From 4b236aaaf82813feb93c13bcaae0646fcdab996e Mon Sep 17 00:00:00 2001 From: Federico Cabiddu Date: Fri, 3 Apr 2026 12:35:44 +0200 Subject: [PATCH] MT#55283 kernel-module: clear skb->mark before forwarding to fix Cilium routing Change-Id: Ibac5e897ed79d483ae4e8c4c3417fdd78a35f591 (cherry picked from commit 6b02c024b1f5d2a9a90b33c4e43686a0afd404ff) (cherry picked from commit 6dd2fab79ba9450434b193cb39b190a51d948182) --- kernel-module/nft_rtpengine.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel-module/nft_rtpengine.c b/kernel-module/nft_rtpengine.c index 0c9f4b74f..61e38af54 100644 --- a/kernel-module/nft_rtpengine.c +++ b/kernel-module/nft_rtpengine.c @@ -5006,6 +5006,12 @@ static int send_proxy_packet4(struct sk_buff *skb, const struct re_address *src, }; skb->protocol = htons(ETH_P_IP); + /* Clear any mark inherited from the received packet. On Cilium/GKE + * DPv2 nodes, ingress BPF stamps identity/decrypt marks on incoming + * skbs; leaving them in place can match an ip rule (e.g. + * "fwmark 0x200/0xf00 → table 2004") and send forwarded packets into + * a Cilium-internal routing table that has no default gateway. */ + skb->mark = 0; #if (LINUX_VERSION_CODE >= KERNEL_VERSION(6,10,0)) || \ (defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE >= KERNEL_VERSION(5,14,0) && \ @@ -5093,6 +5099,9 @@ static int send_proxy_packet6(struct sk_buff *skb, const struct re_address *src, memcpy(&ih->daddr, dst->u.ipv6, sizeof(ih->daddr)); skb->protocol = htons(ETH_P_IPV6); + /* Same reasoning as send_proxy_packet4: clear inherited Cilium ingress + * marks to avoid misrouting via Cilium-internal tables. */ + skb->mark = 0; memset(&fl6, 0, sizeof(fl6)); memcpy(&fl6.saddr, src->u.ipv6, sizeof(fl6.saddr));
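Review bot: The unconditional `skb->mark = 0;` in send_proxy_packet4 wipes every fwmark on the forwarded packet, not only the Cilium ingress stamps the comment describes, so a deployment that deliberately marks RTP with nft/iptables for policy routing (pinning media to a secondary uplink on a multi-homed host) or for per-flow accounting silently loses that on every packet the module forwards. A narrower fix would be a module parameter holding the mask of mark bits to clear (default 0 keeps today's behaviour, a Cilium node sets 0xf00 or similar) applied as `skb->mark &= ~mark_clear_mask;`, with the behaviour change stated in the commit message. The reset only fixes routing if the lookup that follows the `#if` block actually reads skb->mark (it does when the route is rebuilt via ip_route_me_harder, which seeds its flowi4 from the mark) — presumably that is the case here, but it is not visible in the hunk and worth a one-line note in the comment, e.g. `/* must precede the route lookup below, which keys on skb->mark */`. send_proxy_packet4 begins and ends outside this hunk.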