proxy: Re-enable proxy rule installation in tunnel mode

This commit is to re-enable proxy rule installation in tunnel mode, as route 2005 was added back, and we need this rule to handle the hairpinning trafic in Ingress L7 proxy if the backend is on the same node. Relates: 0ebe516 Relates: #29530, #29864 Signed-off-by: Tam Mach <tam.mach@cilium.io>
cilium · Apr 16, 2024 · 85dda17 · 85dda17
1 parent 43ca6f2
commit 85dda17
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -410,12 +410,12 @@ func (p *Proxy) ReinstallRoutingRules() error {
 			return err
 		}
 
-		if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
-			if err := removeFromProxyRoutesIPv4(); err != nil {
+		if !option.Config.EnableIPSec || (option.Config.EnableIPSec && !option.Config.TunnelingEnabled()) {
+			if err := installFromProxyRoutesIPv4(node.GetInternalIPv4Router(), defaults.HostDevice); err != nil {
 				return err
 			}
 		} else {
-			if err := installFromProxyRoutesIPv4(node.GetInternalIPv4Router(), defaults.HostDevice); err != nil {
+			if err := removeFromProxyRoutesIPv4(); err != nil {
 				return err
 			}
 		}
@@ -433,18 +433,18 @@ func (p *Proxy) ReinstallRoutingRules() error {
 			return err
 		}
 
-		if !option.Config.EnableIPSec || option.Config.TunnelingEnabled() {
-			if err := removeFromProxyRoutesIPv6(); err != nil {
-				return err
-			}
-		} else {
+		if !option.Config.EnableIPSec || (option.Config.EnableIPSec && !option.Config.TunnelingEnabled()) {
 			ipv6, err := getCiliumNetIPv6()
 			if err != nil {
 				return err
 			}
 			if err := installFromProxyRoutesIPv6(ipv6, defaults.HostDevice); err != nil {
 				return err
 			}
+		} else {
+			if err := removeFromProxyRoutesIPv6(); err != nil {
+				return err
+			}
 		}
 	} else {
 		if err := removeToProxyRoutesIPv6(); err != nil {