agent: fix nodeport service snat

We snat when endpoint is not local, no need to do it when it is local. This is for the returned traffic to pass by the node.
projectcalico · Jul 26, 2023 · c8a2e7c · c8a2e7c
1 parent c7cf3ef
commit c8a2e7c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/calico-vpp-agent/services/service_handler.go b/calico-vpp-agent/services/service_handler.go
@@ -108,8 +108,8 @@ func buildCnatEntryForServicePort(servicePort *v1.ServicePort, service *v1.Servi
 							},
 							Flags: flags,
 						}
-						/* In nodeports, we also sNAT */
-						if isNodePort {
+						/* In nodeports, we need to sNAT when endpoint is not local to have a symmetric traffic */
+						if isNodePort && !isEndpointAddressLocal(&endpointAddress) {
 							backend.SrcEndpoint.IP = serviceIP
 						}
 						backends = append(backends, backend)