proxy/routes: Remove fromEgressProxyRule for cilium downgrade

[ upstream commit: 53133ff ] [ backporter's note: v1.14 uses bpf/init.sh to install proxy rules so we have to do a customized backport. ] Although we don't install fromEgressProxyRule for now, this commit insists on removing it to make sure further downgrade can go smoothly. Soon We'll have another PR to install fromEgressProxyRule, and cilium downgrade from that PR to branch tip (patch downgrade, 1.X.Y -> 1.X.{Y-1}) will be broken if we don't handle the new ip rule carefullly. Without this patch, downgrade from higher version will leave fromEgressProxyRule on the lower version cilium, cluster will be in a wrong status of "having stale ip rule + not having other necessary settings (iptables)", breaking the connectivity. Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com> Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
cilium · Apr 26, 2024 · 1142519 · 1142519
1 parent ca0b0f8
commit 1142519
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/bpf/init.sh b/bpf/init.sh
@@ -135,6 +135,9 @@ function setup_proxy_rules()
 					ip -4 rule delete $from_ingress_rulespec 2> /dev/null || true
 				fi
 			fi
+                        if [ ! -z "$(ip -4 rule list $from_egress_rulespec)" ]; then
+                                ip -4 rule delete $from_egress_rulespec 2> /dev/null || true
+                        fi
 		fi
 
 		# Traffic to the host proxy is local
@@ -168,6 +171,9 @@ function setup_proxy_rules()
 					ip -6 rule delete $from_ingress_rulespec 2> /dev/null || true
 				fi
 			fi
+                        if [ ! -z "$(ip -6 rule list $from_egress_rulespec)" ]; then
+                                ip -6 rule delete $from_egress_rulespec 2> /dev/null || true
+                        fi
 		fi
 
 		IP6_LLADDR=$(ip -6 addr show dev $HOST_DEV2 | grep inet6 | head -1 | awk '{print $2}' | awk -F'/' '{print $1}')