bpf:nat: Fix DSR support for remote NodePort services

[gyutaeb]

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

---

Problem Statement

• When DSR and PER_PACKET_LB are enabled, connections fail if a client pod sends a request to a remote nodes's NodePort service while the server pod is located on the same node as the client.
• This issue causes the Cilium connectivity tests to fail.
• For more details, refer to bpf:nat When DSR and PER_PACKET_LB are enabled, cilium connectivity tests fail. #41962

Root Cause

• The root cause is that remote node only performs DNAT. This sets the packets's source address to client's node address, leading to a hairpin problem. Consequently, the originating node cannot perform the necessary REV NAT for the reply packets.
• The problem occurs through the following path:
  • Request
    • Client Pod -> Remote Node:nodePort
    • Local Node:sport -> Remote Node:nodePort (masquerading)
    • Local Node:sport -> Backend Pod:port (DSR DNAT)
    • Send the above packet over Geneve From Remote Node
    • Local Node route above packet to Backend Pod:port
  • Reply
    • BackendPod:port -> Local Node:sport
    • Route to loopback without REVNAT. Because of destination address is Local Node

Solution Summary

• To resolve this, remote service requests are now handled on the source node when DSR is enabled, similar to the behavior of socket-level load balancing.

Key Consideration

• If we choose to address this by egressing to a remote node, a REV NAT stage corresponding to the native device masquerading is required. Because REV NAT executes only on the native devices's ingress path, we conclude it is better to handle this on the local node--analogous to the BPF socket load-balancer. Performing REV NAT in cil_from_container would unnecessarily increase complexity.

Release Note

Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB
is disabled. When a pod accesses a NodePort service via a remote node's
IP (instead of the ClusterIP) and the selected backend resides on the
same node as the client, the connection fails due to missing reverse NAT
on the reply path.

[julianwiedmann]

👋 just to confirm - this is about the scenario where SocketLB is disabled, and a pod accesses a remote Nodeport service which selects a DSR backend on the client's node? I could have sworn that we already have an issue for this somewhere 🙂.

Ideally we'd solve this by addressing #34777.

[gyutaeb]

👋 just to confirm - this is about the scenario where SocketLB is disabled, and a pod accesses a remote Nodeport service which selects a DSR backend on the client's node? I could have sworn that we already have an issue for this somewhere 🙂.

Ideally we'd solve this by addressing #34777.

@julianwiedmann
👋 Thanks for confirming, Julian. Yes, exactly. This issue arises when remote Nodeport service selects a DSR backend on the client's node. I've reviewed a number of cases. My view align with #34777: the load balancing should happen at the source node, So I implemented this PR in that direction.

For the wildcard lookups, I preferred not to reuse the SocketLB functions, so I factored them into a separate lookup function.

[julianwiedmann]

(adding the preview label for now, since we currently don't have tests or IPv6 support)

[aditighag]

Thanks for your contribution, and the detailed PR description.
IIUC, there are two main changes in the PR: (1) Perform LB wildcard svc lookup and xlate for nodeport-vip:port at the source node for DSR. (2) Create CT mappings for the xlate'd traffic so that it can be reverse xlate'd.

A high-level question: Is there a reason why (1) is implemented only for DSR? Why not align it with the socket-LB implementation for all cases?

I’d also suggest extracting the service wildcard lookup code into a helper function that explicitly highlights the functionality (similar to socket-LB). This would make it easier to draw parallels with the socket-LB implementation for feature parity.

[gyutaeb]

@julianwiedmann @aditighag
Sorry for the delay. I've been tied up with CiliumCon NA preparations. I will take a look soon.

[gyutaeb]

A high-level question: Is there a reason why (1) is implemented only for DSR? Why not align it with the socket-LB implementation for all cases?

I’d also suggest extracting the service wildcard lookup code into a helper function that explicitly highlights the functionality (similar to socket-LB). This would make it easier to draw parallels with the socket-LB implementation for feature parity.

@aditighag
Thanks for the review!

Initially, I aimed to make the wildcard svc lookup generic, similar to socket-LB. However I wasn't fully confident it was safe to broaden the scope. The first iteration enables it only for DSR to keep the blast radius small. I agree that a generic approach is better. I will revise the patch to make the lookup generic.

[gyutaeb]

@julianwiedmann @aditighag
Thanks for your patience. I have addressed all your feedback.

1. Verified proper operation of GC for NAT entries.
2. Verified the RevNAT map mechanism in SocketLB.
3. Made the wildcard lookup function generic.
4. Added IPv6 support.
5. Rebased onto the latest main.

Could you please take a look again?

[gyutaeb]

@pchaigno
Thanks for testing.
It looks like many CI jobs failed during the provisioning and setup stages. I've rebase this branch on the latest main.
Could you please rerun the tests?

[gyutaeb]

(rebased branch again to facilitate testing)

[gyutaeb]

@pchaigno
I've found the cause of the failures. It looks like one of the C macro definitions changed when I rebase on the latest main. I'll fix it and update you here.

