datapath: Fix BPF masquerade IP selection with multiple IPs per interface

usiegj00 · julianwiedmann · commit a598dfd64fb3 · 2026-01-29T18:13:13.000Z
When a network device has multiple IP addresses (both public and private), BPF masquerading was incorrectly selecting the Kubernetes Node IP even when it was a private address and a public address was available on the same interface. The issue was introduced in PR #33629 which added K8s Node IP prioritization. The code was setting both ipv4PublicIndex and ipv4PrivateIndex to the K8s Node IP index, effectively forcing it to be selected regardless of public/private status. This broke the documented "prefer public over private" logic for Primary address selection used by BPF masquerading. The fix ensures that K8s Node IP prioritization only applies within its own category (public or private): - If K8s Node IP is public, it takes precedence over other public IPs - If K8s Node IP is private, it takes precedence over other private IPs - But public IPs still take precedence over private IPs for masquerading This restores the correct behavior where egress traffic is masqueraded using the public IP address when available, which is required for proper routing in environments with both public and private IPs on the same interface. Fixes: #41866 Signed-off-by: Jonathan Siegel <248302+usiegj00@users.noreply.github.com>
diff --git a/pkg/datapath/tables/node_address.go b/pkg/datapath/tables/node_address.go
@@ -493,9 +493,17 @@ func (n *nodeAddressController) getAddressesFromDevice(dev *Device, k8sIPv4, k8s
 		isPublic := ip.IsPublicAddr(addr.Addr.AsSlice())
 		if addr.Addr.Is4() {
 			if addr.Addr.Unmap() == k8sIPv4.Unmap() {
-				// Address matches the K8s Node IP. Force this to be picked.
-				ipv4PublicIndex = index
-				ipv4PrivateIndex = index
+				// Address matches the K8s Node IP. Prioritize it within its
+				// category (public or private) for NodePort address selection.
+				// We don't force it to both categories, as that would break
+				// the "prefer public over private" logic for Primary address
+				// selection used by BPF masquerading.
+				// See: https://github.com/cilium/cilium/issues/41866
+				if isPublic {
+					ipv4PublicIndex = index
+				} else {
+					ipv4PrivateIndex = index
+				}
 			}
 			if ipv4PublicIndex < 0 && isPublic {
 				ipv4PublicIndex = index
@@ -507,9 +515,17 @@ func (n *nodeAddressController) getAddressesFromDevice(dev *Device, k8sIPv4, k8s
 
 		if addr.Addr.Is6() {
 			if addr.Addr == k8sIPv6 {
-				// Address matches the K8s Node IP. Force this to be picked.
-				ipv6PublicIndex = index
-				ipv6PrivateIndex = index
+				// Address matches the K8s Node IP. Prioritize it within its
+				// category (public or private) for NodePort address selection.
+				// We don't force it to both categories, as that would break
+				// the "prefer public over private" logic for Primary address
+				// selection used by BPF masquerading.
+				// See: https://github.com/cilium/cilium/issues/41866
+				if isPublic {
+					ipv6PublicIndex = index
+				} else {
+					ipv6PrivateIndex = index
+				}
 			}
 			if ipv6PublicIndex < 0 && isPublic {
 				ipv6PublicIndex = index
diff --git a/pkg/datapath/tables/node_address_test.go b/pkg/datapath/tables/node_address_test.go
@@ -215,26 +215,36 @@ var nodeAddressTests = []struct {
 	},
 
 	{
-		name: "node IP preferred",
+		// Test that K8s Node IP is prioritized within its category (public/private)
+		// but doesn't override the public/private preference itself.
+		// - testNodeIPv4 (172.16.0.1) is private, should be prioritized among private IPs
+		// - testNodeIPv6 (2222::1) is public, should be prioritized among public IPs
+		name: "k8s node IP prioritized within category",
 		addrs: []DeviceAddress{
+			// IPv4: multiple private IPs + one public
 			{
-				Addr:  netip.MustParseAddr("10.0.0.1"),
+				Addr:  netip.MustParseAddr("10.0.0.1"), // private, but not K8s IP
 				Scope: RT_SCOPE_UNIVERSE,
 			},
 			{
-				Addr:  netip.MustParseAddr("1.1.1.1"),
+				Addr:  netip.MustParseAddr("1.1.1.1"), // public
 				Scope: RT_SCOPE_UNIVERSE,
 			},
 			{
-				Addr:  testNodeIPv4,
+				Addr:  testNodeIPv4, // private K8s Node IP (172.16.0.1)
 				Scope: RT_SCOPE_UNIVERSE,
 			},
+			// IPv6: multiple public IPs + one private
 			{
-				Addr:  netip.MustParseAddr("2001:db8::1"),
+				Addr:  netip.MustParseAddr("2001:db8::1"), // private (documentation prefix)
+				Scope: RT_SCOPE_UNIVERSE,
+			},
+			{
+				Addr:  netip.MustParseAddr("2600:beef::1"), // public, but not K8s IP
 				Scope: RT_SCOPE_UNIVERSE,
 			},
 			{
-				Addr:  testNodeIPv6,
+				Addr:  testNodeIPv6, // public K8s Node IP (2222::1)
 				Scope: RT_SCOPE_UNIVERSE,
 			},
 		},
@@ -244,20 +254,23 @@ var nodeAddressTests = []struct {
 			ciliumHostIPLinkScoped,
 			netip.MustParseAddr("10.0.0.1"),
 			netip.MustParseAddr("1.1.1.1"),
-			netip.MustParseAddr("2001:db8::1"),
 			testNodeIPv4,
+			netip.MustParseAddr("2001:db8::1"),
+			netip.MustParseAddr("2600:beef::1"),
 			testNodeIPv6,
 		},
 
+		// Primary prefers public; among public IPs, K8s Node IP is prioritized
 		wantPrimary: []netip.Addr{
 			ciliumHostIP,
-			testNodeIPv4,
-			testNodeIPv6,
+			netip.MustParseAddr("1.1.1.1"), // IPv4: only public IP
+			testNodeIPv6,                   // IPv6: K8s Node IP prioritized among public
 		},
 
+		// NodePort prefers private; among private IPs, K8s Node IP is prioritized
 		wantNodePort: []netip.Addr{
-			testNodeIPv4,
-			testNodeIPv6,
+			testNodeIPv4,                       // IPv4: K8s Node IP prioritized among private
+			netip.MustParseAddr("2001:db8::1"), // IPv6: only private IP
 		},
 	},
 }
