Title: Does Envoy Support LVS-DR (Direct Routing) Without NAT?
Description:
I am exploring ways to implement Direct Routing (LVS-DR) in OpenShift (RHOCP) without performing NAT.

Brief Overview of Direct Routing (LVS-DR):
LVS-DR is a load balancing technique where:
- The LVS router (load balancer) receives incoming traffic on a Virtual IP (VIP) and forwards it to real servers.
- The real servers respond directly to the clients (bypassing the LVS router), preserving both source and destination IPs for better performance.
- This method relies on modifying the destination MAC address rather than using SNAT/DNAT.

The ARP Challenge in LVS-DR:
Since both the LVS router and real servers share the same VIP, ARP requests can cause issues where the VIP is wrongly associated with a real server, bypassing the load balancer. This is typically solved by suppressing ARP responses on the real servers.

My Query:
Can Envoy be configured to function like LVS-DR? Specifically:
- Can Envoy forward traffic based on MAC address changes instead of NAT (SNAT/DNAT)?
- Is there a way for Envoy to forward traffic to real servers while allowing them to respond directly to clients (LVS-DR behavior)?
Note: I have already explored original_src and original_dst filters. However, the packet does not come out from Envoy pod if such filters are used. More details are attached in the PDF.
This is not my area of expertise but AFAIK there is no way to do this at the Envoy/app layer. I think you will need OS collaboration to do this (ebpf, iptables, etc.).
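
An added illustration (not part of the issue, the reply, or Envoy) of the distinction discussed in this thread: LVS-DR rewrites only the Ethernet header, DNAT rewrites the IP header, and ARP suppression on a real server is modelled on the Linux `arp_ignore` sysctl. All addresses, MACs and function names are constructed for the example, and the payload is a stand-in rather than a real TCP segment.

```python
import struct

# Constructed sample values (documentation address ranges, locally administered MACs).
VIP, CLIENT_IP, RS_IP = "192.0.2.10", "198.51.100.7", "10.0.0.5"
CLIENT_MAC = bytes.fromhex("020000000001")
LB_MAC = bytes.fromhex("0200000000aa")
RS_MAC = bytes.fromhex("0200000000b1")

def ip_bytes(addr):
    return bytes(int(part) for part in addr.split("."))

def ip_checksum(header):
    """RFC 1071 checksum over a 20-byte IPv4 header; 0 means a stored checksum is valid."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload=b"GET /"):
    """Ethernet II + IPv4 frame; the payload stands in for the L4 segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + payload

def dr_forward(frame, lb_mac, rs_mac):
    """LVS-DR: swap the Ethernet addresses only; the IP packet is byte-identical."""
    return rs_mac + lb_mac + frame[12:]

def dnat_forward(frame, lb_mac, rs_mac, rs_ip):
    """DNAT, for contrast: the destination IP changes, so the checksum is recomputed.
    A real NAT also has to fix the TCP/UDP checksum, which is omitted here."""
    ip = bytearray(frame[14:34])
    ip[16:20] = ip_bytes(rs_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return rs_mac + lb_mac + frame[12:14] + bytes(ip) + frame[34:]

def answers_arp(target_ip, incoming_if, addrs_by_if, arp_ignore):
    """Model of Linux arp_ignore: 0 replies for any local address,
    1 replies only if the target is configured on the incoming interface."""
    if arp_ignore == 0:
        return any(target_ip in addrs for addrs in addrs_by_if.values())
    return target_ip in addrs_by_if.get(incoming_if, ())

if __name__ == "__main__":
    frame = build_frame(LB_MAC, CLIENT_MAC, CLIENT_IP, VIP)
    print("DR keeps IP packet:", dr_forward(frame, LB_MAC, RS_MAC)[14:] == frame[14:])
    real_server = {"lo": {VIP}, "eth0": {RS_IP}}  # assumed layout: VIP on loopback
    print("ARP reply for VIP, arp_ignore=1:", answers_arp(VIP, "eth0", real_server, 1))
```

The DR path never touches bytes above the Ethernet header, which is why it belongs to the kernel or data plane rather than to a proxy that terminates connections.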
Attachment to the issue description: Envoy_Original_Src_Dst_Troubleshoot.pdf