bpf: nodeport: drop reply by local backend if revDNAT is skipped

RevDNAT for replies from a local service backend is handled by tail-calling from bpf_lxc to CILIUM_CALL_IPV*_NODEPORT_REVNAT with bpf_skip_recirculation() set.

If rev_nodeport_lb*() then doesn't find a matching CT entry, don't return CTX_ACT_REDIRECT to the caller. Without a CT entry we also didn't perform a FIB lookup, so `ifindex` is still 0 and the subsequent bpf_redirect() won't do any good.

As bpf_lxc only performs the tail-call if ct_state->node_port is set, finding no related Nodeport CT entry is unexpected. So drop the packet.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>