cilium · borkmann · Jun 16, 2020 · Jun 15, 2020 · Jun 16, 2020
diff --git a/daemon/cmd/daemon.go b/daemon/cmd/daemon.go
@@ -437,14 +437,15 @@ func NewDaemon(ctx context.Context, dp datapath.Datapath) (*Daemon, *endpointRes
 	}
 	// BPF masquerade depends on BPF NodePort, so the following checks should
 	// happen after invoking initKubeProxyReplacementOptions().
+	if option.Config.Masquerade && option.Config.EnableBPFMasquerade &&
+		!option.Config.EnableNodePort {
+		// ipt.InstallRules() (called by Reinitialize()) happens later than
+		// this  statement, so it's OK to fallback to iptables-based MASQ.
+		log.Warnf("BPF masquerade requires NodePort (--%s=\"true\"). "+
+			"Falling back to iptables-based masquerading.", option.EnableNodePort)
+		option.Config.EnableBPFMasquerade = false
+	}
 	if option.Config.Masquerade && option.Config.EnableBPFMasquerade {
-		if !option.Config.EnableNodePort {
-			// ipt.InstallRules() (called by Reinitialize()) happens later than
-			// this  statement, so it's OK to fallback to iptables-based MASQ.
-			log.Warnf("BPF masquerade requires NodePort (--%s=\"true\"). "+
-				"Falling back to iptables-based masquerading.", option.EnableNodePort)
-			option.Config.EnableBPFMasquerade = false
-		}
 		// TODO(brb) nodeport + ipvlan constraints will be lifted once the SNAT BPF code has been refactored
 		if option.Config.DatapathMode == datapathOption.DatapathModeIpvlan {
 			log.Fatalf("BPF masquerade works only in veth mode (--%s=\"%s\"", option.DatapathMode, datapathOption.DatapathModeVeth)