proxy: also install from-ingress-proxy rules with per-EP routing

This is a v1.14-only patch, the closest upstream equivalent is 217ae4f ("Re-introduce 2005 route table"). Egressing traffic would usually get routed straight to eth0. Install the 2005 rule to divert the traffic into cilium_host first. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
cilium · Mar 7, 2024 · 579d0a4 · 579d0a4
1 parent bde2d5e
commit 579d0a4
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 8 deletions.
diff --git a/bpf/init.sh b/bpf/init.sh
@@ -25,7 +25,7 @@ NODE_PORT=${18}
 # NODE_PORT_BIND=${19}
 # MCPU=${20}
 # NR_CPUS=${21}
-ENDPOINT_ROUTES=${22}
+# ENDPOINT_ROUTES=${22}
 PROXY_RULE=${23}
 FILTER_PRIO=${24}
 DEFAULT_RTPROTO=${25}
@@ -109,7 +109,7 @@ function setup_proxy_rules()
 	from_ingress_rulespec="fwmark 0xA00/0xF00 pref 10 lookup $PROXY_RT_TABLE proto $DEFAULT_RTPROTO"
 	use_from_ingress_proxy_rules=0
 
-	if [ "$IPSEC_ENCRYPTION" = "true" ] && [ "$ENDPOINT_ROUTES" != "true" ] && [ "$MODE" != "tunnel" ]; then
+	if [ "$IPSEC_ENCRYPTION" = "true" ] && [ "$MODE" != "tunnel" ]; then
 		use_from_ingress_proxy_rules=1
 	fi
 

diff --git a/pkg/datapath/loader/base.go b/pkg/datapath/loader/base.go
@@ -431,12 +431,7 @@ func (l *Loader) Reinitialize(ctx context.Context, o datapath.BaseProgramOwner,
 
 	args[initBPFCPU] = "<nil>"
 	args[initArgNrCPUs] = "<nil>"
-
-	if option.Config.EnableEndpointRoutes {
-		args[initArgEndpointRoutes] = "true"
-	} else {
-		args[initArgEndpointRoutes] = "false"
-	}
+	args[initArgEndpointRoutes] = "nil"
 
 	clockSource := []string{"ktime", "jiffies"}
 	log.WithFields(logrus.Fields{