- 8e4fc0ad3e24826778966a806bb6ce6f4f399cbe changes to support ICMP type and code check in policy in bpf mode
- ab0b1e94b396180f19434babfc7e04888e5500f4 changes addressing review comments
- 4b7e4cbff9ac505df5e32516fef929a553bdd20f Auto-configure the IPv4/6 forwarding sysctls.
- 7599679c3885f85994fd720202b71861a68f2426 CIDR filtering for src and dst net
- fe7b969370233da7d4b24d796e7912cb783edb23 Add rule manager
- 27f74a07c12a1b718f75a419f63ea5d63d7912e6 bpf/ut: defer RT map clean up to test that modify RT
- e29c6fb2a880144e9d287aa6b2cad3c89cf7023f Test resync after deleting rule out-of-band
- 46b7b926d14c59677a202709636b4e2c2efafb70 bpf/ut: NP tests should use the node IP
- fe67a792fc1321e09fb5e91d9699c292da8f782e Semaphore Automatic Update
- ea8ff98de87e4c1e8260448f39dfc878f6b210f0 Add a kernel version check for BPF mode.
- e58c06f49bc7e458fd2ef87e2537d5ab03b20d65 bpf: NodePorts on multi-homed nodes
- 2e2c5e8d1dbc5bedcd984970d494573923ce37b4 Delay felix startup
- bcee1fac1e3181582c46f8bf67f9e91a5d1e60c6 Only route to wireguard for workload-originated flows
- b9e99a98e74ad235115713249d04ee53828e8f9b Don't use log context in multiple go-routines
- af2aedbd5aa68a260b66352c272e05a3bc53926a Ensure table index is assigned to wireguard even when disabled
- 8a9bc7e17c211bfb1de39255bad19a6b5466f31f Semaphore Automatic Update
- de8066e79a0fa516034d918eb5835469cc4ac4fc This commit has the following changes 1) Filter src net and dst net based on the IPversion of the rule 2) IPversion check and filtering rules based on IPversion are moved to a common function for both IPTables and BPF 3) UT to validate ICMP type and code rules 4) In UT, for ICMP the dest port is copied to state->dport and not to post_nat_dport
- ddde95e8ff6fa78c4d6e863c41fa3cfa76c72ddc Added comments for ICMP type and code related changes
- 8af351149ad41aa9de5979521a4cc38c62ef9551 Improve diags if kube-proxy module fails to start.
- b9f20ff8749defab1ae1cc64c098616af1198674 Wait for BPF map to exist before dumping it.
- 6b633332aa41d0bbcd1a239efd91fc560d295cda Addressed review comments 1) Comparing 16 bits for ICMP type and code 2) Setting the dport in state to 0 just before adding to conntrack for ICMP packets
- e37dfe52c970111e85851e2905154bf5e95c735f Corrected the formatting
- efe5442a08e85bcdf96b0bafc2910aa96fe80dda bpf: Binary.PatchIPv4() logs incorrectly if not IPv4
- 08d0568a24ab59f37cbdb47b200130e9da20179b Add local throw routes to wireguard table
- a58edf2263a79e1143acabc1b33e59c87742a515 Ensure conntrack tidied up when interface is deleted:
- e2a2b34fbafa99790f7e4a3d32c3c5a32463bcd3 Semaphore Automatic Update
- afe99ea919992ea92bdf567d5c56a7e9b2148ec5 Modified the comments
- 548e49693a476629334a4becc09996b71b2dbb14 changes for UT and static check to pass
- e08420b2d6ffb28a13458e4d616addf76562b3a6 Return os.ErrNotExists from map deletes.
- 8c415f1d8d8e59cfb8e841f64201f7fa87e18275 Resolving static check issues
- fbde084f30673cf6f965606cff28521309ce4685 Add UT for map deletion.
- 7ff63b5c4666bee8bbbac08b6e4e11033304d276 Adding comments for godoc
- dfcccaa5e6cf530db2d77f754d5c88e177727fe5 Typo and formatting issues
- bf946f1f3b6a7187e266a048f747932dce0979b8 Markups
- 3e4dd6fe2c8d4607a185c54ca08aab3ee2ba88e8 Semaphore Automatic Update
- 6627f2407e33b2b814b18a61bec7c42b860d352f Drop all packets with IP options from/to workload end points. Additional UT to test packet with IP options
- 2870cbc81cafd5b4e7a605d05a7d3b7bd73f5624 Filter interface update to avoid flapping.
