From d5e5bf3485d4e035d21c8e845a2d5f1031e2e771 Mon Sep 17 00:00:00 2001 From: Chris Tarazi Date: Tue, 11 Apr 2023 16:40:34 -0700 Subject: [PATCH] node/manager: Remove ipset config from previous node state Found by code inspection from https://github.com/cilium/cilium/pull/23208#discussion_r1139462540, thanks to Joe. Fix this discrepancy so that we can potentially backport this fix if needed to older branches. The surrounding logic will get refactored in the aforementioned PR. This affects users that are running with the following: - --tunnel=disabled (native routing) - --enable-bpf-masquerade=false - --enable-ipv{4,6}-masquerade=true Fixes: 49cb220626b ("iptables: Don't masquerade traffic to cluster nodes") Suggested-by: Joe Stringer Signed-off-by: Chris Tarazi
---
 pkg/node/manager/manager.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkg/node/manager/manager.go b/pkg/node/manager/manager.go
index 14083a191af3c..d78bde4687b74 100644
--- a/pkg/node/manager/manager.go
+++ b/pkg/node/manager/manager.go
@@ -484,6 +484,9 @@ func (m *manager) NodeUpdated(n nodeTypes.Node) {
 // Delete the old node IP addresses if they have changed in this node.
 var oldNodeIPAddrs []string
 for _, address := range oldNode.IPAddresses {
+ if option.Config.NodeIpsetNeeded() && address.Type == addressing.NodeInternalIP {
+ iptables.RemoveFromNodeIpset(address.IP)
+ }
 if skipIPCache(address) {
 continue
 }
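Review bot: The added `iptables.RemoveFromNodeIpset(address.IP)` call runs for every `NodeInternalIP` of `oldNode`, not only for addresses that differ from the updated node, although the comment above the loop says old addresses are deleted "if they have changed". If the updated node's addresses are inserted into the ipset earlier in `NodeUpdated` (not visible in this hunk), an update that keeps the same internal IP would drop a still-valid entry, and traffic to that node would then be masqueraded until the entry is re-added. Consider removing only IPs that are absent from the new node's address list, or confirm that the add for `n` happens after this loop. A short comment on the new branch such as `// Drop stale node IPs from the ipset so traffic to them is masqueraded again.` would also state the intent. `NodeUpdated` starts and ends outside the hunk, so the ordering cannot be verified from here.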