Is there an existing issue for this?

• I have searched the existing issues

What happened?

In certain configs (basically when the node-to-node IPv4 address is also chosen as IPV4_MASQUERADE) the masquerade code in to-netdev decides that tunnel traffic is conflicting with masqueraded traffic. We thus need to reserve the packet's source port, and potentially even SNAT it.

Creating SNAT entries for tunnel traffic makes little sense - in particular as the replies will not be addressed to the packet's source port, but to TUNNEL_PORT. Doing it anyway can result in source port exhaustion.

We should improve this by detecting such tunnel traffic, and bypassing the masquerading logic. Either by peeking into the packet headers (along with checking the dst's security identity), or by passing a flag down from to-overlay that marks all tunnel traffic. This flag would need to be tolerated in the relevant iptables rule.

Cilium Version

v1.14

Kernel Version

any

Kubernetes Version

any

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Code of Conduct

• I agree to follow this project's Code of Conduct