controller: fix vpc egress gateway forward policy not working for targets within the internal subnet's cidr (#6222)

zhangzujian · zhangzujian · commit 949ea6ec5122 · 2026-01-28T03:46:15.000Z
Signed-off-by: zhangzujian &lt;zhangzujian.7@gmail.com&gt;
diff --git a/pkg/controller/vpc_egress_gateway.go b/pkg/controller/vpc_egress_gateway.go
@@ -311,35 +311,16 @@ func (c *Controller) reconcileVpcEgressGatewayWorkload(gw *kubeovnv1.VpcEgressGa
 	internalCIDRv4, internalCIDRv6 := util.SplitStringIP(intSubnet.Spec.CIDRBlock)
 
 	// collect egress policies
-	ipv4Src, ipv6Src := set.New[string](), set.New[string]()
 	ipv4ForwardSrc, ipv6ForwardSrc := set.New[string](), set.New[string]()
 	ipv4SNATSrc, ipv6SNATSrc := set.New[string](), set.New[string]()
-	fnFilter := func(internalCIDR string, ipBlocks []string) set.Set[string] {
-		if internalCIDR == "" {
-			return nil
-		}
-
-		ret := set.New[string]()
-		for _, cidr := range ipBlocks {
-			if ok, _ := util.CIDRContainsCIDR(internalCIDR, cidr); !ok {
-				ret.Insert(cidr)
-			}
-		}
-		return ret
-	}
-
 	for _, policy := range gw.Spec.Policies {
 		ipv4, ipv6 := util.SplitIpsByProtocol(policy.IPBlocks)
-		ipv4Src = ipv4Src.Insert(ipv4...)
-		ipv6Src = ipv6Src.Insert(ipv6...)
-		filteredV4 := fnFilter(internalCIDRv4, ipv4)
-		filteredV6 := fnFilter(internalCIDRv6, ipv6)
 		if policy.SNAT {
-			ipv4SNATSrc = ipv4SNATSrc.Union(filteredV4)
-			ipv6SNATSrc = ipv6SNATSrc.Union(filteredV6)
+			ipv4SNATSrc = ipv4SNATSrc.Insert(ipv4...)
+			ipv6SNATSrc = ipv6SNATSrc.Insert(ipv6...)
 		} else {
-			ipv4ForwardSrc = ipv4ForwardSrc.Union(filteredV4)
-			ipv6ForwardSrc = ipv6ForwardSrc.Union(filteredV6)
+			ipv4ForwardSrc = ipv4ForwardSrc.Insert(ipv4...)
+			ipv6ForwardSrc = ipv6ForwardSrc.Insert(ipv6...)
 		}
 		for _, subnetName := range policy.Subnets {
 			subnet, err := c.subnetsLister.Get(subnetName)
@@ -354,8 +335,6 @@ func (c *Controller) reconcileVpcEgressGatewayWorkload(gw *kubeovnv1.VpcEgressGa
 			}
 			// TODO: check subnet's vpc and vlan
 			ipv4, ipv6 := util.SplitStringIP(subnet.Spec.CIDRBlock)
-			ipv4Src = ipv4Src.Insert(ipv4)
-			ipv6Src = ipv6Src.Insert(ipv6)
 			if policy.SNAT {
 				ipv4SNATSrc.Insert(ipv4)
 				ipv6SNATSrc.Insert(ipv6)
@@ -367,13 +346,29 @@ func (c *Controller) reconcileVpcEgressGatewayWorkload(gw *kubeovnv1.VpcEgressGa
 	}
 
 	// calculate internal route destinations and forward source CIDR blocks
-	ipv4Src.Delete("")
-	ipv6Src.Delete("")
 	ipv4ForwardSrc.Delete("")
 	ipv6ForwardSrc.Delete("")
 	ipv4SNATSrc.Delete("")
 	ipv6SNATSrc.Delete("")
-	intRouteDstIPv4, intRouteDstIPv6 := ipv4ForwardSrc.Union(ipv4SNATSrc), ipv6ForwardSrc.Union(ipv6SNATSrc)
+	ipv4Src := ipv4ForwardSrc.Union(ipv4SNATSrc)
+	ipv6Src := ipv6ForwardSrc.Union(ipv6SNATSrc)
+
+	// filter out ip blocks within the internal subnet CIDR(s) to avoid route(s) configuration failure
+	fnFilter := func(internalCIDR string, ipBlocks set.Set[string]) set.Set[string] {
+		if internalCIDR == "" {
+			return nil
+		}
+
+		ret := set.New[string]()
+		for cidr := range ipBlocks {
+			if ok, _ := util.CIDRContainsCIDR(internalCIDR, cidr); !ok {
+				ret.Insert(cidr)
+			}
+		}
+		return ret
+	}
+	intRouteDstIPv4 := fnFilter(internalCIDRv4, ipv4Src)
+	intRouteDstIPv6 := fnFilter(internalCIDRv6, ipv6Src)
 
 	// generate route annotations used to configure routes in the pod
 	routes := util.NewPodRoutes()