- 56d7966299c9b7967669a19008d7c8632f425d2a Update of libcalico-go
- 7c52a12c1f99bf37f27b0b11fc6e4ed695f8a56b Semaphore Automatic Update
- c95b393982a4129f1edd084052a3ea6af6e9a480 Improve diags when attaching BPF program.
- 29d76112c51b233b61687c99e58e5a6ce1aa909c Avoid flapping BPF programs in more cases.
- 790d2bbfdb14209277e1a8b9afd2b1efb60ae12a Markups.
- 9396d724d3437f7be8608b0adbc04d916136d71c Only parse output from bpftool.
- 4376b1e812995b152cd4b2ab1100fed4104ba7e6 Add map iteration test.
- 5e460ea97d846b8b365caf8baf3d73324fe9149d Add dedicated error for device being missing.
- d4711f99eda516cafaf17df11ab2de6cb56f7373 WireGuard FV (#2289)
- 2c330acf76bc08d6089f3394b7ced7bd53bee4dc Drop all packets with IP options, irrespective of whether it is to host or workload EP.
- f78ae1effb5be1bbe7886bcc23fe92dce6e57a62 Markups.
- a6cc83f400f1e37f25fc23cf4c9be2afe1b7c558 Semaphore Automatic Update
- 46e8182cb1d13e7d9559107e9778c8e8c89d51d2 bpf: do not accept tunnel from non-node src IP
- 2e35fc4a4e90bd4fa59111ad5ed4432732429084 bpf: check source of tunnel pkts on dest node
- 69da54c7968987f916f7f6fade3381f1bdbf8b54 bpf: store tunnel dest in conntrack
- ff2609b4cb115e7b399b2daf61d2d1d135b7728d bpf: rename ct_ctx->nat_tun_src to tun_ip
- 91a208ed4dc7c54dc3e448096719695b5677fcd6 bpf rename calico_ct_result->tun_ret_ip to tun_ip
- 9be35e1f49ea2870c7536b1f69c60ab22e5d336e bpf: no RP lookup for conntracked nodeport tunnel
- 596ed13102d132bf8506aae940ca68324921dc4f bpf: check source of tunnel pkts on both nodes
- 3c00bd9128a4ee7d864aa111c1352f33235d3e7d bpf: fix typos and comments
- 2f2fe9b1767b0fe274dc457930c71c43674381f0 bpf: merge tw if (encap_needed) blocks
- 33b3c64373999ae1245261062518a8db588a820a 1) Drop malformed IP packets (IHL < 5) 2) Drop packets with IP options from/to wep and dest IP not host IP 3) Allow packets with IP options if dest IP is host IP 4) UT for the above changes
- 59f53cd044a1b1fb13182d80581ac7e9129c1f93 Changes to use syscall version for deleting BPF maps instead of bpftool
- 8e44984dcbe75ec8cbe5798816b99d209e25fe4a Merging master with branch
- fd6aacefca8a30a48919e05c345e4bd5fa2d52bb Revert "WireGuard FV (#2289)"
- 78330f804f0b619e4f5b0c8f3b5d5a138980a2b1 Changes to handle deleting non-existent entry in the map
- fe499a9f55174fa50e2468b0453bfafc337ca8bc Removing unused functions
- 9deb3b45342526927354952dfaced212b5110ac1 Check for dest IP only if it's FROM_HEP
- 9a187e8940855446de3dbda7f88cc687d4e8a8a8 Markups.
- 054dc7f07d46fbe57a55f0ae6af5d7f423332c77 Building calico-bpf with CGO enabled and handling errors
- 42dd62bcab3aff5ebd4a7c2230ebfa08829943ce Only program iptables chains that are referenced.
- 42b586fee7e831a314f3720fbb814ce297093b11 Updated RecvMessage, payload.WireguardStatusUpdate
- 7ed73090f7b6f45b45c3d179fb122fa504d55cd7 Markups.
- 6eb093f77ccd4e499c298370633b282c639de7bf Derive interface IPs from local routes instead of addresses.
