[BPF] packets to host must have MarkSeenSkipFIB

Regardless of whether we bypass conntrack or not, that mark must be on so that returning traffic from a pod (if the traffic was redirected) does not do FIB and skip iptables.
projectcalico · Aug 28, 2024 · ee755e9 · ee755e9
1 parent 966dba6
commit ee755e9
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/felix/rules/static.go b/felix/rules/static.go
@@ -1169,15 +1169,15 @@ func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8,
 			Action:  r.GoTo(ChainRawBPFUntrackedPolicy),
 			Comment: []string{"Jump to target for packets with Bypass mark"},
 		},
+		generictables.Rule{
+			Match:   r.NewMatch().DestAddrType(generictables.AddrTypeLocal),
+			Action:  r.SetMaskedMark(tcdefs.MarkSeenSkipFIB, tcdefs.MarkSeenSkipFIB),
+			Comment: []string{"Mark traffic towards the host - it is TRACKed"},
+		},
 	)
 
 	if bypassHostConntrack {
 		rawRules = append(rawRules,
-			generictables.Rule{
-				Match:   r.NewMatch().DestAddrType(generictables.AddrTypeLocal),
-				Action:  r.SetMaskedMark(tcdefs.MarkSeenSkipFIB, tcdefs.MarkSeenSkipFIB),
-				Comment: []string{"Mark traffic towards the host - it is TRACKed"},
-			},
 			generictables.Rule{
 				Match:   r.NewMatch().NotDestAddrType(generictables.AddrTypeLocal),
 				Action:  r.GoTo(ChainRawUntrackedFlows),