proxy/routes: Remove fromEgressProxyRule for ci-ipsec-upgrade

Now cilium-1.15 doesn't install fromEgressProxyRule, this commit insists on removing it to make sure further downgrade can go smoothly. Soon cilium-main will have a PR to install fromEgressProxyRule, ci-ipsec-upgrade at that moment will upgrade cilium from 1.15-tip to main-pr, followed by a downgrade operation back to 1.15-tip. Without this 1.15 commit, downgrade from that main-pr will leave stale fromEgressProxyRule which breaks connectivity. This 1.15 commit makes sure there is no stale proxy rule installed by higher version after downgrade. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
cilium · Apr 12, 2024 · 5901e39 · 5901e39
1 parent d94e3cb
commit 5901e39
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -434,6 +434,9 @@ func (p *Proxy) ReinstallRoutingRules() error {
 				return err
 			}
 		}
+		if err := removeFromEgressProxyRoutesIPv4(); err != nil {
+			return err
+		}
 	} else {
 		if err := removeToProxyRoutesIPv4(); err != nil {
 			return err
@@ -464,6 +467,9 @@ func (p *Proxy) ReinstallRoutingRules() error {
 				return err
 			}
 		}
+		if err := removeFromEgressProxyRoutesIPv6(); err != nil {
+			return err
+		}
 	} else {
 		if err := removeToProxyRoutesIPv6(); err != nil {
 			return err

diff --git a/pkg/proxy/routes.go b/pkg/proxy/routes.go
@@ -165,6 +165,13 @@ func removeFromIngressProxyRoutesIPv4() error {
 	return nil
 }
 
+func removeFromEgressProxyRoutesIPv4() error {
+	if err := route.DeleteRule(netlink.FAMILY_V4, fromEgressProxyRule); err != nil && !errors.Is(err, syscall.ENOENT) {
+		return fmt.Errorf("removing ipv4 from egress proxy routing rule: %w", err)
+	}
+	return nil
+}
+
 // removeStaleProxyRulesIPv4 removes stale proxy rules. This is a v1.15 only function.
 func removeStaleProxyRulesIPv4() error {
 	return removeProtoUnspecRules(netlink.FAMILY_V4)
@@ -217,6 +224,15 @@ func removeFromIngressProxyRoutesIPv6() error {
 	return nil
 }
 
+func removeFromEgressProxyRoutesIPv6() error {
+	if err := route.DeleteRule(netlink.FAMILY_V6, fromEgressProxyRule); err != nil {
+		if !errors.Is(err, syscall.ENOENT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+			return fmt.Errorf("removing ipv6 from egress proxy routing rule: %w", err)
+		}
+	}
+	return nil
+}
+
 // removeStaleProxyRulesIPv6 removes stale proxy rules. This is a v1.15 only function.
 func removeStaleProxyRulesIPv6() error {
 	return removeProtoUnspecRules(netlink.FAMILY_V6)