Viktor Kuzmin

Results 78 comments of Viktor Kuzmin

@brb, also the setup on 1.14.2 is not working well even with the patch. This time it is because of the new WireGuard implementation: If I connect from WAN IP to mentioned...

So. Setup can be simplified: each server is inside a private L2 network. We have no real load balancers but we have several IP addresses which can be assigned to any...

One more clarification: I'm talking about connecting from inside a pod to external IPs, i.e. we have ingress-nginx assigned to several virtual IPs and it has DNS ingress.example.com and we're using...

Cilium is aware of those external IPs - they are all defined in a service. Service example (IPs are modified from the real ones): ``` apiVersion: v1 kind: Service metadata: annotations:...

The setup is something like L2 Announcements and I also added a feature enhancement proposal: https://github.com/cilium/cilium/issues/28326

@brb, the problem exists in any setup which uses a virtual IP. Also, WireGuard is filtering packets in an unexpected way - I will add a separate issue.

@rlex, we're using dedicated (metal) servers and vswitch in robot and cloud networks is almost the same stuff. You can even combine them both. I don't think that your problem...

@brb, it's not about LB at all. It's all about how DSR is handled. This is a misunderstanding of what is happening. You have a service accessible from the internet. Let...

You mean it should do LB before sending the initial packet out? And that means there will be no packet with 'virtual ip' (src or dst) at all? *...

Just tried to remove this condition: `lb4_svc_is_external_ip(svc)` and it's all working! Is it possible to make this mitigation optional?