cilium · jrajahalme · Jan 22, 2025 · Jan 21, 2025 · Jan 21, 2025
@@ -370,10 +370,6 @@ Config::extractSocketMetadata(Network::ConnectionSocket& socket) {
     return absl::nullopt;
   }
 
-  // We do this first as this likely restores the destination address and
-  // lets the OriginalDstCluster know the destination address can be used.
-  socket.connectionInfoProvider().restoreLocalAddress(dst_address); // mark as `restored`
-
   std::string pod_ip, other_ip;
   if (is_ingress_) {
     pod_ip = dip->addressAsString();
@@ -516,8 +512,8 @@ Config::extractSocketMetadata(Network::ConnectionSocket& socket) {
   return absl::optional(Cilium::BpfMetadata::SocketMetadata(
       mark, ingress_source_identity, source_identity, is_ingress_, is_l7lb_, dip->port(),
       std::move(pod_ip), std::move(src_address), std::move(source_addresses.ipv4_),
-      std::move(source_addresses.ipv6_), weak_from_this(), proxy_id_, std::move(proxylib_l7proto),
-      sni));
+      std::move(source_addresses.ipv6_), std::move(dst_address), weak_from_this(), proxy_id_,
+      std::move(proxylib_l7proto), sni));
 }
 
 Network::FilterStatus Instance::onAccept(Network::ListenerFilterCallbacks& cb) {
@@ -540,6 +536,8 @@ Network::FilterStatus Instance::onAccept(Network::ListenerFilterCallbacks& cb) {
 
     socket_metadata->configureProxyLibApplicationProtocol(socket);
 
+    socket_metadata->configureOriginalDstAddress(socket);
+
     // Make Cilium Policy data available to filters and upstream connection (Cilium TLS Wrapper) as
     // filter state.
     cb.filterState().setData(

@@ -36,6 +36,7 @@ struct SocketMetadata : public Logger::Loggable<Logger::Id::filter> {
                  Network::Address::InstanceConstSharedPtr original_source_address,
                  Network::Address::InstanceConstSharedPtr source_address_ipv4,
                  Network::Address::InstanceConstSharedPtr source_address_ipv6,
+                 Network::Address::InstanceConstSharedPtr original_dest_address,
                  const std::weak_ptr<PolicyResolver>& policy_resolver, uint32_t proxy_id,
                  std::string&& proxylib_l7_proto, absl::string_view sni)
       : ingress_source_identity_(ingress_source_identity), source_identity_(source_identity),
@@ -44,7 +45,8 @@ struct SocketMetadata : public Logger::Loggable<Logger::Id::filter> {
         policy_resolver_(policy_resolver), mark_(mark),
         original_source_address_(std::move(original_source_address)),
         source_address_ipv4_(std::move(source_address_ipv4)),
-        source_address_ipv6_(std::move(source_address_ipv6)) {}
+        source_address_ipv6_(std::move(source_address_ipv6)),
+        original_dest_address_(std::move(original_dest_address)) {}
 
   std::shared_ptr<Envoy::Cilium::CiliumPolicyFilterState> buildCiliumPolicyFilterState() {
     return std::make_shared<Envoy::Cilium::CiliumPolicyFilterState>(
@@ -76,6 +78,24 @@ struct SocketMetadata : public Logger::Loggable<Logger::Id::filter> {
     }
   }
 
+  void configureOriginalDstAddress(Network::ConnectionSocket& socket) {
+    if (!original_dest_address_) {
+      return;
+    }
+
+    if (*original_dest_address_ == *socket.connectionInfoProvider().localAddress()) {
+      // Only set the local address if it really changed, and mark it as address being restored.
+      return;
+    }
+
+    // Restoration of the original destination address lets the OriginalDstCluster know the
+    // destination address that can be used.
+    ENVOY_LOG(trace, "cilium.bpf_metadata: restoreLocalAddress ({} -> {})",
+              socket.connectionInfoProvider().localAddress()->asString(),
+              original_dest_address_->asString());
+    socket.connectionInfoProvider().restoreLocalAddress(original_dest_address_);
+  }
+
   uint32_t ingress_source_identity_;
   uint32_t source_identity_;
   bool ingress_;
@@ -92,6 +112,7 @@ struct SocketMetadata : public Logger::Loggable<Logger::Id::filter> {
   Network::Address::InstanceConstSharedPtr original_source_address_;
   Network::Address::InstanceConstSharedPtr source_address_ipv4_;
   Network::Address::InstanceConstSharedPtr source_address_ipv6_;
+  Network::Address::InstanceConstSharedPtr original_dest_address_;
 };
 
 /**

@@ -159,11 +159,6 @@ TestConfig::~TestConfig() {
 
 absl::optional<Cilium::BpfMetadata::SocketMetadata>
 TestConfig::extractSocketMetadata(Network::ConnectionSocket& socket) {
-  // fake setting the local address. It remains the same as required by the test
-  // infra, but it will be marked as restored as required by the original_dst
-  // cluster.
-  socket.connectionInfoProvider().restoreLocalAddress(original_dst_address);
-
   // TLS filter chain matches this, make namespace part of this (e.g.,
   // "default")?
   socket.setDetectedTransportProtocol("cilium:default");
@@ -197,7 +192,7 @@ TestConfig::extractSocketMetadata(Network::ConnectionSocket& socket) {
 
   return absl::optional(Cilium::BpfMetadata::SocketMetadata(
       0, 0, source_identity, is_ingress_, is_l7lb_, port, std::move(pod_ip), nullptr, nullptr,
-      nullptr, shared_from_this(), 0, std::move(l7proto), ""));
+      nullptr, original_dst_address, shared_from_this(), 0, std::move(l7proto), ""));
 }
 
 } // namespace BpfMetadata

@@ -1,5 +1,6 @@
 #include <gmock/gmock-actions.h>
 #include <gmock/gmock-spec-builders.h>
+#include <gtest/gtest.h>
 #include <spdlog/common.h>
 
 #include <cstdint>
@@ -516,6 +517,23 @@ TEST_F(MetadataConfigTest, ProxyLibConfigured) {
   socket_metadata->configureProxyLibApplicationProtocol(socket_);
 }
 
+TEST_F(MetadataConfigTest, RestoreLocalAddress) {
+  ::cilium::BpfMetadata config{};
+
+  EXPECT_NO_THROW(initialize(config));
+
+  auto socket_metadata = config_->extractSocketMetadata(socket_);
+  EXPECT_TRUE(socket_metadata);
+
+  EXPECT_NE(socket_.connectionInfoProvider().localAddress(), original_dst_address);
+  EXPECT_FALSE(socket_.connectionInfoProvider().localAddressRestored());
+
+  socket_metadata->configureOriginalDstAddress(socket_);
+
+  EXPECT_EQ(socket_.connectionInfoProvider().localAddress(), original_dst_address);
+  EXPECT_TRUE(socket_.connectionInfoProvider().localAddressRestored());
+}
+
 } // namespace
 } // namespace Cilium
 } // namespace Envoy