From 100a56caae641588ae545cda061c9695fd5ce196 Mon Sep 17 00:00:00 2001
From: Axel Siebenborn
Date: Mon, 20 Nov 2023 14:58:42 +0100
Subject: [PATCH] Clean-up iptables nat rules.

IPv4NativeRoutingCIDR = "0.0.0.0/0" leads to an invalid iptables rule that never matches. In case of iptables-nft this leads to an error. The intention of choosing "0.0.0.0/0" was to have a CIDR that includes both pod and nodes range. However, cilium takes care not to masquerade traffic to node addresses. So it's save to choose the pod range for IPv4NativeRoutingCIDR. As a result, our own iptables masquerade rules are not needed anymore. SnatOutOfCluster and SnatToUpstreamDNS can be switched off as default.
---
 .../internal/cilium/charts/config/templates/configmap.yaml | 2 +-
 pkg/charts/utils.go                                        | 5 ++++-
 pkg/controller/actuator_reconcile.go                       | 4 ----
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/charts/internal/cilium/charts/config/templates/configmap.yaml b/charts/internal/cilium/charts/config/templates/configmap.yaml
index d1ab22865..6f587ed31 100644
--- a/charts/internal/cilium/charts/config/templates/configmap.yaml
+++ b/charts/internal/cilium/charts/config/templates/configmap.yaml
@@ -319,7 +319,7 @@ data:
   enable-ipv4-masquerade: {{ .Values.global.enableIpv4Masquerade | quote }}
   enable-ipv6-big-tcp: {{ .Values.global.enableIpv6BigTCP | quote }}
   enable-ipv6-masquerade: {{ .Values.global.enableIpv6Masquerade | quote }}
-{{- if not .Values.global.snatToUpstreamDNS.enabled }}
+{{- if ne .Values.global.tunnel "disabled" }}
   enable-bpf-masquerade: {{ .Values.global.enableBPFMasquerade | quote }}
 {{- end }}
 
diff --git a/pkg/charts/utils.go b/pkg/charts/utils.go
index 3c1d5add7..7ac9b9747 100644
--- a/pkg/charts/utils.go
+++ b/pkg/charts/utils.go
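Review bot: Keying `enable-bpf-masquerade` on `.Values.global.tunnel` alone drops the previous `snatToUpstreamDNS` exclusion, so a chart rendered in tunnel mode with `snatToUpstreamDNS.enabled=true` now emits BPF masquerade where the old template suppressed it. If that exclusion was deliberate (BPF masquerade and the DNS-SNAT iptables rules acting on the same egress traffic), the condition should be `{{- if and (ne .Values.global.tunnel "disabled") (not .Values.global.snatToUpstreamDNS.enabled) }}`; I am inferring the original intent from the removed line, so confirm before changing it. In either case a template comment such as `{{/* left unset in native-routing mode: the agent default applies, not .Values.global.enableBPFMasquerade */}}` would spare the next reader from guessing, since omitting the key means the effective setting is the agent's default rather than the Helm value.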
@@ -274,7 +274,10 @@ func generateChartValues(config *ciliumv1alpha1.NetworkConfig, network *extensio
 
 	// check if ipv4 native routing cidr is set
 	if config.IPv4NativeRoutingCIDREnabled != nil && *config.IPv4NativeRoutingCIDREnabled {
-		globalConfig.IPv4NativeRoutingCIDR = "0.0.0.0/0"
+		if cluster.Shoot.Spec.Networking.Pods == nil {
+			return requirementsConfig, globalConfig, fmt.Errorf("pods cidr required for setting ipv4 native routing cidr was not yet set")
+		}
+		globalConfig.IPv4NativeRoutingCIDR = *cluster.Shoot.Spec.Networking.Pods
 	}
 
 	if config.SnatToUpstreamDNS != nil && config.SnatToUpstreamDNS.Enabled {
diff --git a/pkg/controller/actuator_reconcile.go b/pkg/controller/actuator_reconcile.go
index 9bd3214c1..1f25bac1b 100644
--- a/pkg/controller/actuator_reconcile.go
+++ b/pkg/controller/actuator_reconcile.go
@@ -105,10 +105,6 @@ func (a *actuator) Reconcile(ctx context.Context, _ logr.Logger, network *extens
 	if networkConfig.Overlay != nil && !networkConfig.Overlay.Enabled {
 		networkConfig.TunnelMode = (*ciliumv1alpha1.TunnelMode)(pointer.String(string(ciliumv1alpha1.Disabled)))
 		networkConfig.IPv4NativeRoutingCIDREnabled = pointer.Bool(true)
-		networkConfig.SnatOutOfCluster = &ciliumv1alpha1.SnatOutOfCluster{Enabled: true}
-		if networkConfig.SnatToUpstreamDNS == nil {
-			networkConfig.SnatToUpstreamDNS = &ciliumv1alpha1.SnatToUpstreamDNS{Enabled: true}
-		}
 	}
 }
 
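Review bot: The new nil guard checks only `Pods`, but `cluster.Shoot.Spec.Networking` is dereferenced on the same line; if `Networking` is itself a pointer in the Shoot API this extension builds against (I believe it is in recent gardener core types), a shoot without a networking section panics here instead of returning the error. Extending the guard to `if cluster.Shoot.Spec.Networking == nil || cluster.Shoot.Spec.Networking.Pods == nil {` keeps the failure an ordinary reconcile error; the `cluster` parameter is assumed to exist, since the signature is truncated in the hunk header. Because this string becomes `ipv4-native-routing-cidr` and, with the actuator no longer forcing the extension's own SNAT rules on, now defines which egress traffic cilium does not masquerade, it is also worth validating it with `net.ParseCIDR` so an unparseable value fails reconciliation with a clear error rather than producing an invalid rule, unless shoot validation already guarantees the format. generateChartValues continues outside the hunk.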