- b508d6f1eab18ddf33d2d02dc0cb37b50ee6dabd Changes to fix the issues with conntrack test
- eec86fece6161bd307a573b8edff05758ba103a8 Error handling for deleting non-existent KV in map
- eded3f063ec63298c0e71256943a87d2c8a990be bpf: Proxy healthCheckNodeport unittest
- 0e18010e7dcd28273bd7136aa5d04d904630722c bpf: do not set BPF_FIB_LOOKUP_OUTPUT after encap
- 0ea8da1aed1ab58476e06fd754b724fa4d41a4d3 bpf: NP pkts after decap need to skip rpf check
- 7694a5c1991c133e7d797821e2480465611a7acf bpf/fv: multi-NIC np test requires non-strict rp_filter
- 33f7f27cf4862ac23f422240c7576322dfa58a56 bpf: always try rt lookup and only relax if from tunnel
- 762ea151ce50118474ce04741ede5f6c563752fd Undo revert, fix flakes by:
- 49fba93e6fad64ba28e7de8940f566e8243e5d7f 1) Added new git pre-commit hook to check for copyright and license in .C and .h files under bpf-gpl and bpf-apache directory 2) Fixed the license and copyright information of the source files in bpf-gpl and bpf-apache directory
- e64a20d0548daa7f48978986ae95c4fc52826026 Fixed the compilation error
- 9971a56fd295b534c75a95aabacd92d78285a153 Fixing the bpf-gpl build issue
- 1b654ef4b8ce5f6dafa32ff6507c9463285da4c4 bpf: decap vxlan tunnel if for local host
- 3dd524091f2b134fc690be96a47054c3b1ea7985 bpf: use rt_addr_is_local_host() in ip options test
- f21735977bc5d5f3f0ecc50b36eb6fca568cece7 Disable accept_ra in workloads
- c52b9fa6f90658a89b51bf76867045b0783fd3bf Revert special-casing for OpenStack
- 37e8b6fd29a88fed7be72e7e450e2044cb917b45 WireGuard FVs:
- 336c2b9ef9447c4c111bdefe7256c4a3c04f990b Reverting copyright for unchanged files
- 1cde782c3f4fe49be3c43cb407f64b74df19be90 Modified the in container hook to handle .c and .h files
- aab686bb1d7313f375cc837659ee46d9f7c9bae7 Make calico-felix-wrapper greppable in the output.
- b2c2cc4632ca009538aaefcc7ccc877606cf9559 Send SIGHUP to felix only, not the wrapper.
- 7db65890af772b3abc45c2b1fe5bceb7f2a08ea6 Markups.
- 3d86cd6bfb7803fee5ce2bdcddf2bcdfc10d0369 Add Kubernetes API server port (6443) to failsafes
- 7dcbcc00188062226cee7a63b7d5a7ea300dadc7 Add FV for Kubernetes API server connectivity
- c2b7eeddc6c35fb30a211b4ff0a349a47a665b24 Canonicalise names of config fields before checking inheritance
- f6b5c2b5217515b44783c82b60c35c77bfcd61f2 Clean up duplicate BPF kernel check.
- a7206d86db8a137d4f1c6e638166fffcbb50ae0b NAT FE map changes to support source IP range with LB in BPF mode
- 57e6463a95b8c0e664f1cfef7981417af1eef650 changes to fix bpf ut
- b3dbb0a0415c9bbda20425e4919c0fcd4353d62c When starting the metric server, only retry the ListenAndServe.
- 75d8ca4b540f3e5608f55106e55db480974681f5 Only log on err (#2334)
- 92ab434d90e74511d3febe26b44a4eb7e2e8b1e2 Semaphore Automatic Update
- fc28684f84467fd454d9e843cf100c9751f91411 bpf: HOST_IP represents the same node ip on all host ifaces
- 448ff6af706b71ae9d6fe83bda42822e18de8f26 bpf: relax RPF check in multi-nic FV
- c1e325423d69e7c4a485fb0daa70b47f1f14f524 1) Changes to drop the packet after level1 nat lookup 2) Handling source IP range while deleting the service
- acea05f167a1ec98c131d15eea8b4cae9db76d4c Fixed UT issues with affinity key
- caa7361a69ee91134e10898d4f4b5e27b0d99c22 UT for testing Syncer with LBSourceIPRange
- 3582d7fb6aa5cf73b753871608225d19813d677f UT to drop and allow packets based on src IP
- 165a94335f46e6dc517357f5b903c5f9623188f3 bpf/proxy: collect stale UDP services
- b4555592266aca5ca2736db5c1e0b8a42a40c395 Address WireGuard FV flake -- * adjust wireguard disabled test * adjust wireguard config change test * increase time-out
- e2a558ff007abb7a2ee810cc0a0826b2c3d5bfd7 Versioning of the NAT FE BPF MAP
- 6ac9aed4ac9a41441ca45fc27dcad42d2cd54fd8 Versioning changes and removing debugs
- e301550029fcee776e08c6385247a6962b6397ff Semaphore Automatic Update
- fdf21e348a4063cb544589dbb3b5ccfeb4d39980 Fixing static check issues
- 4d8170f720f955b28f8f374749b2b924d9e88c5f Handling endianness explicitly when copying prefix length
- 22d3aa02373222a25f2173c87b9002159ca5b851 static checks
- 53aa1be34aec471a09b6b92f25ba8492b6e3e4d3 Revert "Semaphore Automatic Update"
- b5f31d3a68db30cd27917fcf6628f287b6db4775 Connect directly to Typha rather than via ClusterIP
- 72571f183b8e1312ff9482d4b67cf65cdb9368db Markups, adjust tests to use fake k8s client.
- 5f6c98654dc9cf2c21bbbd2369e41111000c8850 1) Changes to copy the src addr to the nat fe key 2) Ignoring IPv6 CIDRs in source IP range
- e53b47bd94200ffbe3afda5e39162011d46d31d2 Using macro for prefixlen for nat fe lookup
- 7ff31804a8b5f16ddea487709a2f7429b37afceb bpf: EndpointSlices support for kube-proxy
- 5c160550d91f777586cdac3b27be3967c5d70501 bpf/proxy: test EndpointSlices with ExternalPolicy=Local
- cf7d792346d444070a3f2b817ed3094755b9003e bpf: no special case with hostIP for tunl0 ifaces
- 91ff776bc334cc78c209b852dc3884a741440de9 bpf/proxy: port names need to match for stale UDP detection
- 1143b164cfbe7413feffa90a9e77c90b221caf29 update pins for EndpointSlicesEnabled
- 7b0fa8098a22d7c2877605d5ca8f8f911c95acf0 Update of libcalico-go to use new CRDs (#2351)
- 3ed7b6c16cba0c87c657ddf596704eaf36e351d4 setting affinity value to 0 for the nat fe drop entry and few macro definitions
- d7efcf1ff34b71a7be92b36ccdbebd1f92d93adb Semaphore Automatic Update
- 57f0f683d00c60359c7c2783e77265f4a4ef8b1a Changes to add NAT entries for 1) External IP 2) Modify the drop entry with count 0xffffffff 3) Added new UT test case
- 06b85a64bb3110e3bb4f21f99a5cc5118654e434 update k8s libraries to v1.17.2
- 45afef27cdcc6346747c07be4caf60064bb78211 bpf/proxy serviceInfo.TopologyKeys() implemented
- aacfac2ffc6726ec0929d73d52c65abbc0cc5819 bpf/proxy: remove a stale comment
- 7e0a33fde1a80bfc068efe480b51e9f9f7313a27 Semaphore Automatic Update
- c9167a3b0a9320952035c0a231506897bb5ae989 Added a new FV test
- f84872160603d001dcd233e5d87f0ba8c1e3be3c Fixed few issues with UT and added new UT cases
- 693ccec9c65d9bfcc06809cd62ca75cc9a18543d Collect core files when felix crashes in FV.
- d24140d1eab26a7e486541b766b9518e24a4323a Add on-test-vm script to reduce verbosity of semaphore yaml.
- d96ebdf5a6b0ab62e2cc7c3fc0f1da67620a8dd8 Add artifact collection.
- f05115e8a2edfc03fb2952bfb699476f1512a8c9 Remove spammy log from FVs.
- 905135f0e8a2f11faadb2b0b7cf352929c34e27b WiP on artifact collection.
- 616a7ca53284ea9b22c038ef8cf45afd6c4727ac Compress artifacts
- ec677b8c44445358454ad06baca67c8b6373dbe6 Fix artifact collection.
- 1b9d01e2f43b587a009941f82ca81be72d3b4d1f Avoid dumping core from expected failures of the test-connection binary.
