helpers_skb.h
-index d4bce19723..b3b3e47c24 100644
---- a/bpf/include/bpf/helpers_skb.h
-+++ b/bpf/include/bpf/helpers_skb.h
-@@ -49,6 +49,11 @@ static int BPF_FUNC(skb_set_tunnel_key, struct __sk_buff *skb,
- const struct bpf_tunnel_key *from, __u32 size,
- __u32 flags);
- 
-+static int BPF_FUNC(skb_get_tunnel_opt, struct __sk_buff *skb,
-+ void *opt, __u32 size);
-+static int BPF_FUNC(skb_set_tunnel_opt, struct __sk_buff *skb,
-+ void *opt, __u32 size);
-+
- /* Events for user space */
- static int BPF_FUNC_REMAP(skb_event_output, struct __sk_buff *skb, void *map,
- __u64 index, const void *data, __u32 size) =
-diff --git a/bpf/include/bpf/helpers_xdp.h b/bpf/include/bpf/helpers_xdp.h
-index 98500a5407..3da9c95955 100644
---- a/bpf/include/bpf/helpers_xdp.h
-+++ b/bpf/include/bpf/helpers_xdp.h
-@@ -47,6 +47,11 @@ static int BPF_STUB(xdp_set_tunnel_key, struct xdp_md *xdp,
- const struct bpf_tunnel_key *from, __u32 size,
- __u32 flags);
- 
-+static int BPF_STUB(xdp_get_tunnel_opt, struct xdp_md *xdp, void *opt,
-+ __u32 size);
-+static int BPF_STUB(xdp_set_tunnel_opt, struct xdp_md *xdp, void *opt,
-+ __u32 size);
-+
- /* Events for user space */
- static int BPF_FUNC_REMAP(xdp_event_output, struct xdp_md *xdp, void *map,
- __u64 index, const void *data, __u32 size) =
-diff --git a/bpf/lib/common.h b/bpf/lib/common.h
-index 866a60c852..5620b76612 100644
---- a/bpf/lib/common.h
-+++ b/bpf/lib/common.h
-@@ -46,7 +46,8 @@
- #define CONDITIONAL_PREALLOC BPF_F_NO_PREALLOC
- #endif
- 
--#if defined(ENCAP_IFINDEX) ||
defined(ENABLE_EGRESS_GATEWAY) -+#if defined(ENCAP_IFINDEX) || defined(ENABLE_EGRESS_GATEWAY) || \ -+ (defined(ENABLE_DSR) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE) - #define HAVE_ENCAP - - /* NOT_VTEP_DST is passed to an encapsulation function when the -@@ -75,6 +76,8 @@ enum { - XFER_ENCAP_NODEID = 1, - XFER_ENCAP_SECLABEL = 2, - XFER_ENCAP_DSTID = 3, -+ XFER_ENCAP_PORT = 4, -+ XFER_ENCAP_ADDR = 5, - }; - - /* These are shared with test/bpf/check-complexity.sh, when modifying any of -@@ -534,6 +537,7 @@ enum { - #define DROP_NAT46 -187 - #define DROP_NAT64 -188 - #define DROP_POLICY_AUTH_REQUIRED -189 -+#define DROP_DSR_ENCAP_UNSUPP_PROTO -193 - #define DROP_NO_EGRESS_GATEWAY -194 - #define DROP_TTL_EXCEEDED -196 - #define DROP_NO_NODE_ID -197 -@@ -641,6 +645,27 @@ enum metric_dir { - #define DSR_IPV6_OPT_LEN (sizeof(struct dsr_opt_v6) - 4) - #define DSR_IPV6_EXT_LEN ((sizeof(struct dsr_opt_v6) - 8) / 8) - -+/* The high-order bit of the Geneve option type indicates that -+ * this is a critical option. -+ * -+ * https://www.rfc-editor.org/rfc/rfc8926.html#name-tunnel-options -+ */ -+#define GENEVE_OPT_TYPE_CRIT 0x80 -+ -+/* Geneve option used to carry service addr and port for DSR. 
-+ * -+ * Class = 0x014B (Cilium according to [1]) -+ * Type = 0x1 (vendor-specific) -+ * -+ * [1]: https://www.iana.org/assignments/nvo3/nvo3.xhtml#geneve-option-class -+ */ -+#define DSR_GENEVE_OPT_CLASS 0x014B -+#define DSR_GENEVE_OPT_TYPE (GENEVE_OPT_TYPE_CRIT | 0x01) -+#define DSR_IPV4_GENEVE_OPT_LEN \ -+ ((sizeof(struct geneve_dsr_opt4) - sizeof(struct geneve_opt_hdr)) / 4) -+#define DSR_IPV6_GENEVE_OPT_LEN \ -+ ((sizeof(struct geneve_dsr_opt6) - sizeof(struct geneve_opt_hdr)) / 4) -+ - /* We cap key index at 4 bits because mark value is used to map ctx to key */ - #define MAX_KEY_INDEX 15 - -@@ -698,12 +723,17 @@ enum { - CB_POLICY, - #define CB_ADDR_V6_2 CB_POLICY /* Alias, non-overlapping */ - #define CB_BACKEND_ID CB_POLICY /* Alias, non-overlapping */ -+#define CB_SRC_PORT CB_POLICY /* Alias, non-overlapping */ - #define CB_SRV6_SID_3 CB_POLICY /* Alias, non-overlapping */ - #define CB_ENCAP_DSTID CB_POLICY /* XDP */ -+#define CB_DSR_SRC_LABEL CB_POLICY /* Alias, non-overlapping */ - CB_NAT, - #define CB_ADDR_V6_3 CB_NAT /* Alias, non-overlapping */ - #define CB_FROM_HOST CB_NAT /* Alias, non-overlapping */ -+#define CB_ADDR_V4_2 CB_NAT /* Alias, non-overlapping */ - #define CB_SRV6_SID_4 CB_NAT /* Alias, non-overlapping */ -+#define CB_ENCAP_PORT CB_NAT /* XDP */ -+#define CB_DSR_L3_OFF CB_NAT /* Alias, non-overlapping */ - CB_CT_STATE, - #define CB_ADDR_V6_4 CB_CT_STATE /* Alias, non-overlapping */ - #define CB_ENCRYPT_IDENTITY CB_CT_STATE /* Alias, non-overlapping, -@@ -715,6 +745,7 @@ enum { - */ - #define CB_CUSTOM_CALLS CB_CT_STATE /* Alias, non-overlapping */ - #define CB_SRV6_VRF_ID CB_CT_STATE /* Alias, non-overlapping */ -+#define CB_ENCAP_ADDR CB_CT_STATE /* XDP */ - }; - - /* Magic values for CB_FROM_HOST. 
-@@ -1090,6 +1121,51 @@ struct lpm_val { - __u8 flags; - }; - -+struct geneve_opt_hdr { -+ __be16 opt_class; -+ __u8 type; -+#ifdef __LITTLE_ENDIAN_BITFIELD -+ __u8 length:5, -+ rsvd:3; -+#else -+ __u8 rsvd:3, -+ length:5; -+#endif -+}; -+ -+struct geneve_dsr_opt4 { -+ struct geneve_opt_hdr hdr; -+ __be32 addr; -+ __be16 port; -+ __u16 pad; -+}; -+ -+struct geneve_dsr_opt6 { -+ struct geneve_opt_hdr hdr; -+ union v6addr addr; -+ __be16 port; -+ __u16 pad; -+}; -+ -+struct genevehdr { -+#ifdef __LITTLE_ENDIAN_BITFIELD -+ __u8 opt_len:6, -+ ver:2; -+ __u8 rsvd:6, -+ critical:1, -+ control:1; -+#else -+ __u8 ver:2, -+ opt_len:6; -+ __u8 control:1, -+ critical:1, -+ rsvd:6; -+#endif -+ __be16 protocol_type; -+ __u8 vni[3]; -+ __u8 reserved; -+}; -+ - #include "overloadable.h" - - #endif /* __LIB_COMMON_H_ */ -diff --git a/bpf/lib/encap.h b/bpf/lib/encap.h -index 982128d3d1..74c7260195 100644 ---- a/bpf/lib/encap.h -+++ b/bpf/lib/encap.h -@@ -92,7 +92,8 @@ __encap_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint, - - cilium_dbg(ctx, DBG_ENCAP, node_id, seclabel); - -- ret = ctx_set_encap_info(ctx, node_id, seclabel, dstid, vni, ifindex); -+ ret = ctx_set_encap_info(ctx, node_id, seclabel, dstid, vni, -+ NULL, 0, ifindex); - if (ret == CTX_ACT_REDIRECT) - send_trace_notify(ctx, TRACE_TO_OVERLAY, seclabel, dstid, 0, *ifindex, - ct_reason, monitor); -@@ -126,7 +127,8 @@ encap_and_redirect_with_nodeid(struct __ctx_buff *ctx, __u32 tunnel_endpoint, - __u32 seclabel, __u32 dstid, - const struct trace_ctx *trace) - { -- return __encap_and_redirect_with_nodeid(ctx, tunnel_endpoint, seclabel, dstid, NOT_VTEP_DST, -+ return __encap_and_redirect_with_nodeid(ctx, tunnel_endpoint, seclabel, -+ dstid, NOT_VTEP_DST, - trace); - } - -@@ -155,6 +157,7 @@ __encap_and_redirect_lxc(struct __ctx_buff *ctx, __u32 tunnel_endpoint, - * apply the correct reverse DNAT. - * See #14674 for details. 
- */ -+ - ret = __encap_with_nodeid(ctx, tunnel_endpoint, seclabel, dstid, NOT_VTEP_DST, - trace->reason, trace->monitor, &ifindex); - if (ret != CTX_ACT_REDIRECT) -@@ -222,5 +225,58 @@ encap_and_redirect_netdev(struct __ctx_buff *ctx, struct tunnel_key *k, - } - #endif /* TUNNEL_MODE */ - -+#if defined(ENABLE_DSR) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE -+static __always_inline int -+__encap_with_nodeid_opt(struct __ctx_buff *ctx, -+ __u32 tunnel_endpoint, -+ __u32 seclabel, __u32 dstid, __u32 vni, -+ void *opt, __u32 opt_len, -+ enum trace_reason ct_reason, -+ __u32 monitor, __u32 *ifindex) -+{ -+ __u32 node_id; -+ -+ /* When encapsulating, a packet originating from the local host is -+ * being considered as a packet from a remote node as it is being -+ * received. -+ */ -+ if (seclabel == HOST_ID) -+ seclabel = LOCAL_NODE_ID; -+ -+ node_id = bpf_ntohl(tunnel_endpoint); -+ -+ cilium_dbg(ctx, DBG_ENCAP, node_id, seclabel); -+ -+ send_trace_notify(ctx, TRACE_TO_OVERLAY, seclabel, dstid, 0, *ifindex, -+ ct_reason, monitor); -+ -+ /* dstid is unused. 
*/ -+ return ctx_set_encap_info(ctx, node_id, seclabel, 0, vni, opt, -+ opt_len, ifindex); -+} -+ -+static __always_inline void -+set_geneve_dsr_opt4(__be16 port, __be32 addr, struct geneve_dsr_opt4 *gopt) -+{ -+ memset(gopt, 0, sizeof(*gopt)); -+ gopt->hdr.opt_class = bpf_htons(DSR_GENEVE_OPT_CLASS); -+ gopt->hdr.type = DSR_GENEVE_OPT_TYPE; -+ gopt->hdr.length = DSR_IPV4_GENEVE_OPT_LEN; -+ gopt->addr = addr; -+ gopt->port = port; -+} -+ -+static __always_inline void -+set_geneve_dsr_opt6(__be16 port, const union v6addr *addr, -+ struct geneve_dsr_opt6 *gopt) -+{ -+ memset(gopt, 0, sizeof(*gopt)); -+ gopt->hdr.opt_class = bpf_htons(DSR_GENEVE_OPT_CLASS); -+ gopt->hdr.type = DSR_GENEVE_OPT_TYPE; -+ gopt->hdr.length = DSR_IPV6_GENEVE_OPT_LEN; -+ ipv6_addr_copy((union v6addr *)&gopt->addr, addr); -+ gopt->port = port; -+} -+#endif /* ENABLE_DSR && DSR_ENCAP_GENEVE */ - #endif /* HAVE_ENCAP */ - #endif /* __LIB_ENCAP_H_ */ -diff --git a/bpf/lib/nodeport.h b/bpf/lib/nodeport.h -index b247fcb6c9..63e52ab936 100644 ---- a/bpf/lib/nodeport.h -+++ b/bpf/lib/nodeport.h -@@ -59,6 +59,31 @@ static __always_inline bool nodeport_uses_dsr(__u8 nexthdr __maybe_unused) - # endif - } - -+#ifdef HAVE_ENCAP -+static __always_inline int -+nodeport_add_tunnel_encap(struct __ctx_buff *ctx, -+ __be32 dst_ip, __u32 src_sec_identity, __u32 dst_sec_identity, -+ enum trace_reason ct_reason, __u32 monitor, __u32 *ifindex) -+{ -+ return __encap_with_nodeid(ctx, dst_ip, -+ src_sec_identity, dst_sec_identity, NOT_VTEP_DST, -+ ct_reason, monitor, ifindex); -+} -+ -+# if defined(ENABLE_DSR) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE -+static __always_inline int -+nodeport_add_tunnel_encap_opt(struct __ctx_buff *ctx, -+ __be32 dst_ip, __u32 src_sec_identity, __u32 dst_sec_identity, -+ void *opt, __u32 opt_len, enum trace_reason ct_reason, -+ __u32 monitor, __u32 *ifindex) -+{ -+ return __encap_with_nodeid_opt(ctx, dst_ip, -+ src_sec_identity, dst_sec_identity, NOT_VTEP_DST, -+ opt, opt_len, ct_reason, 
monitor, ifindex); -+} -+# endif -+#endif /* HAVE_ENCAP */ -+ - static __always_inline bool - bpf_skip_recirculation(const struct __ctx_buff *ctx __maybe_unused) - { -@@ -528,10 +553,15 @@ int tail_nodeport_ipv6_dsr(struct __ctx_buff *ctx) - ctx_load_meta(ctx, CB_HINT), &ohead); - #elif DSR_ENCAP_MODE == DSR_ENCAP_NONE - ret = dsr_set_ext6(ctx, ip6, &addr, port, &ohead); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ /* To do, add support for ipv6 */ -+ ret = 0; -+#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE -+ ret = 0; - #else - # error "Invalid load balancer DSR encapsulation mode!" - #endif -- if (unlikely(ret)) { -+ if (IS_ERR(ret)) { - if (dsr_fail_needs_reply(ret)) - return dsr_reply_icmp6(ctx, ip6, &addr, port, ret, ohead); - goto drop_err; -@@ -850,6 +880,7 @@ int tail_nodeport_nat_egress_ipv6(struct __ctx_buff *ctx) - dst = (union v6addr *)&ip6->daddr; - info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN); - if (info && info->tunnel_endpoint != 0) { -+ /* FIX ME: IPv6 is not used, so src_ip and src_port are 0 as a dummy value. */ - ret = __encap_with_nodeid(ctx, info->tunnel_endpoint, - WORLD_ID, - info->sec_label, -@@ -967,7 +998,11 @@ static __always_inline int nodeport_lb6(struct __ctx_buff *ctx, - - svc = lb6_lookup_service(&key, false, false); - if (svc) { -- const bool skip_l3_xlate = DSR_ENCAP_MODE == DSR_ENCAP_IPIP; -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+ const bool skip_l3_xlate = true; -+#else -+ const bool skip_l3_xlate = false; -+#endif - - if (!lb6_src_range_ok(svc, (union v6addr *)&ip6->saddr)) - return DROP_NOT_IN_SRC_RANGE; -@@ -1217,6 +1252,7 @@ static __always_inline int rev_nodeport_lb6(struct __ctx_buff *ctx, __u32 *ifind - - info = ipcache_lookup6(&IPCACHE_MAP, dst, V6_CACHE_KEY_LEN); - if (info != NULL && info->tunnel_endpoint != 0) { -+ /* FIX ME: IPv6 is not used, so src_ip and src_port are 0 as a dummy value. 
*/ - return __encap_with_nodeid(ctx, info->tunnel_endpoint, - SECLABEL, info->sec_label, - NOT_VTEP_DST, -@@ -1466,7 +1502,7 @@ static __always_inline int nodeport_snat_fwd_ipv4(struct __ctx_buff *ctx) - } - - #ifdef ENABLE_DSR --#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP || DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI - static __always_inline __be32 rss_gen_src4(__be32 client, __be32 l4_hint) - { - const __u32 bits = 32 - IPV4_RSS_PREFIX_BITS; -@@ -1476,6 +1512,237 @@ static __always_inline __be32 rss_gen_src4(__be32 client, __be32 l4_hint) - src |= bpf_htonl(hash_32(client ^ l4_hint, bits)); - return src; - } -+#endif /*DSR_ENCAP_MODE*/ -+ -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+/* -+ * Original packet: [clientIP:clientPort -> serviceIP:servicePort] } IP/L4 -+ * -+ * After DSR IPIP: [rssSrcIP -> backendIP] } IP -+ * [clientIP:clientPort -> backendIP:backendPort] } IP/L4 -+ */ -+static __always_inline int dsr_set_ipipcni4(struct __ctx_buff *ctx, -+ const struct iphdr *ip4, -+ __be32 backend_addr, -+ __be32 l4_hint, -+ __be16 svc_port, -+ __be32 svc_addr, -+ __be16 *ohead) -+{ -+ __u16 tot_len = bpf_ntohs(ip4->tot_len) + sizeof(*ip4); -+ const int l3_off = ETH_HLEN; -+ const int l4_off = ETH_HLEN + sizeof(struct iphdr); -+ __be16 id, frag_off; -+ __be32 sum, sum_old; -+ __u8 ihlver, tos; -+ -+ struct iphds { -+#if defined(__LITTLE_ENDIAN_BITFIELD) -+ __u8 ihl:4, -+ version:4; -+#elif defined(__BIG_ENDIAN_BITFIELD) -+ __u8 version:4, -+ ihl:4; -+#else -+#error "Please fix " -+#endif -+ __u8 tos; -+ __be16 tot_len; -+ __be16 id; -+ __u8 ttl; -+ __u8 protocol; -+ __be32 saddr; -+ __be32 daddr; -+ struct dsr_opt_v4 opt; -+ }; -+ -+ struct iphds tp_old = { -+ .ihl = ip4->ihl, -+ .version = ip4->version, -+ .tot_len = ip4->tot_len, -+ .ttl = ip4->ttl, -+ .protocol = ip4->protocol, -+ .saddr = ip4->saddr, -+ .daddr = ip4->daddr, -+ .opt = { -+ .type = DSR_IPV4_OPT_TYPE, -+ .len = sizeof(struct dsr_opt_v4), -+ .port = bpf_htons(svc_port), -+ 
.addr = bpf_htonl(svc_addr), -+ }, -+ }, tp_new = { -+ .ihl = 5, -+ .version = ip4->version, -+ .tot_len = bpf_htons(tot_len), -+ .ttl = IPDEFTTL, -+ .protocol = IPPROTO_IPIP, -+ .saddr = rss_gen_src4(ip4->saddr, l4_hint), -+ .daddr = backend_addr, -+ .opt = { -+ .type = 0, -+ .len = 0, -+ .port = 0, -+ .addr = 0, -+ }, -+ }; -+ -+ if (ip4->protocol == IPPROTO_TCP) { -+ union tcp_flags tcp_flags = { .value = 0 }; -+ -+ if (ctx_load_bytes(ctx, ETH_HLEN + ip4->ihl * 4 + 12, -+ &tcp_flags, 2) < 0) -+ return DROP_CT_INVALID_HDR; -+ -+ /* Encap with IP-in-IP is required only for the first packet -+ * (SYN), in the case of TCP, as for further packets of the -+ * same connection a remote node will use a NAT entry to -+ * reverse xlate a reply. -+ */ -+ if (!(tcp_flags.value & (TCP_FLAG_SYN))) -+ return 0; -+ } -+ -+ if (dsr_is_too_big(ctx, tot_len)) { -+ *ohead = sizeof(*ip4); -+ return DROP_FRAG_NEEDED; -+ } -+ -+ if (ip4->ihl == 0x5) { -+ tp_old.opt.type = 0; -+ tp_old.opt.len = 0; -+ tp_old.opt.port = 0; -+ tp_old.opt.addr = 0; -+ } -+ -+ if (ctx_adjust_hroom(ctx, sizeof(*ip4), BPF_ADJ_ROOM_NET, -+ ctx_adjust_hroom_dsr_flags())) -+ return DROP_INVALID; -+ -+ sum = csum_diff(&tp_old, 24, &tp_new, 24, 0); -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, tos), -+ &tos, sizeof(tos)) < 0) -+ return DROP_CT_INVALID_HDR; -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, id), -+ &id, sizeof(id)) < 0) -+ return DROP_CT_INVALID_HDR; -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, frag_off), -+ &frag_off, sizeof(frag_off)) < 0) -+ return DROP_CT_INVALID_HDR; -+ if (ctx_load_bytes(ctx, l3_off + offsetof(struct iphdr, check), -+ &sum_old, sizeof(sum_old)) < 0) -+ return DROP_CT_INVALID_HDR; -+ -+ ihlver = *((__u8 *)&tp_new); -+ if (ctx_store_bytes(ctx, l3_off, -+ &ihlver, 1, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, tot_len), -+ &tp_new.tot_len, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if 
(ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, ttl), -+ &tp_new.ttl, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), -+ &tp_new.saddr, 8, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (l3_csum_replace(ctx, l3_off + offsetof(struct iphdr, check), -+ 0, sum, 0) < 0) -+ return DROP_CSUM_L3; -+ -+ ihlver = *((__u8 *)&tp_old); -+ if (ctx_store_bytes(ctx, l4_off, -+ &ihlver, 1, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, tos), -+ &tos, 1, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, tot_len), -+ &tp_old.tot_len, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, id), -+ &id, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, frag_off), -+ &frag_off, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, ttl), -+ &tp_old.ttl, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, check), -+ &sum_old, 2, 0) < 0) -+ return DROP_WRITE_ERROR; -+ if (ctx_store_bytes(ctx, l4_off + offsetof(struct iphdr, saddr), -+ &tp_old.saddr, 8, 0) < 0) -+ return DROP_WRITE_ERROR; -+ return 0; -+} -+#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE -+static __always_inline int encap_geneve_dsr_opt4(struct __ctx_buff *ctx, int l3_off __maybe_unused, -+ struct iphdr *ip4, __be32 svc_addr, -+ __be16 svc_port, __u32 *ifindex, __be16 *ohead) -+{ -+ struct remote_endpoint_info *info __maybe_unused; -+ struct geneve_dsr_opt4 gopt; -+ bool need_opt = true; -+ __u16 encap_len = sizeof(struct iphdr) + sizeof(struct udphdr) + -+ sizeof(struct genevehdr) + ETH_HLEN; -+ __u16 total_len = bpf_ntohs(ip4->tot_len); -+ __u32 src_sec_identity = WORLD_ID; -+ __u32 dst_sec_identity; -+ __be32 tunnel_endpoint; -+ -+ info = ipcache_lookup4(&IPCACHE_MAP, ip4->daddr, 
V4_CACHE_KEY_LEN); -+ if (!info || info->tunnel_endpoint == 0) -+ return DROP_NO_TUNNEL_ENDPOINT; -+ -+ tunnel_endpoint = info->tunnel_endpoint; -+ dst_sec_identity = info->sec_label; -+ -+ if (ip4->protocol == IPPROTO_TCP) { -+ union tcp_flags tcp_flags = { .value = 0 }; -+ -+ if (l4_load_tcp_flags(ctx, l3_off + ipv4_hdrlen(ip4), &tcp_flags) < 0) -+ return DROP_CT_INVALID_HDR; -+ -+ /* The GENEVE option is required only for the first packet -+ * (SYN), in the case of TCP, as for further packets of the -+ * same connection a remote node will use a NAT entry to -+ * reverse xlate a reply. -+ */ -+ if (!(tcp_flags.value & (TCP_FLAG_SYN))) -+ need_opt = false; -+ } -+ -+ if (need_opt) { -+ encap_len += sizeof(struct geneve_dsr_opt4); -+ set_geneve_dsr_opt4(svc_port, svc_addr, &gopt); -+ } -+ -+ if (dsr_is_too_big(ctx, total_len + encap_len)) { -+ *ohead = encap_len; -+ return DROP_FRAG_NEEDED; -+ } -+ -+ if (need_opt) -+ return nodeport_add_tunnel_encap_opt(ctx, -+ tunnel_endpoint, -+ src_sec_identity, -+ dst_sec_identity, -+ &gopt, -+ sizeof(gopt), -+ (enum trace_reason)CT_NEW, -+ TRACE_PAYLOAD_LEN, -+ ifindex); -+ -+ return nodeport_add_tunnel_encap(ctx, -+ tunnel_endpoint, -+ src_sec_identity, -+ dst_sec_identity, -+ (enum trace_reason)CT_NEW, -+ TRACE_PAYLOAD_LEN, -+ ifindex); -+} -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP - - /* - * Original packet: [clientIP:clientPort -> serviceIP:servicePort] } IP/L4 -@@ -1536,7 +1803,9 @@ static __always_inline int dsr_set_ipip4(struct __ctx_buff *ctx, - return DROP_CSUM_L3; - return 0; - } --#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE -+#endif /* DSR_ENCAP_MODE */ -+ -+#if DSR_ENCAP_MODE == DSR_ENCAP_NONE || DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI - static __always_inline int dsr_set_opt4(struct __ctx_buff *ctx, - struct iphdr *ip4, __be32 svc_addr, - __be16 svc_port, __be16 *ohead) -@@ -1595,7 +1864,7 @@ static __always_inline int dsr_set_opt4(struct __ctx_buff *ctx, - #endif /* DSR_ENCAP_MODE */ - - static __always_inline int 
--nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, -+nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4 __maybe_unused, - struct ipv4_ct_tuple *tuple, int l4_off, __be32 *addr, - __be16 *port, bool *dsr) - { -@@ -1627,6 +1896,25 @@ nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, - } - } - -+#if defined(IS_BPF_OVERLAY) -+ { -+ struct geneve_dsr_opt4 gopt; -+ int ret = 0; -+ -+ ret = ctx_get_tunnel_opt(ctx, &gopt, sizeof(gopt)); -+ -+ if (ret > 0) { -+ if (gopt.hdr.opt_class == bpf_htons(DSR_GENEVE_OPT_CLASS) && -+ gopt.hdr.type == DSR_GENEVE_OPT_TYPE) { -+ *dsr = true; -+ *port = gopt.port; -+ *addr = gopt.addr; -+ return 0; -+ } -+ } -+ } -+#else -+ - /* Check whether IPv4 header contains a 64-bit option (IPv4 header - * w/o option (5 x 32-bit words) + the DSR option (2 x 32-bit words)). - */ -@@ -1644,6 +1932,7 @@ nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, - return 0; - } - } -+ #endif - - /* SYN for a new connection that's not / no longer DSR. - * If it's reopened, avoid sending subsequent traffic down the DSR path. -@@ -1654,6 +1943,29 @@ nodeport_extract_dsr_v4(struct __ctx_buff *ctx, struct iphdr *ip4, - return 0; - } - -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+static __always_inline int decap_ipip_v4(struct __ctx_buff *ctx) -+{ -+ void *data, *data_end; -+ struct iphdr *ip4; -+ -+ if (!revalidate_data(ctx, &data, &data_end, &ip4)) -+ return DROP_INVALID; -+ -+ if (ip4->protocol == IPPROTO_IPIP) { -+ if (ip4->ihl != 0x5) -+ return DROP_INVALID; -+ /* This will remove outer iph. 
Fix me: Not working with XDP */ -+ if (ctx_adjust_hroom(ctx, -(ip4->ihl * 4), -+ BPF_ADJ_ROOM_MAC, -+ ctx_adjust_hroom_dsr_flags()) < 0) { -+ return DROP_INVALID; -+ } -+ } -+ return 0; -+} -+#endif /* DSR_ENCAP_MODE */ -+ - static __always_inline int xlate_dsr_v4(struct __ctx_buff *ctx, - const struct ipv4_ct_tuple *tuple, - int l4_off, bool has_l4_header) -@@ -1806,6 +2118,7 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) - __u16 port; - __be16 ohead = 0; - int ret, ext_err = 0; -+ __u32 oif __maybe_unused = 0; - - if (!revalidate_data(ctx, &data, &data_end, &ip4)) { - ret = DROP_INVALID; -@@ -1814,7 +2127,28 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) - - addr = ctx_load_meta(ctx, CB_ADDR_V4); - port = (__u16)ctx_load_meta(ctx, CB_PORT); --#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+# if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ ret = dsr_set_opt4(ctx, ip4, -+ ctx_load_meta(ctx, CB_ADDR_V4_2), -+ (__u16)ctx_load_meta(ctx, CB_SRC_PORT), &ohead); -+ if (unlikely(ret)) { -+ if (dsr_fail_needs_reply(ret)) -+ return dsr_reply_icmp4(ctx, ip4, addr, port, ret, ohead); -+ goto drop_err; -+ } -+ -+ if (!revalidate_data(ctx, &data, &data_end, &ip4)) { -+ ret = DROP_INVALID; -+ goto drop_err; -+ } -+ -+ ret = dsr_set_ipipcni4(ctx, ip4, -+ ctx_load_meta(ctx, CB_ADDR_V4), -+ ctx_load_meta(ctx, CB_HINT), -+ (__u16)ctx_load_meta(ctx, CB_SRC_PORT), -+ ctx_load_meta(ctx, CB_ADDR_V4_2), -+ &ohead); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP - ret = dsr_set_ipip4(ctx, ip4, - addr, - ctx_load_meta(ctx, CB_HINT), &ohead); -@@ -1822,10 +2156,20 @@ int tail_nodeport_ipv4_dsr(struct __ctx_buff *ctx) - ret = dsr_set_opt4(ctx, ip4, - addr, - port, &ohead); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE -+ ret = encap_geneve_dsr_opt4(ctx, ctx_load_meta(ctx, CB_DSR_L3_OFF), -+ ip4, addr, port, &oif, &ohead); -+ if (!IS_ERR(ret)) { -+ if (ret == CTX_ACT_REDIRECT && oif) { -+ cilium_capture_out(ctx); -+ return ctx_redirect(ctx, oif, 0); -+ } -+ } -+ - #else - # error "Invalid load 
balancer DSR encapsulation mode!" - #endif -- if (unlikely(ret)) { -+ if (IS_ERR(ret)) { - if (dsr_fail_needs_reply(ret)) - return dsr_reply_icmp4(ctx, ip4, addr, port, ret, ohead); - goto drop_err; -@@ -2033,11 +2377,14 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) - .max_port = NODEPORT_PORT_MAX_NAT, - .src_from_world = true, - }; -+ struct ipv4_ct_tuple tuple __maybe_unused = {}; - int verdict = CTX_ACT_REDIRECT; - void *data, *data_end; - struct iphdr *ip4; - bool l2_hdr_required = true; - int ret, ext_err = 0; -+ int l4_off __maybe_unused = 0; -+ __be16 src_port __maybe_unused = 0; - - #ifdef TUNNEL_MODE - struct remote_endpoint_info *info; -@@ -2068,7 +2415,13 @@ int tail_nodeport_nat_egress_ipv4(struct __ctx_buff *ctx) - * bypass any netpol which disallows LB requests from - * outside. - */ -- ret = __encap_with_nodeid(ctx, info->tunnel_endpoint, -+ -+ ret = lb4_extract_tuple(ctx, ip4, ETH_HLEN, &l4_off, &tuple); -+ if (IS_ERR(ret)) -+ goto drop_err; -+ -+ ret = __encap_with_nodeid(ctx, -+ info->tunnel_endpoint, - WORLD_ID, - info->sec_label, - NOT_VTEP_DST, -@@ -2155,6 +2508,12 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx, - - cilium_capture_in(ctx); - -+#if __ctx_is != __ctx_xdp && DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI -+ ret = decap_ipip_v4(ctx); -+ if (ret != 0) -+ return ret; -+#endif /* DSR_ENCAP_MODE */ -+ - if (!revalidate_data(ctx, &data, &data_end, &ip4)) - return DROP_INVALID; - -@@ -2176,7 +2535,11 @@ static __always_inline int nodeport_lb4(struct __ctx_buff *ctx, - - svc = lb4_lookup_service(&key, false, false); - if (svc) { -- const bool skip_l3_xlate = DSR_ENCAP_MODE == DSR_ENCAP_IPIP; -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+ const bool skip_l3_xlate = true; -+#else -+ const bool skip_l3_xlate = false; -+#endif - - if (!lb4_src_range_ok(svc, ip4->saddr)) - return DROP_NOT_IN_SRC_RANGE; -@@ -2227,6 +2590,8 @@ skip_service_lookup: - - #ifdef ENABLE_DSR - if (nodeport_uses_dsr4(&tuple)) { -+#if 
(defined(IS_BPF_OVERLAY) && DSR_ENCAP_MODE == DSR_ENCAP_GENEVE) || \ -+ (!defined(IS_BPF_OVERLAY) && DSR_ENCAP_MODE != DSR_ENCAP_GENEVE) - bool dsr = false; - - /* Check if packet has embedded DSR info, or belongs to -@@ -2244,6 +2609,7 @@ skip_service_lookup: - if (IS_ERR(ret)) - return ret; - -+#endif - #ifndef ENABLE_MASQUERADE - /* The packet is DSR-eligible, so we know for sure that it is - * not reply traffic by a remote backend which would require -@@ -2327,15 +2693,23 @@ redo: - } - - /* TX request to remote backend: */ -- edt_set_aggregate(ctx, 0); - if (nodeport_uses_dsr4(&tuple)) { --#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+#if DSR_ENCAP_MODE == DSR_ENCAP_IPIP_CNI - ctx_store_meta(ctx, CB_HINT, - ((__u32)tuple.sport << 16) | tuple.dport); - ctx_store_meta(ctx, CB_ADDR_V4, tuple.daddr); --#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE -+ ctx_store_meta(ctx, CB_ADDR_V4_2, key.address); -+ ctx_store_meta(ctx, CB_SRC_PORT, key.dport); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_GENEVE - ctx_store_meta(ctx, CB_PORT, key.dport); - ctx_store_meta(ctx, CB_ADDR_V4, key.address); -+ ctx_store_meta(ctx, CB_DSR_SRC_LABEL, src_identity); -+ ctx_store_meta(ctx, CB_DSR_L3_OFF, l3_off); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_IPIP -+ ctx_store_meta(ctx, CB_HINT, -+ ((__u32)tuple.sport << 16) | tuple.dport); -+ ctx_store_meta(ctx, CB_ADDR_V4, tuple.daddr); -+#elif DSR_ENCAP_MODE == DSR_ENCAP_NONE - #endif /* DSR_ENCAP_MODE */ - ep_tail_call(ctx, CILIUM_CALL_IPV4_NODEPORT_DSR); - } else { -@@ -2427,6 +2801,7 @@ static __always_inline int rev_nodeport_lb4(struct __ctx_buff *ctx, __u32 *ifind - bool l2_hdr_required = true; - __u32 tunnel_endpoint __maybe_unused = 0; - __u32 dst_id __maybe_unused = 0; -+ __be16 src_port __maybe_unused = 0; - bool has_l4_header; - - if (!revalidate_data(ctx, &data, &data_end, &ip4)) -@@ -2557,6 +2932,7 @@ out: - - #if (defined(ENABLE_EGRESS_GATEWAY) || defined(TUNNEL_MODE)) - encap_redirect: -+ - return __encap_with_nodeid(ctx, tunnel_endpoint, SECLABEL, dst_id, - 
NOT_VTEP_DST, reason, monitor, ifindex); - #endif -diff --git a/bpf/lib/overloadable_skb.h b/bpf/lib/overloadable_skb.h -index 07162ffd02..95afd87c06 100644 ---- a/bpf/lib/overloadable_skb.h -+++ b/bpf/lib/overloadable_skb.h -@@ -165,9 +165,9 @@ static __always_inline bool ctx_snat_done(struct __sk_buff *ctx) - - #ifdef HAVE_ENCAP - static __always_inline __maybe_unused int --ctx_set_encap_info(struct __sk_buff *ctx, __u32 node_id, __u32 seclabel, -- __u32 dstid __maybe_unused, __u32 vni __maybe_unused, -- __u32 *ifindex) -+ctx_set_encap_info(struct __sk_buff *ctx, __u32 node_id, -+ __u32 seclabel, __u32 dstid __maybe_unused, __u32 vni __maybe_unused, -+ void *opt, __u32 opt_len, __u32 *ifindex) - { - struct bpf_tunnel_key key = {}; - int ret; -@@ -186,6 +186,12 @@ ctx_set_encap_info(struct __sk_buff *ctx, __u32 node_id, __u32 seclabel, - if (unlikely(ret < 0)) - return DROP_WRITE_ERROR; - -+ if (opt && opt_len > 0) { -+ ret = ctx_set_tunnel_opt(ctx, opt, opt_len); -+ if (unlikely(ret < 0)) -+ return DROP_WRITE_ERROR; -+ } -+ - *ifindex = ENCAP_IFINDEX; - - return CTX_ACT_REDIRECT; -diff --git a/bpf/lib/overloadable_xdp.h b/bpf/lib/overloadable_xdp.h -index 4049371ce8..91f0576a0a 100644 ---- a/bpf/lib/overloadable_xdp.h -+++ b/bpf/lib/overloadable_xdp.h -@@ -146,7 +146,10 @@ ctx_set_encap_info(struct xdp_md *ctx __maybe_unused, - __u32 node_id __maybe_unused, - __u32 seclabel __maybe_unused, - __u32 dstid __maybe_unused, -- __u32 vni __maybe_unused, __u32 *ifindex __maybe_unused) -+ __u32 vni __maybe_unused, -+ void *opt __maybe_unused, -+ __u32 opt_len __maybe_unused, -+ __u32 *ifindex __maybe_unused) - { - ctx_store_meta(ctx, CB_ENCAP_NODEID, bpf_ntohl(node_id)); - ctx_store_meta(ctx, CB_ENCAP_SECLABEL, seclabel); -diff --git a/bpf/lib/stubs.h b/bpf/lib/stubs.h -index 205bc0461c..9ffaa9d370 100644 ---- a/bpf/lib/stubs.h -+++ b/bpf/lib/stubs.h -@@ -12,6 +12,8 @@ - # ifndef DSR_ENCAP_MODE - # define DSR_ENCAP_MODE 0 - # define DSR_ENCAP_IPIP 2 -+# define 
DSR_ENCAP_IPIP_CNI 3 -+# define DSR_ENCAP_GENEVE 4 - # endif - # if defined(ENABLE_IPV4) && defined(ENABLE_MASQUERADE) && !defined(IPV4_MASQUERADE) - # define IPV4_MASQUERADE 0 -diff --git a/bpf/tests/tc_nodeport_lb4_dsr_backend.c b/bpf/tests/tc_nodeport_lb4_dsr_backend.c -index 32df51762f..207d521f3f 100644 ---- a/bpf/tests/tc_nodeport_lb4_dsr_backend.c -+++ b/bpf/tests/tc_nodeport_lb4_dsr_backend.c -@@ -13,6 +13,7 @@ - #define ENABLE_IPV4 - #define ENABLE_NODEPORT - #define ENABLE_DSR 1 -+#define DSR_ENCAP_GENEVE 4 - #define ENABLE_HOST_ROUTING - - #define DISABLE_LOOPBACK_LB -diff --git a/bpf/tests/tc_nodeport_lb4_dsr_lb.c b/bpf/tests/tc_nodeport_lb4_dsr_lb.c -index 9810fabcd2..559a4ec106 100644 ---- a/bpf/tests/tc_nodeport_lb4_dsr_lb.c -+++ b/bpf/tests/tc_nodeport_lb4_dsr_lb.c -@@ -13,6 +13,7 @@ - #define ENABLE_IPV4 - #define ENABLE_NODEPORT - #define ENABLE_DSR -+#define DSR_ENCAP_GENEVE 4 - - #define DISABLE_LOOPBACK_LB - -diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go -index 9572a830bc..98f3042763 100644 ---- a/daemon/cmd/daemon_main.go -+++ b/daemon/cmd/daemon_main.go -@@ -568,7 +568,7 @@ func initializeFlags() { - flags.String(option.LoadBalancerAlg, option.NodePortAlgRandom, "BPF load balancing algorithm (\"random\", \"maglev\")") - option.BindEnv(Vp, option.LoadBalancerAlg) - -- flags.String(option.LoadBalancerDSRDispatch, option.DSRDispatchOption, "BPF load balancing DSR dispatch method (\"opt\", \"ipip\")") -+ flags.String(option.LoadBalancerDSRDispatch, option.DSRDispatchOption, "BPF load balancing DSR dispatch method (\"opt\", \"ipip\", \"ipipcni\", \"geneve\")") - option.BindEnv(Vp, option.LoadBalancerDSRDispatch) - - flags.String(option.LoadBalancerDSRL4Xlate, option.DSRL4XlateFrontend, "BPF load balancing DSR L4 DNAT method for IPIP (\"frontend\", \"backend\")") -diff --git a/daemon/cmd/kube_proxy_replacement.go b/daemon/cmd/kube_proxy_replacement.go -index b755d1aabe..731b4348aa 100644 ---- 
a/daemon/cmd/kube_proxy_replacement.go -+++ b/daemon/cmd/kube_proxy_replacement.go -@@ -96,7 +96,9 @@ func initKubeProxyReplacementOptions() error { - - if option.Config.NodePortMode == option.NodePortModeDSR && - option.Config.LoadBalancerDSRDispatch != option.DSRDispatchOption && -- option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIP || -+ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIP && -+ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchIPIPCNI && -+ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchGeneve || - option.Config.NodePortMode == option.NodePortModeHybrid && - option.Config.LoadBalancerDSRDispatch != option.DSRDispatchOption { - return fmt.Errorf("Invalid value for --%s: %s", option.LoadBalancerDSRDispatch, option.Config.LoadBalancerDSRDispatch) -@@ -190,9 +192,16 @@ func initKubeProxyReplacementOptions() error { - } - - if option.Config.EnableNodePort { -- if option.Config.TunnelingEnabled() && -+ if option.Config.Tunnel == option.TunnelVXLAN && - option.Config.NodePortMode != option.NodePortModeSNAT { -- return fmt.Errorf("Node Port %q mode cannot be used with tunneling.", option.Config.NodePortMode) -+ return fmt.Errorf("Node Port %q mode cannot be used with %s tunneling.", option.Config.NodePortMode, option.Config.Tunnel) -+ } -+ -+ if option.Config.Tunnel == option.TunnelGeneve && -+ option.Config.NodePortMode != option.NodePortModeSNAT && -+ option.Config.LoadBalancerDSRDispatch != option.DSRDispatchGeneve { -+ return fmt.Errorf("Node Port %q mode with %s dispatch cannot be used with %s tunneling.", -+ option.Config.NodePortMode, option.Config.LoadBalancerDSRDispatch, option.Config.Tunnel) - } - - if option.Config.NodePortMode == option.NodePortModeDSR && -diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml -index 7ba092d5ea..81c6bbd0b1 100644 ---- a/install/kubernetes/cilium/templates/cilium-configmap.yaml -+++ 
b/install/kubernetes/cilium/templates/cilium-configmap.yaml -@@ -649,6 +649,9 @@ data: - {{- if hasKey .Values.loadBalancer "acceleration" }} - bpf-lb-acceleration: {{ .Values.loadBalancer.acceleration | quote }} - {{- end }} -+{{- if hasKey .Values.loadBalancer "dsrL4Translate" }} -+ bpf-lb-dsr-l4-xlate: {{ .Values.loadBalancer.dsrL4Translate | quote }} -+{{- end }} - {{- if hasKey .Values.loadBalancer "dsrDispatch" }} - bpf-lb-dsr-dispatch: {{ .Values.loadBalancer.dsrDispatch | quote }} - {{- end }} -diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml -index 8528d3a660..5cfa20316f 100644 ---- a/install/kubernetes/cilium/values.yaml -+++ b/install/kubernetes/cilium/values.yaml -@@ -1583,6 +1583,10 @@ loadBalancer: - # used to pass a service IP and port to remote backend - # dsrDispatch: opt - -+ # -- dsrL4Translate configures whether use frontend or backend to -+ # translate service port -+ # dsrL4Translate: frontend -+ - # -- serviceTopology enables K8s Topology Aware Hints -based service - # endpoints filtering - # serviceTopology: false -diff --git a/pkg/datapath/linux/config/config.go b/pkg/datapath/linux/config/config.go -index 811daec7c2..fa8f173c0c 100644 ---- a/pkg/datapath/linux/config/config.go -+++ b/pkg/datapath/linux/config/config.go -@@ -343,6 +343,8 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC - dsrEncapInv = iota - dsrEncapNone - dsrEncapIPIP -+ dsrEncapIPIPCNI -+ dsrEncapGeneve - ) - const ( - dsrL4XlateInv = iota -@@ -351,6 +353,8 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC - ) - cDefinesMap["DSR_ENCAP_IPIP"] = fmt.Sprintf("%d", dsrEncapIPIP) - cDefinesMap["DSR_ENCAP_NONE"] = fmt.Sprintf("%d", dsrEncapNone) -+ cDefinesMap["DSR_ENCAP_IPIP_CNI"] = fmt.Sprintf("%d", dsrEncapIPIPCNI) -+ cDefinesMap["DSR_ENCAP_GENEVE"] = fmt.Sprintf("%d", dsrEncapGeneve) - cDefinesMap["DSR_XLATE_FRONTEND"] = fmt.Sprintf("%d", dsrL4XlateFrontend) - 
cDefinesMap["DSR_XLATE_BACKEND"] = fmt.Sprintf("%d", dsrL4XlateBackend) - if option.Config.NodePortMode == option.NodePortModeDSR || -@@ -366,8 +370,12 @@ func (h *HeaderfileWriter) WriteNodeConfig(w io.Writer, cfg *datapath.LocalNodeC - cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapNone) - } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP { - cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapIPIP) -+ } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIPCNI { -+ cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapIPIPCNI) -+ } else if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchGeneve { -+ cDefinesMap["DSR_ENCAP_MODE"] = fmt.Sprintf("%d", dsrEncapGeneve) - } -- if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP { -+ if option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIP || option.Config.LoadBalancerDSRDispatch == option.DSRDispatchIPIPCNI { - if option.Config.LoadBalancerDSRL4Xlate == option.DSRL4XlateFrontend { - cDefinesMap["DSR_XLATE_MODE"] = fmt.Sprintf("%d", dsrL4XlateFrontend) - } else if option.Config.LoadBalancerDSRL4Xlate == option.DSRL4XlateBackend { -diff --git a/pkg/datapath/loader/base.go b/pkg/datapath/loader/base.go -index 54842856a1..be992a028b 100644 ---- a/pkg/datapath/loader/base.go -+++ b/pkg/datapath/loader/base.go -@@ -339,6 +339,13 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner, - args[initArgTunnelMode] = option.TunnelVXLAN - } - -+ if option.Config.Tunnel == option.TunnelDisabled && -+ option.Config.EnableNodePort && -+ option.Config.NodePortMode == option.NodePortModeDSR && -+ option.Config.LoadBalancerDSRDispatch == option.DSRDispatchGeneve { -+ args[initArgTunnelMode] = option.TunnelGeneve -+ } -+ - args[initArgTunnelPort] = "" - switch args[initArgTunnelMode] { - case option.TunnelVXLAN, option.TunnelGeneve: -diff --git a/pkg/k8s/watchers/watcher.go b/pkg/k8s/watchers/watcher.go -index 
7475dee96d..0217c2bf76 100644 ---- a/pkg/k8s/watchers/watcher.go -+++ b/pkg/k8s/watchers/watcher.go -@@ -107,9 +107,9 @@ func init() { - registerOps := k8s_metrics.RegisterOpts{ - ClientCertExpiry: nil, - ClientCertRotationAge: nil, -- RequestLatency: &k8sMetrics{}, -- RateLimiterLatency: nil, -- RequestResult: &k8sMetrics{}, -+ RequestLatency: &requestLatencyAdapter{}, -+ RateLimiterLatency: &rateLimiterLatencyAdapter{}, -+ RequestResult: &resultAdapter{}, - } - k8s_metrics.Register(registerOps) - k8s_metrics.RequestLatency = registerOps.RequestLatency -@@ -334,15 +334,23 @@ func NewK8sWatcher( - } - } - --// k8sMetrics implements the LatencyMetric and ResultMetric interface from --// k8s client-go package --type k8sMetrics struct{} -+// requestLatencyAdapter implements the LatencyMetric interface from k8s client-go package -+type requestLatencyAdapter struct{} - --func (*k8sMetrics) Observe(_ context.Context, verb string, u url.URL, latency time.Duration) { -+func (*requestLatencyAdapter) Observe(_ context.Context, verb string, u url.URL, latency time.Duration) { - metrics.KubernetesAPIInteractions.WithLabelValues(u.Path, verb).Observe(latency.Seconds()) - } - --func (*k8sMetrics) Increment(_ context.Context, code string, method string, host string) { -+// rateLimiterLatencyAdapter implements the LatencyMetric interface from k8s client-go package -+type rateLimiterLatencyAdapter struct{} -+ -+func (c *rateLimiterLatencyAdapter) Observe(_ context.Context, verb string, u url.URL, latency time.Duration) { -+ metrics.KubernetesAPIRateLimiterLatency.WithLabelValues(u.Path, verb).Observe(latency.Seconds()) -+} -+ -+type resultAdapter struct{} -+ -+func (*resultAdapter) Increment(_ context.Context, code string, method string, host string) { - metrics.KubernetesAPICallsTotal.WithLabelValues(host, method, code).Inc() - // The 'code' is set to '' in case an error is returned from k8s - // more info: -diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go -index 
0d02000f3a..afb5cd3495 100644 ---- a/pkg/metrics/metrics.go -+++ b/pkg/metrics/metrics.go -@@ -412,6 +412,9 @@ var ( - // to the kube-apiserver - KubernetesAPIInteractions = NoOpObserverVec - -+ // KubernetesAPIRateLimiterLatency is the client side rate limiter latency metric -+ KubernetesAPIRateLimiterLatency = NoOpObserverVec -+ - // KubernetesAPICallsTotal is the counter for all API calls made to - // kube-apiserver. - KubernetesAPICallsTotal = NoOpCounterVec -@@ -1105,6 +1108,15 @@ func CreateConfiguration(metricsEnabled []string) (Configuration, []prometheus.C - collectors = append(collectors, KubernetesAPIInteractions) - c.KubernetesAPIInteractionsEnabled = true - -+ case Namespace + "_" + SubsystemK8sClient + "_rate_limiter_duration_seconds": -+ KubernetesAPIRateLimiterLatency = prometheus.NewHistogramVec(prometheus.HistogramOpts{ -+ Namespace: Namespace, -+ Subsystem: SubsystemK8sClient, -+ Name: "rate_limiter_duration_seconds", -+ Help: "Kubernetes client rate limiter latency in seconds. 
Broken down by path and method.", -+ Buckets: []float64{0.005, 0.025, 0.1, 0.25, 0.5, 1.0, 2.0, 4.0, 8.0, 15.0, 30.0, 60.0}, -+ }, []string{LabelPath, LabelMethod}) -+ - case Namespace + "_" + SubsystemK8sClient + "_api_calls_total": - KubernetesAPICallsTotal = prometheus.NewCounterVec(prometheus.CounterOpts{ - Namespace: Namespace, -diff --git a/pkg/monitor/api/drop.go b/pkg/monitor/api/drop.go -index 7e02b7fee3..b10b6f85c0 100644 ---- a/pkg/monitor/api/drop.go -+++ b/pkg/monitor/api/drop.go -@@ -85,6 +85,7 @@ var errors = map[uint8]string{ - 187: "L3 translation from IPv4 to IPv6 failed (NAT46)", - 188: "L3 translation from IPv6 to IPv4 failed (NAT64)", - 189: "Authentication required", -+ 193: "Unsupported packet protocol for DSR encapsulation", - 194: "No egress gateway found", - 196: "TTL exceeded", - 197: "No node ID found", -diff --git a/pkg/option/config.go b/pkg/option/config.go -index a50b4764bb..05c9063db1 100644 ---- a/pkg/option/config.go -+++ b/pkg/option/config.go -@@ -1245,6 +1245,12 @@ const ( - // DSR dispatch mode to encapsulate to IPIP - DSRDispatchIPIP = "ipip" - -+ // DSR dispatch mod to encapsulate to IPIP -+ DSRDispatchIPIPCNI = "ipipcni" -+ -+ // DSR dispatch mod to encapsulate to GENEVE -+ DSRDispatchGeneve = "geneve" -+ - // DSR L4 translation to frontend port - DSRL4XlateFrontend = "frontend" - -@@ -1915,7 +1921,7 @@ type DaemonConfig struct { - NodePortAlg string - - // LoadBalancerDSRDispatch indicates the method for pushing packets to -- // backends under DSR ("opt" or "ipip") -+ // backends under DSR ("opt", "ipip", or "ipipcni") - LoadBalancerDSRDispatch string - - // LoadBalancerDSRL4Xlate indicates the method for L4 DNAT translation -@@ -3072,8 +3078,14 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { - if c.TunnelPort == 0 { - switch c.Tunnel { - case TunnelDisabled: -- // tunnel might still be used by eg. EgressGW -- c.TunnelPort = defaults.TunnelPortVXLAN -+ // tunnel might still be used by eg. 
DSR with Geneve dispatch or EgressGW
-+ if (c.EnableNodePort || c.KubeProxyReplacement == KubeProxyReplacementStrict) &&
-+ c.NodePortMode == NodePortModeDSR &&
-+ c.LoadBalancerDSRDispatch == DSRDispatchGeneve {
-+ c.TunnelPort = defaults.TunnelPortGeneve
-+ } else {
-+ c.TunnelPort = defaults.TunnelPortVXLAN
-+ }
- case TunnelVXLAN:
- c.TunnelPort = defaults.TunnelPortVXLAN
- case TunnelGeneve:
diff --git a/hubble-relay/Dockerfile b/hubble-relay/Dockerfile
index 934ee5319..7cb8f241f 100644
--- a/hubble-relay/Dockerfile
+++ b/hubble-relay/Dockerfile
@@ -8,25 +8,28 @@ FROM ${GOLANG_IMAGE} as build
 COPY TAG /
 # LICENSE.all
-WORKDIR /go/src/github.com/cilium/cilium
+WORKDIR /go/src/github.com/cybozu-go/
 RUN VERSION=$(cut -d \. -f 1,2,3 < /TAG ) \
- && curl -fsSL "https://github.com/cilium/cilium/archive/v${VERSION}.tar.gz" | \
- tar xzf - --strip-components 1 \
+ # Since we use the fork and patched repogitory, we need to specify the branch name
+ && BRANCH=v${VERSION}-lb-dsr-patch \
+ && echo ${BRANCH} \
+ && git clone --depth 1 --branch ${BRANCH} https://github.com/cybozu-go/cilium \
+ && cd cilium \
 && make licenses-all \
 && apt-get update \
 && apt-get install -y --no-install-recommends binutils-aarch64-linux-gnu \
 && images/runtime/build-gops.sh
 # hubble-relay
-WORKDIR /go/src/github.com/cilium/cilium/hubble-relay
+WORKDIR /go/src/github.com/cybozu-go/cilium/hubble-relay
 RUN make
 # Stage2: runtime
 FROM ${BASE_IMAGE}
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=build /out/linux/amd64/bin/gops /bin/gops
-COPY --from=build /go/src/github.com/cilium/cilium/LICENSE.all /LICENSE
-COPY --from=build /go/src/github.com/cilium/cilium/hubble-relay/hubble-relay /usr/bin/hubble-relay
+COPY --from=build /go/src/github.com/cybozu-go/cilium/LICENSE.all /LICENSE
+COPY --from=build /go/src/github.com/cybozu-go/cilium/hubble-relay/hubble-relay /usr/bin/hubble-relay
 WORKDIR /
 ENV GOPS_CONFIG_DIR=/
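Review bot: The `git clone --depth 1 --branch ${BRANCH} https://github.com/cybozu-go/cilium` line trades a fetch of a versioned release tarball for a checkout of a branch tip, so the image is no longer built from a fixed revision: whatever `v${VERSION}-lb-dsr-patch` points at when the job runs is what gets compiled, and a later push or force-push to that branch silently changes the shipped binary with no change in this repository. Pin the fork to an immutable commit instead, for example by recording the expected revision next to TAG and checking it right after the clone with `&& cd cilium && test "$(git rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>"` (placeholder for the recorded value), so a mismatch fails the build rather than producing an unexpected artifact. The comment line in the same RUN has a typo, `repogitory` for `repository`, and the `echo ${BRANCH}` step is purely diagnostic; it could be folded into that comment.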
From 73528f57c008fdb0dcea2b0711088d546f2f2795 Mon Sep 17 00:00:00 2001
From: terasihma
Date: Fri, 22 Sep 2023 05:11:29 +0000
Subject: [PATCH 6/6] Fix to use gcc-9
Signed-off-by: terasihma
---
 .circleci/config.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 489134cc5..12f4cd35d 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -511,8 +511,8 @@ jobs:
 flex \
 g++ \
 g++-aarch64-linux-gnu \
- gcc \
- gcc-aarch64-linux-gnu \
+ gcc-9 \
+ gcc-9-aarch64-linux-gnu \
 git \
 libelf-dev \
 libelf-dev:arm64 \
@@ -526,6 +526,8 @@ jobs:
 python3-pip \
 unzip
 update-alternatives --install /usr/bin/python python /usr/bin/python2 1
+ update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 2
+ update-alternatives --install /usr/bin/aarch64-linux-gnu-gcc aarch64-linux-gnu-gcc /usr/bin/aarch64-linux-gnu-gcc-9 3
 - run:
 name: Download cilium/image-tools
 command: |
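Review bot: The compiler pin in the second hunk is only half applied: the first hunk swaps `gcc` for `gcc-9` but leaves `g++` and `g++-aarch64-linux-gnu` at the distribution default, and if, as on stock Ubuntu, those packages depend on the default `gcc`, `/usr/bin/gcc` is first installed by that package and then re-pointed to gcc-9 by the new `update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 2` line, which leaves C and C++ on different compiler majors and relies on the alternatives call winning over a dpkg-owned path. If gcc-9 is genuinely required, install `g++-9` and `g++-9-aarch64-linux-gnu` in the first hunk and register matching `g++` alternatives beside the two new lines, so the toolchain is consistent and not dependent on install order. The commit message gives no reason for the pin; a comment above the `update-alternatives` lines such as `# gcc-9 is pinned because <reason>; keep the g++ packages on the same major` would stop a later cleanup from silently undoing it.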