From 0d69dec2dd3ea7d6957527b941c57d5c4b5c7b15 Mon Sep 17 00:00:00 2001
From: Federico Cabiddu
Date: Fri, 3 Apr 2026 12:35:44 +0200
Subject: [PATCH] MT#55283 kernel-module: clear skb->mark before forwarding to fix Cilium routing
Change-Id: Ibac5e897ed79d483ae4e8c4c3417fdd78a35f591
(cherry picked from commit 6b02c024b1f5d2a9a90b33c4e43686a0afd404ff)
(cherry picked from commit f21104e0845f6778ca40d17892a40a2a4bf5f26b)
---
 kernel-module/xt_RTPENGINE.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index 4673aee4c..05c067080 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -4900,6 +4900,12 @@ static int send_proxy_packet4(struct sk_buff *skb, struct re_address *src, struc
 };
 skb->protocol = htons(ETH_P_IP);
+ /* Clear any mark inherited from the received packet. On Cilium/GKE
+ * DPv2 nodes, ingress BPF stamps identity/decrypt marks on incoming
+ * skbs; leaving them in place can match an ip rule (e.g.
+ * "fwmark 0x200/0xf00 → table 2004") and send forwarded packets into
+ * a Cilium-internal routing table that has no default gateway. */
+ skb->mark = 0;
 net = NULL;
 if (par)
@@ -4992,6 +4998,9 @@ static int send_proxy_packet6(struct sk_buff *skb, struct re_address *src, struc
 memcpy(&ih->daddr, dst->u.ipv6, sizeof(ih->daddr));
 skb->protocol = htons(ETH_P_IPV6);
+ /* Same reasoning as send_proxy_packet4: clear inherited Cilium ingress
+ * marks to avoid misrouting via Cilium-internal tables. */
+ skb->mark = 0;
 net = NULL;
 if (par)
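Review bot: The `skb->mark = 0;` added in send_proxy_packet4, and again in the send_proxy_packet6 hunk, is unconditional, so it discards every mark the received skb carried, not only the Cilium identity/decrypt marks the comment describes. Anything on the egress path that keys on the mark (`ip rule fwmark` policy routing, tc classification, netfilter mark matches used as a filtering decision) would presumably stop matching forwarded media, with no log or counter showing why. Consider gating the reset behind a load-time switch (name hypothetical), e.g. `if (clear_fwd_mark) skb->mark = 0;`, or at least extending the comment with `Note: marks set deliberately upstream are dropped too; egress rules matching on fwmark will not see forwarded packets.` Both function bodies start and end outside their hunks, so whether a mark is re-applied later cannot be seen here.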