_, localhostDst, err := net.ParseCIDR(fullCIDR)
		if err != nil {
			return fmt.Errorf("parse CIDR: %v", err)
		}

		netlinkRoutes := []*netlink.Route{
			// In routing table ${INBOUND_TPROXY_ROUTE_TABLE}, create a single default rule to route all traffic to
			// the loopback interface.
			// Equiv: "ip route add local 0.0.0.0/0 dev lo table 100"
			{
				Dst:       localhostDst,
				Scope:     netlink.SCOPE_HOST,

# There are two use cases here:
# * Building all docker images (generally in CI). In this case we want to build everything at once, so they share work
# * Building a single docker image (generally during dev). In this case we just want to build the single binary alone
BUILD_ALL ?= true
define build-linux
.PHONY: $(TARGET_OUT_LINUX)/$(shell basename $(1))
ifeq ($(BUILD_ALL),true)

		pod.GetLabels()[constants.DataplaneModeLabel] == constants.DataplaneModeAmbient) {
		// Neither namespace nor pod has ambient mode enabled
		return false
	}
	if podHasSidecar(pod) {
		// Ztunnel and sidecar for a single pod is currently not supported; opt out.
		return false
	}
	if pod.GetLabels()[constants.DataplaneModeLabel] == constants.DataplaneModeNone {
		// Pod explicitly asked to not have ambient redirection enabled
		return false

	optionalDeleteCmds := [][]string{
		// flush-then-delete our created chains
		{"-t", iptablesconstants.MANGLE, "-F", ChainInpodPrerouting},
		{"-t", iptablesconstants.MANGLE, "-F", ChainInpodOutput},
		{"-t", iptablesconstants.NAT, "-F", ChainInpodOutput},
		{"-t", iptablesconstants.MANGLE, "-X", ChainInpodPrerouting},
		{"-t", iptablesconstants.MANGLE, "-X", ChainInpodOutput},
		{"-t", iptablesconstants.NAT, "-X", ChainInpodOutput},
	}

	// We have already Unmap'd, so we can do a simple IsV6 y/n check now
	if ipToInsert.Is6() {
		return m.Deps.addIP(m.V6Name, ipToInsert, ipProto, comment, replace)
	}
	return m.Deps.addIP(m.V4Name, ipToInsert, ipProto, comment, replace)
}

func (m *IPSet) DeleteIP(ip netip.Addr, ipProto uint8) error {
	ipToDel := ip.Unmap()

	// We have already Unmap'd, so we can do a simple IsV6 y/n check now
	if ipToDel.Is6() {

)

const (
	// to reliably identify kubelet healthprobes from inside the pod (versus standard kube-proxy traffic,
	// since the IP is normally the same), we SNAT identified host probes in the host netns to a fixed
	// APIPA/"link-local" IP.
	//
	// It doesn't matter what this IP is, so long as it's not routable and doesn't collide with anything else.

            # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.
            # privileged is redundant with CAP_SYS_ADMIN
            # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
            # capabilities we actually require
            capabilities:
              drop:
              - ALL
              add: