Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.17.3 and lower than v1.18.0

What happened?

As stated in #39266 (reply in thread)

It's a bug in the compat code - when lb*_lookup_service() does the lookup for local backends (LB_LOOKUP_SCOPE_INT), it also needs to consider the protocol differentation (and perform two lookups instead of one)

How can we reproduce the issue?

1. Original map entry looked like this:

# cilium service list | grep 64:ff9b::dead:beef
4042   [64:ff9b::dead:beef]:443/ANY                        LoadBalancer    1 => [<BACKEND_IP>]:443/ANY (active)

2. Upgrade to v1.17.2

3. Update Service with externalTrafficPolicy: Local, it becomes:

4042   [64:ff9b::dead:beef]:443/ANY                        LoadBalancer
9460   [64:ff9b::dead:beef]:443/TCP/i                      LoadBalancer    1 => [<BACKEND_IP>]:443/ANY (active)

Here traffic being droped because there is no allow outside ns egress policy
xx drop (Policy denied by denylist) flow 0x9b60ede to endpoint 0, ifindex 248, file bpf_lxc.c:807, , identity 276893->16777344: [<DEBUG_POD_IP>]:41344 -> [64:ff9b::dead:beef]:443 tcp SYN

4. Recovered after service being recreated (or deleted from bpf map on cilium-agent) like this:

9464   [64:ff9b::dead:beef]:443/TCP                         LoadBalancer
9465   [64:ff9b::dead:beef]:443/TCP/i                       LoadBalancer    1 => [<BACKEND_IP>]:443/TCP

Cilium Version

1.17.2

Kernel Version

6.6.37

Kubernetes Version

1.29.1

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct