address Arko's comment

zirain · zirain · commit 800141baac3d · 2026-02-03T10:57:46.000+08:00
Signed-off-by: zirain &lt;zirain2009@gmail.com&gt;
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
@@ -819,22 +819,9 @@ func (t *Translator) processTCPListenerXdsTranslation(
 						errs = errors.Join(errs, err)
 					}
 				}
-			}
-			if err := t.addXdsTCPFilterChain(
-				xdsListener,
-				route,
-				route.Destination.Name,
-				accesslog,
-				tcpListener.Timeout,
-				tcpListener.Connection,
-			); err != nil {
-				errs = errors.Join(errs, err)
-			}
-		}
-
-		// add TCPRoute client certs
-		for _, route := range tcpListener.Routes {
-			if route.Destination != nil {
+			} else if route.Destination != nil {
+				// TCPRoute with BackendTLSPolicy
+				// add tcp route client certs
 				for _, st := range route.Destination.Settings {
 					if st.TLS != nil {
 						for _, clientCert := range st.TLS.ClientCertificates {
@@ -846,6 +833,16 @@ func (t *Translator) processTCPListenerXdsTranslation(
 					}
 				}
 			}
+			if err := t.addXdsTCPFilterChain(
+				xdsListener,
+				route,
+				route.Destination.Name,
+				accesslog,
+				tcpListener.Timeout,
+				tcpListener.Connection,
+			); err != nil {
+				errs = errors.Join(errs, err)
+			}
 		}
 
 		// If there are no routes, add a route without a destination to the listener to create a filter chain
