fix(datapath): ignore link-local IPv6 addresses for NodePort binding #44778

Merged: joestringer merged 1 commit into cilium:main from Bigdelle:nodeport-issue-44436 on Mar 22, 2026

Bigdelle (Contributor) commented Mar 13, 2026

Currently, in environments with dual-stack or IPv6 enabled, NodePorts can fail to route traffic because the agent incorrectly binds the IPv6 frontend to the node's unroutable link-local address (e.g., fe80::) instead of the global IPv6 address.

When dumping the eBPF load balancer maps (`cilium-dbg bpf lb list`), the NodePort incorrectly points to the link-local address:

```
[fe80::4001:aff:fe0b:102]:30884/TCP (0)   [::]:0 (16) (0) [NodePort]
```

In `pkg/datapath/tables/node_address.go` (`getAddressesFromDevice`), the agent evaluates the device's IPv6 addresses. Because a link-local IP isn't considered "public", the agent tags it as a valid "private" IP.

Later in the function, the fallback logic states: "Pick the NodePort addresses. Prefer private addresses if possible." Because of this, the unroutable link-local address wins the election and steals the NodePort binding from the actual global IPv6 address.

This fix should also be backported to 1.19

Fixes: #44436

@Bigdelle Bigdelle requested a review from a team as a code owner March 13, 2026 19:59
@Bigdelle Bigdelle requested a review from ldelossa March 13, 2026 19:59
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 13, 2026
jrife (Contributor) commented Mar 13, 2026

/test

In `getAddressesFromDevice`, IPv6 link-local addresses (e.g., fe80::)
were not being explicitly filtered out. Because they are not public,
the agent categorized them as private IPs. Since the fallback logic
prefers private IPs for NodePort addresses, the unroutable link-local
address would win the election over the routable global IPv6 address.

This commit adds an `!IsLinkLocalUnicast()` filter to ensure link-local
addresses are ignored during the NodePort IP selection process, allowing
the global IPv6 address to be correctly selected and populated in the
eBPF maps.

Added unit tests to verify the link-local filtering behavior.

Fixes: cilium#44436

Signed-off-by: Ben Bigdelle <bigdelle@google.com>
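
A simplified model of the selection behaviour described in the PR description and commit message above, added here as an illustration; it is not Cilium's `getAddressesFromDevice` code. The helpers `isPublic`, `pickNodePortAddr` and `pick`, and the global address `2001:db8::10`, are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isPublic is a simplified stand-in (assumption) for the agent's public-address
// test: loopback, multicast, link-local, RFC 1918 and ULA are all non-public.
func isPublic(a netip.Addr) bool {
	return a.IsGlobalUnicast() && !a.IsPrivate()
}

// pickNodePortAddr models "prefer private addresses if possible" over a
// device's addresses. skipLinkLocal toggles the !IsLinkLocalUnicast() filter.
func pickNodePortAddr(addrs []netip.Addr, skipLinkLocal bool) netip.Addr {
	var private, public netip.Addr // zero value means "none found"
	for _, a := range addrs {
		switch {
		case skipLinkLocal && a.IsLinkLocalUnicast():
			// filtered: never a NodePort candidate
		case isPublic(a) && !public.IsValid():
			public = a
		case !isPublic(a) && !private.IsValid():
			private = a // fe80::/10 lands here when the filter is off
		}
	}
	if private.IsValid() {
		return private
	}
	return public
}

// pick is a string wrapper so results are easy to print and compare.
func pick(addrs []string, skipLinkLocal bool) string {
	parsed := make([]netip.Addr, 0, len(addrs))
	for _, s := range addrs {
		parsed = append(parsed, netip.MustParseAddr(s))
	}
	return pickNodePortAddr(parsed, skipLinkLocal).String()
}

func main() {
	// Constructed device: link-local address from the report plus a global one.
	dev := []string{"fe80::4001:aff:fe0b:102", "2001:db8::10"}
	fmt.Println("without filter:", pick(dev, false))
	fmt.Println("with filter:   ", pick(dev, true))
}
```
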
@Bigdelle Bigdelle force-pushed the nodeport-issue-44436 branch from 3ee5e5f to aee047f Compare March 13, 2026 20:38
cilium-ariane bot commented Mar 13, 2026

/test

@jrife jrife added needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch area/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Mar 19, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 19, 2026
@HadrienPatte HadrienPatte removed the request for review from ldelossa March 21, 2026 11:13
@HadrienPatte HadrienPatte added dont-merge/bad-bot To prevent MLH from marking ready-to-merge. and removed dont-merge/bad-bot To prevent MLH from marking ready-to-merge. labels Mar 21, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 21, 2026
@joestringer joestringer added this pull request to the merge queue Mar 22, 2026
Merged via the queue into cilium:main with commit 5b2dbd2 Mar 22, 2026
79 checks passed
julianwiedmann (Member) commented

@Bigdelle thank you! Curious, were you able to pin-point whether this was a regression from #43996 ?

@julianwiedmann julianwiedmann added feature/ipv6 Relates to IPv6 protocol support area/loadbalancing Impacts load-balancing and Kubernetes service implementations labels Mar 23, 2026
@tklauser tklauser mentioned this pull request Mar 24, 2026
5 tasks
@tklauser tklauser added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Mar 24, 2026
Bigdelle (Contributor, Author) commented Mar 24, 2026

> @Bigdelle thank you! Curious, were you able to pin-point whether this was a regression from #43996 ?

I didn't identify the specific commit that led to this regression, but AFAIK it was the commit that migrated from this heuristic and architecture fix (#37839) which fixes the same issue that this code does (#36752)

julianwiedmann (Member) commented

> > @Bigdelle thank you! Curious, were you able to pin-point whether this was a regression from #43996 ?
>
> I didn't identify the specific commit that led to this regression, but AFAIK it was the commit that migrated from this heuristic and architecture fix (#37839) which fixes the same issue that this code does (#36752)

Ok I believe the regression from v1.18 to v1.19 is caused by #41778. Which messes with the skip condition here, and causes us to consider the link-local address as candidate for the NodePort address on the device.

@Bigdelle does that make sense? I think your fix is still the right move (even for older releases) - even if someone intentionally changes the scope for address discovery, they still don't want to use a link-local address for NodePort (or BPF masq) purposes.

@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Mar 25, 2026

Linked issue: From 1.18.4 upgrade to 1.19 breaks nodeport ipv6 functionality