loader: Remove program and route when disable endpoint routes

When per-endpoint routes are enabled, a route is added for each endpoint. A BPF program is also attached to the lxc devices on the path to the containers. When per-endpoint routes are disabled, we need to remove the routes and the programs. Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno · Mar 10, 2021 · 72e6238 · 72e6238
1 parent 991fd55
commit 72e6238
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/pkg/datapath/loader/loader.go b/pkg/datapath/loader/loader.go
@@ -342,16 +342,27 @@ func (l *Loader) reloadDatapath(ctx context.Context, ep datapath.Endpoint, dirs
 				}
 				return err
 			}
+		} else {
+			err := RemoveTCFilters(ep.InterfaceName(), netlink.HANDLE_MIN_EGRESS)
+			if err != nil {
+				log.WithField("device", ep.InterfaceName()).Error(err)
+			}
 		}
 	}
 
-	if ep.RequireEndpointRoute() {
-		if ip := ep.IPv4Address(); ip.IsSet() {
+	if ip := ep.IPv4Address(); ip.IsSet() {
+		if ep.RequireEndpointRoute() {
 			upsertEndpointRoute(ep, *ip.IPNet(32))
+		} else {
+			removeEndpointRoute(ep, *ip.IPNet(32))
 		}
+	}
 
-		if ip := ep.IPv6Address(); ip.IsSet() {
+	if ip := ep.IPv6Address(); ip.IsSet() {
+		if ep.RequireEndpointRoute() {
 			upsertEndpointRoute(ep, *ip.IPNet(128))
+		} else {
+			removeEndpointRoute(ep, *ip.IPNet(128))
 		}
 	}