never forward blindly if natin/out dev is involved

projectcalico · Nov 1, 2024 · 2f15c59 · 2f15c59
1 parent 5f68541
commit 2f15c59
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/felix/bpf-gpl/fib_co_re.h b/felix/bpf-gpl/fib_co_re.h
@@ -121,9 +121,9 @@ static CALI_BPF_INLINE int forward_or_drop(struct cali_tc_ctx *ctx)
 			goto cancel_fib;
 		}
 
-		if (CALI_F_TO_HOST &&
-				ct_result_is_confirmed(state->ct_result.rc) &&
-				state->ct_result.ifindex_fwd != CT_INVALID_IFINDEX ) {
+		if (CALI_F_TO_HOST && ct_result_is_confirmed(state->ct_result.rc) &&
+				state->ct_result.ifindex_fwd != CT_INVALID_IFINDEX &&
+				!(state->ct_result.flags & CALI_CT_FLAG_VIA_NAT_IF)) {
 			rc = bpf_redirect_neigh(state->ct_result.ifindex_fwd, NULL, 0, 0);
 			if (rc == TC_ACT_REDIRECT) {
 				CALI_DEBUG("Redirect to dev %d without fib lookup", state->ct_result.ifindex_fwd);

diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
@@ -1173,7 +1173,7 @@ static CALI_BPF_INLINE struct fwd post_nat(struct cali_tc_ctx *ctx,
 		} else if (!r || cali_rt_flags_remote_workload(r->flags)) {
 			/* If there is no route, treat it as a remote NP BE */
 			if (CALI_F_LO || CALI_F_MAIN) {
-				state->ct_result.ifindex_fwd = NATIN_IFACE  ;
+				state->ct_result.ifindex_fwd = NATIN_IFACE;
 				CALI_DEBUG("NP remote WL " IP_FMT ":%d on LO or main HEP",
 						debug_ip(state->post_nat_ip_dst), state->post_nat_dport);
 				ctx->state->flags |= CALI_ST_CT_NP_LOOP;