LoadBalancer does not preserve source IP address, when forwarding TCP/UDP packets with externalTrafficPolicy=Local #529

@gnarlex

Expected behavior

If my service object of type LoadBalancer has externalTrafficPolicy set to Local, the forwarded packets should preserve the original client source IP address.

Actual behavior

TCP/UDP packets arriving at the pod have their source IP set to the LoadBalancer IP.

Context

This is important for some protocols like STUN, which allows clients to discover their public IP address and the type of NAT they are behind.

Steps to reproduce

  1. Deploy a single replica deployment, running netcat on port 22333 (nc -lvk 22333)
  2. Service object, with type: LoadBalancer and externalTrafficPolicy: Local forwarding traffic to that deployment, port 22333
  3. Wait for IP to be assigned.
  4. On client, open netcat connection to server (nc -v $IP 22333)
  5. On the server, it should now display the IP for the respective loadbalancer (instead of the IP of the client).
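
A reflector that can run in the pod in place of `nc -lvk 22333`, added here as an example and not part of the original issue: it answers each TCP connection or UDP datagram with the source address it observed, so the client can compare that with its own address. The function names and the `expected_ip` parameter are assumptions of this example.

```python
import socket
import threading

PORT = 22333  # port from the issue's reproduction steps

def _serve_tcp(sock):
    # Reply to every connection with the peer address this socket observed.
    while True:
        conn, (ip, port) = sock.accept()
        with conn:
            conn.sendall(f"{ip}:{port}\n".encode())

def _serve_udp(sock):
    # Same for UDP: answer each datagram with its observed source address.
    while True:
        _, (ip, port) = sock.recvfrom(64)
        sock.sendto(f"{ip}:{port}\n".encode(), (ip, port))

def start_reflector(host="0.0.0.0", port=PORT):
    """Start TCP and UDP reflectors in daemon threads; return both sockets."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, port))
    tcp.listen()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, port))
    for fn, sock in ((_serve_tcp, tcp), (_serve_udp, udp)):
        threading.Thread(target=fn, args=(sock,), daemon=True).start()
    return tcp, udp

def observed_source(server_ip, port, proto="tcp", timeout=3.0):
    """Probe once; return (client's local IP, source IP the server saw)."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        s.connect((server_ip, port))
        if proto == "udp":
            s.send(b"probe")  # UDP needs a datagram to trigger the reply
        reply = s.recv(64).decode().strip()
        local_ip = s.getsockname()[0]
    return local_ip, reply.rsplit(":", 1)[0]

def source_preserved(server_ip, port, proto="tcp", expected_ip=None):
    # Behind client-side NAT, pass the client's public address as expected_ip.
    local_ip, seen_ip = observed_source(server_ip, port, proto)
    return seen_ip == (expected_ip or local_ip)

if __name__ == "__main__":
    start_reflector()
    threading.Event().wait()  # keep serving until the pod is stopped
```

From the client, `source_preserved(IP, 22333, "udp")` returning `False` means the pod saw a rewritten source address, which is the behavior this issue reports.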

Labels: invalid