cilium: reenable host routing on endpoint routes and ipsec

... since both need to go up the stack for packet handling. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
cilium · Nov 17, 2020 · bbd6886 · bbd6886
1 parent 92edccf
commit bbd6886
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/daemon/cmd/kube_proxy_replacement.go b/daemon/cmd/kube_proxy_replacement.go
@@ -236,6 +236,9 @@ func initKubeProxyReplacementOptions() (strict bool) {
 			fallthrough
 		case option.Config.Tunnel != option.TunnelDisabled:
 			fallthrough
+		// Needs host stack for packet handling.
+		case option.Config.EnableEndpointRoutes || option.Config.EnableIPSec:
+			fallthrough
 		// Non-BPF masquerade requires netfilter and hence CT.
 		case option.Config.Masquerade && !option.Config.EnableBPFMasquerade:
 			option.Config.EnableHostLegacyRouting = true