- 6d5a5db79e2497238e4ca27770ac8869a28daa64 Collect artifacts from non-BPF runs too.
- 4ddc9dd2976acc8a3ce31129094a62a9f3354286 Markups
- 00f57b6ca049584c2d4d59581d3646a43946c6bf Semaphore Automatic Update
- 522a3664d0deb2263cdc1ac526c8ffc84368692f Added new FV tests to test 1) ExternalIP functionality 2) LB source range with externalClient
- ca89db15d80c6e60f1ef4afad3c9b7e531676392 Fix up README badges
- 765cbc4891621f209489f7aaaf5630164a0797d7 update pins
- b06505102d9ecfd321c343fad822c4b71a3be322 bpf: sendrecv4 entries not for TCP
- ca7a5c396023c00602d01fe23e695c59dbe15318 cmd/calico-bpf: nat dump shows local counts as well
- 24a7a78b1768c3c85845bc9fb6697c878ae72bfc grouped related FV tests error handling when we delete keys while deleting service
- 8f090e4cf1e496d3d69b4a7bb4dbae632e434aae Fixed issues in fv tests
- 2da3e397908019417fec5827a2776e6b248da60d Indentation fix
- 40eb7e2e0fb9891d861b9df6e27976ed06f5068b bpf/fv: host networked pods not picked up by policy
- e8569f941da20a5f6da624e4b55f1b4dc1f1f5ad bpf/fv: fix typos
- be96fc3614e863c804b7d22588d5681e770964f6 Addressing workload traffic flake.
- e550b39fa96ff57af7794049a3e4bc5cb44319d6 Semaphore Automatic Update
- cee676ed1ef1295a9fe09e28829b985779b64254 Avoid extra directory when publishing artifacts.
- ace4cd2702e8c5e89c87195db8155b497f9c3513 Collect data race reports from felix during FV.
- 00bffd05578795d33d21345c35955ef20f83b057 Fix race in RegisterManager().
- bde43effdde200a08bdb0aca5c19096f0d5f2e9e Markups.
- 692877076e12551c54c05af5c3cad1b1d1db51d6 Fix another race when logging out manager.
- 68b65ab2848b4db893249ee293c0f3238974cdfa Avoid mutating config from multiple goroutines.
- a47dc19ce336c8fde0204d14838dc796d8db39c6 Add test for the race detection machinery.
- b4946330fdfb7a39bc1b321ec5cd8c26e69a693c Markups.
- e5613154570edb0d32a360611ab3583580aaed98 Update wireguard tests: use functions for Eventually, stop checking Felix PIDs
- 560cfeb0c57edaf66ca60e25f4a4226dff18133b Only install wireguard-tools package.
- fc179295a607408501ae418a82d644bee75d91f5 Rev new kernel test image to Ubuntu 20.04.
- cbc96bf704fc859ed99fdf96c7ddcd9f026f3c8c Add ability for Felix to act as passive standby
- a7ef6de43ba600a21d00b9696087fedd6bf3ae23 Update libcalico-go and pins
- c372e9be72166c7dc7aaeb0e1b4580f6421ad885 Use 20.04 for the wgtool image.
- 2db644e67a31eb3fcf50af99e1bc0cef433c7528 Markups.
- 9d49c8c1d29ce3e4015bd73f8690d29ad8605ded Update pins / fix prometheus client
- 088528c2eb4407733b48bcad443e93960ca0aebf Add typha port to failsafes
- 7698e0e10aa0523be0a2e9ca67fd810207323d4b Include wireguard tunnel IP address in wireguard routing
- b5f47f1adb69d28e54658f67f7fa6fe8df0fb893 Update pins
- 9442b83844ecdb104cc1a1c0d585f5879fae0917 Add AWSSrcDstCheck config param to satisfy UT
- 2f18c267294cb7cf34c4ee42528d4a0cc6d9055d Update libcalico-go pin
- 358d815e33bdb7b6aa4d9a7793d7c80475972d96 Remove unused config option
- e0df1cce20653f3f3809fd6116d704f5ece3d7a0 Fix flake in config FV test.
- acf1dabee5c42c84bad4cd5cec635a81083fac72 Make race detector optional. Enable by default.
- 857265f1f453aaa45e96a666ae523321243e5462 Free up space on the build machine as recommended by Semaphore support.