
datapath: Fix BPF masquerade IP selection with multiple IPs per interface#43996

Merged
julianwiedmann merged 1 commit into cilium:main from buildio:fix-masquerade-ip-selection-41866
Jan 29, 2026

Conversation

@usiegj00
Contributor

@usiegj00 usiegj00 commented Jan 25, 2026

Summary

When a network device has multiple IP addresses (both public and private), BPF masquerading was incorrectly selecting the Kubernetes Node IP even when it was a private address and a public address was available on the same interface.

The issue was introduced in PR #33629 which added K8s Node IP prioritization. The code was setting both ipv4PublicIndex and ipv4PrivateIndex to the K8s Node IP index, effectively forcing it to be selected regardless of public/private status. This broke the documented "prefer public over private" logic for Primary address selection used by BPF masquerading.

The fix ensures that K8s Node IP prioritization only applies within its own category (public or private):

  • If K8s Node IP is public, it takes precedence over other public IPs
  • If K8s Node IP is private, it takes precedence over other private IPs
  • But public IPs still take precedence over private IPs for masquerading

This restores the correct behavior where egress traffic is masqueraded using the public IP address when available, which is required for proper routing in environments with both public and private IPs on the same interface.

Fixes: #41866

Fix BPF masquerade selecting private Node IP when public IP is available on the same interface

Test plan

  • Unit tests updated and passing
  • Deployed and tested in a bare metal cluster suffering from this issue; confirmed the fix resolves the problem
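The selection rule the description spells out, as an added example in Go that is not Cilium's code: `pickPrimary` is a hypothetical helper that runs in either the pre-fix or the fixed mode, so both behaviours can be compared on a constructed interface that carries a private Node IP next to a public address.

```go
package main

import (
	"fmt"
	"net/netip"
)

// pickPrimary implements the PR's selection rule for one interface: prefer a
// public address over a private one, and let the Kubernetes Node IP outrank
// other addresses of its own kind. buggy=true reproduces the defect the PR
// fixes (Node IP recorded as both the public and the private candidate).
// Added example, not Cilium's code.
func pickPrimary(addrs []netip.Addr, nodeIP netip.Addr, buggy bool) (netip.Addr, bool) {
	publicIdx, privateIdx := -1, -1
	for i, a := range addrs {
		if !a.IsGlobalUnicast() { // loopback, link-local, multicast never masquerade
			continue
		}
		switch {
		case a == nodeIP && buggy:
			publicIdx, privateIdx = i, i // defect: Node IP forced into both categories
		case a == nodeIP && a.IsPrivate():
			privateIdx = i // fixed: Node IP only outranks other private addresses
		case a == nodeIP:
			publicIdx = i // fixed: Node IP only outranks other public addresses
		case a.IsPrivate() && privateIdx < 0:
			privateIdx = i // first private address seen
		case !a.IsPrivate() && publicIdx < 0:
			publicIdx = i // first public address seen
		}
	}
	// Public beats private regardless of which one carries the Node IP.
	if publicIdx >= 0 {
		return addrs[publicIdx], true
	}
	if privateIdx >= 0 {
		return addrs[privateIdx], true
	}
	return netip.Addr{}, false
}

func main() {
	// Constructed interface: private Node IP plus a public address (TEST-NET-3).
	addrs := []netip.Addr{netip.MustParseAddr("10.0.0.5"), netip.MustParseAddr("203.0.113.7")}
	before, _ := pickPrimary(addrs, addrs[0], true)
	after, _ := pickPrimary(addrs, addrs[0], false)
	fmt.Println("before fix:", before, "after fix:", after) // 10.0.0.5 vs 203.0.113.7
}
```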

@usiegj00 usiegj00 requested a review from a team as a code owner January 25, 2026 05:01
@usiegj00 usiegj00 requested a review from joamaki January 25, 2026 05:01
@maintainer-s-little-helper

Commit 1d86d3f does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jan 25, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jan 25, 2026
…face

When a network device has multiple IP addresses (both public and
private), BPF masquerading was incorrectly selecting the Kubernetes
Node IP even when it was a private address and a public address was
available on the same interface.

The issue was introduced in PR cilium#33629 which added K8s Node IP
prioritization. The code was setting both ipv4PublicIndex and
ipv4PrivateIndex to the K8s Node IP index, effectively forcing
it to be selected regardless of public/private status. This broke
the documented "prefer public over private" logic for Primary
address selection used by BPF masquerading.

The fix ensures that K8s Node IP prioritization only applies within
its own category (public or private):
- If K8s Node IP is public, it takes precedence over other public IPs
- If K8s Node IP is private, it takes precedence over other private IPs
- But public IPs still take precedence over private IPs for masquerading

This restores the correct behavior where egress traffic is masqueraded
using the public IP address when available, which is required for
proper routing in environments with both public and private IPs on
the same interface.

Fixes: cilium#41866
Signed-off-by: Jonathan Siegel <248302+usiegj00@users.noreply.github.com>
@usiegj00 usiegj00 force-pushed the fix-masquerade-ip-selection-41866 branch from 1d86d3f to 0dddd39 Compare January 25, 2026 05:23
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jan 25, 2026
@joamaki joamaki added the release-note/bug This PR fixes an issue in a previous release of Cilium. label Jan 26, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 26, 2026
Contributor

@joamaki joamaki left a comment


Thanks! Please add a release note label to the PR description to be included in release notes.

@joamaki
Contributor

joamaki commented Jan 26, 2026

/test

@usiegj00
Contributor Author

Thank you @joamaki -- let me know if there's anything else needed. We were suffering this in our own cluster and glad to see it get accepted!

Member

@julianwiedmann julianwiedmann left a comment


Thank you, lgtm!

@julianwiedmann julianwiedmann added this pull request to the merge queue Jan 29, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 29, 2026
Merged via the queue into cilium:main with commit a598dfd Jan 29, 2026
78 checks passed
@julianwiedmann julianwiedmann added affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Jan 30, 2026
mentos1386 added a commit to tjo-space/tjo-cloud-infrastructure that referenced this pull request Jan 31, 2026
Not yet working. Have to wait for cilium/cilium#43996 to be released.
@rastislavs rastislavs mentioned this pull request Feb 2, 2026
@rastislavs rastislavs added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 2, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Feb 2, 2026
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
@tenyo

tenyo commented Mar 4, 2026

Are there plans to backport this to v1.16, v1.17 and v1.18?

@tenyo

tenyo commented Mar 9, 2026

@julianwiedmann Do you know if this fix will be added to the next patch releases of 1.16, 1.17 and 1.18? I saw it's been backported to 1.19 but we're currently stuck on 1.15 and we need it in all the intermediate cilium versions in order to upgrade to 1.19. Thank you!

@julianwiedmann
Member

@julianwiedmann Do you know if this fix will be added to the next patch releases of 1.16, 1.17 and 1.18? I saw it's been backported to 1.19 but we're currently stuck on 1.15 and we need it in all the intermediate cilium versions in order to upgrade to 1.19. Thank you!

v1.16 is not getting any further patch releases.

You can look at the backport policy here. Imho this shouldn't go back further, those branches are meant to be fairly stable and not have big behavioral changes at this point of their lifetime.

If you strictly need this change for your upgrade and don't have any other workarounds, I'd suggest to build your own v1.16 / v1.17 / v1.18 images and apply a backport.


Labels

affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. feature/bpf-masquerading kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

No open projects
Status: Released

Development

Successfully merging this pull request may close these issues.

Cilium 1.16 BPF Masquerade picks different host IP address (when using multiple IPs per interface)

5 participants