fix: enable-bpf-masquerade when snat values are not enabled #350

Open
wants to merge 1 commit into
base: master

@hown3d hown3d commented Jun 20, 2024

How to categorize this PR?

/area networking
/kind TODO

What this PR does / why we need it:

Enable bpf-masquerading on direct routing if SNAT masquerades are not enabled.
For more information see the issue.

Which issue(s) this PR fixes:
Fixes #349

Special notes for your reviewer:

Release note:

Use BPF masquerading and therefore BPF host routing in Cilium when using direct routing.

@hown3d hown3d requested review from a team as code owners June 20, 2024 08:38
@gardener-robot gardener-robot added the area/networking Networking related label Jun 20, 2024
@gardener-robot

@hown3d Label kind/todo does not exist.


gardener-prow bot commented Jun 20, 2024

Hi @hown3d. Thanks for your PR.

I'm waiting for a gardener member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gardener-prow gardener-prow bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 20, 2024
@gardener-robot

@hown3d Thank you for your contribution.

@gardener-robot gardener-robot added needs/review Needs review size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) labels Jun 20, 2024
@gardener-robot-ci-1
Contributor

Thank you @hown3d for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

@axel7born
Contributor

/ok-to-test

@gardener-prow gardener-prow bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 20, 2024
@hown3d
Author

hown3d commented Jul 23, 2024

/test pull-extension-networking-cilium-e2e-kind

@axel7born
Contributor

In tests I see an issue with this change together with the apiserver-proxy.
apiserver-proxy adds an additional IP address, the service address of the kube-apiserver, to the loopback interface on each node. The endpoint for the kubernetes service has this address, so the traffic to kubernetes.cluster.local is sent to the loopback device, where an envoy proxy is listening and sending the traffic via proxy-protocol to the seed.
With this change this isn't working anymore. In a tcpdump I can see that source NAT is happening and the packets are sent to the default device for outgoing traffic.
I agree that it would be nice to have bpf masquerading. However, right now, I have no easy fix for the broken apiserver-proxy connection.

@hown3d hown3d force-pushed the snat-bpf-masquarade branch from 50a1e9b to 8e35b32 Compare September 25, 2024 13:39

gardener-prow bot commented Oct 31, 2024

@hown3d: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-gardener-extension-networking-cilium-check-renovate-config | 8e35b32 | link | true | /test pull-gardener-extension-networking-cilium-check-renovate-config |

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels
area/networking Networking related needs/review Needs review ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py)
Development

Successfully merging this pull request may close these issues.

Enable bpf-masquerading on direct routing
4 participants