• https://github.com/cilium/cilium/actions/runs/19661099453/job/56307492058

2025-11-25T07:02:43.084954383Z time=2025-11-25T07:02:43.084671309Z level=error source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:219 msg="Failed to compile bpf_alignchecker.o: exit status 1" module=agent.datapath.loader compilerPID=59
2025-11-25T07:02:43.085012253Z time=2025-11-25T07:02:43.084800211Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg="In file included from /var/lib/cilium/bpf/bpf_alignchecker.c:38:" module=agent.datapath.loader
2025-11-25T07:02:43.085029323Z time=2025-11-25T07:02:43.084937022Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg="/var/lib/cilium/bpf/lib/lb.h:1789:21: error: use of undeclared identifier 'NODEPORT_PORT_MIN'" module=agent.datapath.loader
2025-11-25T07:02:43.085128155Z time=2025-11-25T07:02:43.085007873Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg=" 1789 |         if (service_port < NODEPORT_PORT_MIN || service_port > NODEPORT_PORT_MAX)" module=agent.datapath.loader
2025-11-25T07:02:43.085205446Z time=2025-11-25T07:02:43.085098574Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg="      |                            ^" module=agent.datapath.loader
2025-11-25T07:02:43.085288416Z time=2025-11-25T07:02:43.085150855Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg="/var/lib/cilium/bpf/lib/lb.h:1789:57: error: use of undeclared identifier 'NODEPORT_PORT_MAX'" module=agent.datapath.loader
2025-11-25T07:02:43.085334837Z time=2025-11-25T07:02:43.085270466Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg=" 1789 |         if (service_port < NODEPORT_PORT_MIN || service_port > NODEPORT_PORT_MAX)" module=agent.datapath.loader
2025-11-25T07:02:43.085454828Z time=2025-11-25T07:02:43.085339147Z level=warn source=/go/src/github.com/cilium/cilium/pkg/datapath/loader/compile.go:227 msg="      |   

[julianwiedmann]

Thank you, @julianwiedmann. The thorough discussions and feedback were invaluable and really helped improve the quality of this patch. I appreciate all your support throughout the process :)

Happy to help, this was not an easy one :).

I think we should try & backport this to v1.19 as well - but maybe let it soak in main for a few weeks. I'll add the necessary labels. Given that this is a bug, we should also add a release-note to the PR description that describes the user-visible impact (what misbehavior would a user observe, and what conditions are required to hit it). I've added a place holder for now, could you give that a try please? You can look at old PRs with kind/bug for inspiration.

[gyutaeb]

I think we should try & backport this to v1.19 as well - but maybe let it soak in main for a few weeks. I'll add the necessary labels. Given that this is a bug, we should also add a release-note to the PR description that describes the user-visible impact (what misbehavior would a user observe, and what conditions are required to hit it). I've added a place holder for now, could you give that a try please? You can look at old PRs with kind/bug for inspiration.

@julianwiedmann I've updated the PR description with the release note as requested, and added a diagram to illustrate the issue. Please let me know if it looks good! I'll prepare the backport to v1.19 after soak period.

[julianwiedmann]

I think we should try & backport this to v1.19 as well - but maybe let it soak in main for a few weeks. I'll add the necessary labels. Given that this is a bug, we should also add a release-note to the PR description that describes the user-visible impact (what misbehavior would a user observe, and what conditions are required to hit it). I've added a place holder for now, could you give that a try please? You can look at old PRs with kind/bug for inspiration.

@julianwiedmann I've updated the PR description with the release note as requested, and added a diagram to illustrate the issue. Please let me know if it looks good! I'll prepare the backport to v1.19 after soak period.

Thank you! I think we should also emphasize that this (1) affects in-cluster connectivity (where folks could/should use the ClusterIP), and (2) only happens when SocketLB is disabled.

[gyutaeb]

I think we should try & backport this to v1.19 as well - but maybe let it soak in main for a few weeks. I'll add the necessary labels. Given that this is a bug, we should also add a release-note to the PR description that describes the user-visible impact (what misbehavior would a user observe, and what conditions are required to hit it). I've added a place holder for now, could you give that a try please? You can look at old PRs with kind/bug for inspiration.

@julianwiedmann I've updated the PR description with the release note as requested, and added a diagram to illustrate the issue. Please let me know if it looks good! I'll prepare the backport to v1.19 after soak period.

Thank you! I think we should also emphasize that this (1) affects in-cluster connectivity (where folks could/should use the ClusterIP), and (2) only happens when SocketLB is disabled.

@julianwiedmann Thanks for the feedback! Updated the release note to clarify that this only affects in-cluster NodePort access (rather than ClusterIP) with SocketLB disabled.

[julianwiedmann]

From unrelated discussion - we could also check for SVC_FLAG_NODEPORT here, to be absolutely sure of what we're handling. Assuming that the controlplane sets things up as expected.

Maybe something to look into when relaxing the DSR requirement.

[ldelossa]

Nice change, while policy changes will be needed to communicate thing, translation at source fits our other models much better 👍.

[ldelossa]

LGTM.

[gyutaeb]

@ldelossa Thanks for the review and the kind words! I'm really glad to hear that this "translation at source" approach aligns well with the broader datapath architecture 👍.