This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Allow networkpolicy ipBlock to filter Ingress traffic for hostport & hostnetwork pods #3383

Open
fvigotti opened this issue Aug 21, 2018 · 1 comment

Comments

@fvigotti

fvigotti commented Aug 21, 2018

See my last message here for more context: #3367
Anyway, the problem is that for a bare metal cluster there are only 3 ways to get an external IP address:
nodeport (with externalTrafficPolicy: Local)
hostport (which will do a DNAT so the source IP is preserved)
hostnetwork

The nodeport is not very usable for standard applications (i.e. mysql/kafka/http) because of the high range ports and the mess when there are tons of them,

leaving only the last two options.. but none of them seems to be covered by your weave implementation of networkpolicy (Ingress->ipBlock). I think that the hostport could be easy to implement, and hostnetwork maybe a bit more complicated, but anyway any of them would be very useful (I've seen other issues opened around about people with the same problems (i.e. whitelisted IP and block everything else (to create a DMZ, VPN access to some services, ...)). The only way to handle that is doing a sidecar with a tcp/udp proxy in every pod that needs this, but this is not a good design; also touching node firewalls doesn't sound good to me (there are already too many components that play with iptables), and in most bare-metal setups an external firewall is a costly option so I prefer to avoid it due to my limited budget..

NB: I've tested with the latest build of master which has the patch mentioned here #3367 and the policy doesn't work (I've not tested nodeport but I cannot use this for the reasons described above)

thank you,
Francesco

@brb
Contributor

brb commented Aug 30, 2018

Weave NPC filters ingress traffic which goes through the filter/FORWARD chain. For hostPort and hostNetwork to be filtered we need to include the filter/INPUT chain. However, with the current NPC implementation we cannot include it as the NPC rules would interfere with non-Weave Net traffic.
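One way to check on a node whether the ruleset can filter hostPort/hostNetwork ingress at all, as an added example (not Weave Net's own code, and not from either commenter): parse `iptables -S` output for the filter table and report whether the network-policy chain is reached from FORWARD and from INPUT. The chain name WEAVE-NPC and the sample ruleset are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit which iptables base chains hand traffic to the
# network-policy chain. Pod-to-pod traffic is forwarded (filter/FORWARD);
# traffic to a hostPort or hostNetwork pod terminates on the node, so it
# only passes filter/INPUT. If INPUT never jumps to the policy chain, an
# Ingress ipBlock rule cannot apply to those pods.
# The chain name and ruleset below are assumptions constructed for this example.

NPC_CHAIN="WEAVE-NPC"

# Constructed `iptables -S` (filter table) output for a node where the policy
# chain is only wired into FORWARD, as described in the comment above.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N WEAVE-NPC
-N WEAVE-NPC-DEFAULT
-N WEAVE-NPC-INGRESS
-A FORWARD -o weave -j WEAVE-NPC
-A FORWARD -o weave -j DROP
-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS'

# Return 0 if base chain $1 contains a jump to the policy chain, 1 otherwise.
# $2 is the ruleset text in `iptables -S` format.
npc_reached_from() {
    printf '%s\n' "$2" | grep -Eq -- "^-A $1( .*)? -j $NPC_CHAIN\$"
}

# Print a comma-separated list of the pod ingress kinds the ruleset can
# filter: "pod-network" via FORWARD, "hostPort,hostNetwork" via INPUT.
covered_pod_kinds() {
    kinds=""
    npc_reached_from FORWARD "$1" && kinds="pod-network"
    npc_reached_from INPUT "$1" && kinds="${kinds:+$kinds,}hostPort,hostNetwork"
    printf '%s\n' "${kinds:-none}"
}

# Human-readable report for one ruleset.
audit_policy_path() {
    for chain in FORWARD INPUT; do
        if npc_reached_from "$chain" "$1"; then status=covered; else status=NOT-covered; fi
        printf '%-8s -> %s: %s\n' "$chain" "$NPC_CHAIN" "$status"
    done
    printf 'filterable pod ingress: %s\n' "$(covered_pod_kinds "$1")"
}

# Stand-alone use: on a real node, feed it the output of `iptables -S` instead.
audit_policy_path "$SAMPLE_RULES"
```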
