Cilium Feature Proposal
Is your proposed feature related to a problem?
This issue occurs when using Cilium's kube-proxy replacement. When a load balancer service is created in Kubernetes, and the load balancer establishes the connection to the node through an L3 IPIP tunnel (L3 DSR), the load balancer service does not work. This issue has occurred in our private cloud environment.
In the case of 'No kube-proxy replacement', there are no issues, because kube-proxy operates after the decapsulation on tunl0. However, in the case of kube-proxy replacement, issues arise. This is because the bpf_host.o of the eth0 ingress tc filter runs before the tunnel device of eth0. from-netdev considers only the outer IP header to determine whether a packet belongs to a service or not. Therefore, the service does not work.
Describe your proposed solution
To resolve this issue, we need to enhance bpf_host.c to consider the inner tuple. When the inner IP header and L4 tuple match a service in bpf_host.c, performing the decapsulation there resolves the issue. This approach has successfully resolved the issue in our private cloud. I would appreciate it if you could review the code in #33026. Thank you.
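As an added illustration (not code from this issue, from #33026, or from Cilium's bpf_host.c), the following user-space C function shows the lookup the proposal describes: walk the outer IPv4 header, require IPIP, then match the inner destination IP and TCP port against a service table before deciding where decapsulation would begin. The `struct svc` table, the addresses and the packet builder are constructed for this example; a real BPF implementation would use the datapath's own service map and helpers.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_IPIP, IPPROTO_TCP, htons/ntohl */
/* Minimal IPv4 header (RFC 791); memcpy'd out of the buffer because it is unaligned there. */
struct ip4_hdr { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto; uint16_t csum; uint32_t saddr, daddr; };
/* Hypothetical service frontend (assumed shape for this example): VIP and port, host byte order. */
struct svc { uint32_t vip; uint16_t port; };
/* Walk outer IPv4 -> IPIP -> inner IPv4 -> TCP. Return the offset of the inner IP header
 * (where decapsulation would start) if the inner dst IP:port hits a service, else -1. */
int ipip_inner_svc_offset(const uint8_t *pkt, size_t len, const struct svc *svcs, size_t n)
{
    struct ip4_hdr outer, inner; uint16_t dport;
    if (len < sizeof outer) return -1;
    memcpy(&outer, pkt, sizeof outer);
    size_t ohl = (outer.vhl & 0xf) * 4;
    if ((outer.vhl >> 4) != 4 || ohl < 20 || outer.proto != IPPROTO_IPIP) return -1;
    if (len < ohl + sizeof inner) return -1;
    memcpy(&inner, pkt + ohl, sizeof inner);
    size_t ihl = (inner.vhl & 0xf) * 4;
    if ((inner.vhl >> 4) != 4 || ihl < 20 || inner.proto != IPPROTO_TCP) return -1;
    if (len < ohl + ihl + 4) return -1;              /* need TCP src and dst port */
    memcpy(&dport, pkt + ohl + ihl + 2, sizeof dport);
    for (size_t i = 0; i < n; i++)
        if (svcs[i].vip == ntohl(inner.daddr) && svcs[i].port == ntohs(dport))
            return (int)ohl;                         /* service hit on the inner tuple */
    return -1;                                       /* an outer-only lookup never gets here */
}
/* Constructed packet: outer IPIP from the load balancer to the node, inner TCP to the VIP. */
static void put_ip4(uint8_t *p, uint8_t proto, uint32_t src, uint32_t dst, uint16_t total)
{
    struct ip4_hdr h = { .vhl = 0x45, .ttl = 64, .proto = proto, .len = htons(total),
                         .saddr = htonl(src), .daddr = htonl(dst) };
    memcpy(p, &h, sizeof h);
}
size_t build_ipip_tcp(uint8_t *buf, uint32_t lb, uint32_t node, uint32_t vip, uint16_t dport)
{
    memset(buf, 0, 60);
    put_ip4(buf, IPPROTO_IPIP, lb, node, 60);        /* 20-byte outer header, proto 4 */
    put_ip4(buf + 20, IPPROTO_TCP, 0xc0a80064u, vip, 40); /* inner src 192.168.0.100 */
    memcpy(buf + 40, (uint16_t[]){ htons(40000), htons(dport) }, 4); /* TCP ports only */
    return 60;
}
/* Convenience for the reader: one constructed service 10.96.0.1:80, LB 10.0.0.1, node 10.10.0.5. */
int lookup_on_constructed(uint32_t vip, uint16_t dport)
{
    static const struct svc svcs[] = { { 0x0a600001u, 80 } };
    uint8_t pkt[60]; size_t n = build_ipip_tcp(pkt, 0x0a000001u, 0x0a0a0005u, vip, dport);
    return ipip_inner_svc_offset(pkt, n, svcs, 1);
}
```

The outer destination is the node address, so a lookup keyed on the outer header alone finds no service; only the inner tuple identifies the VIP.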