proxy: Re-enable proxy rule installation in native mode

This commit is to re-enable proxy rule installation in native mode if cilium envoy config or ipsec is enabled. The reason is to handle the reply packet of hair-pinning traffic in Ingress L7 proxy (i.e. backend is in the same node). Relates: 0ebe516 Relates: #29530, #29864 Signed-off-by: Tam Mach <tam.mach@cilium.io>
cilium · May 10, 2024 · 32b2784 · 32b2784
1 parent d079381
commit 32b2784
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go
@@ -567,6 +567,9 @@ const (
 
 	// BPFEventsTraceEnabled controls whether the Cilium datapath exposes "trace" events to Cilium monitor and Hubble.
 	BPFEventsTraceEnabled = true
+
+	// EnableEnvoyConfig is the default value for option.EnableEnvoyConfig
+	EnableEnvoyConfig = false
 )
 
 var (

diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -2432,6 +2432,7 @@ var (
 		BPFEventsDropEnabled:          defaults.BPFEventsDropEnabled,
 		BPFEventsPolicyVerdictEnabled: defaults.BPFEventsPolicyVerdictEnabled,
 		BPFEventsTraceEnabled:         defaults.BPFEventsTraceEnabled,
+		EnableEnvoyConfig:             defaults.EnableEnvoyConfig,
 	}
 )
 

diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -411,12 +411,12 @@ func (p *Proxy) ReinstallRoutingRules() error {
 		if err := removeFromEgressProxyRoutesIPv4(); err != nil {
 			return err
 		}
-		if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
-			if err := removeFromIngressProxyRoutesIPv4(); err != nil {
+		if requireFromProxyRoutes() {
+			if err := installFromProxyRoutesIPv4(node.GetInternalIPv4Router(), defaults.HostDevice); err != nil {
 				return err
 			}
 		} else {
-			if err := installFromProxyRoutesIPv4(node.GetInternalIPv4Router(), defaults.HostDevice); err != nil {
+			if err := removeFromIngressProxyRoutesIPv4(); err != nil {
 				return err
 			}
 		}
@@ -437,18 +437,18 @@ func (p *Proxy) ReinstallRoutingRules() error {
 		if err := removeFromEgressProxyRoutesIPv6(); err != nil {
 			return err
 		}
-		if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
-			if err := removeFromIngressProxyRoutesIPv6(); err != nil {
-				return err
-			}
-		} else {
+		if requireFromProxyRoutes() {
 			ipv6, err := getCiliumNetIPv6()
 			if err != nil {
 				return err
 			}
 			if err := installFromProxyRoutesIPv6(ipv6, defaults.HostDevice); err != nil {
 				return err
 			}
+		} else {
+			if err := removeFromIngressProxyRoutesIPv6(); err != nil {
+				return err
+			}
 		}
 	} else {
 		if err := removeToProxyRoutesIPv6(); err != nil {
@@ -462,6 +462,10 @@ func (p *Proxy) ReinstallRoutingRules() error {
 	return nil
 }
 
+func requireFromProxyRoutes() bool {
+	return (option.Config.EnableEnvoyConfig || option.Config.EnableIPSec) && !option.Config.TunnelingEnabled()
+}
+
 // getCiliumNetIPv6 retrieves the first IPv6 address from the cilium_net device.
 func getCiliumNetIPv6() (net.IP, error) {
 	link, err := netlink.LinkByName(defaults.SecondHostDevice)