proxy: Re-enable proxy rule installation in tunnel mode

This commit is to re-enable proxy rule installation in tunnel mode, as route 2005 was added back, and we need this rule to handle the hairpinning trafic in Ingress L7 proxy if the backend is on the same node. Relates: 0ebe516 Relates: #29530, #29864 Signed-off-by: Tam Mach <tam.mach@cilium.io>
cilium · Apr 10, 2024 · 595bd87 · 595bd87
1 parent 9325212
commit 595bd87
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -410,12 +410,12 @@ func (p *Proxy) ReinstallRoutingRules() error {
 			return err
 		}
 
-		if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
-			if err := removeFromProxyRoutesIPv4(); err != nil {
+		if !option.Config.EnableIPSec || (option.Config.EnableIPSec && !option.Config.TunnelingEnabled()) {
+			if err := installFromProxyRoutesIPv4(node.GetInternalIPv4Router(), defaults.HostDevice); err != nil {
 				return err
 			}
 		} else {
-			if err := installFromProxyRoutesIPv4(node.GetInternalIPv4Router(), defaults.HostDevice); err != nil {
+			if err := removeFromProxyRoutesIPv4(); err != nil {
 				return err
 			}
 		}
@@ -433,18 +433,18 @@ func (p *Proxy) ReinstallRoutingRules() error {
 			return err
 		}
 
-		if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
-			if err := removeFromProxyRoutesIPv6(); err != nil {
-				return err
-			}
-		} else {
+		if !option.Config.EnableIPSec || (option.Config.EnableIPSec && !option.Config.TunnelingEnabled()) {
 			ipv6, err := getCiliumNetIPv6()
 			if err != nil {
 				return err
 			}
 			if err := installFromProxyRoutesIPv6(ipv6, defaults.HostDevice); err != nil {
 				return err
 			}
+		} else {
+			if err := removeFromProxyRoutesIPv6(); err != nil {
+				return err
+			}
 		}
 	} else {
 		if err := removeToProxyRoutesIPv6(); err != nil {