fix bpfDataIfacePattern (#1698)
tomastigera authored Oct 10, 2024
1 parent 905ffe9 commit 8233345
Showing 9 changed files with 9 additions and 9 deletions.
2 changes: 1 addition & 1 deletion calico-enterprise/reference/resources/felixconfig.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,7 @@ spec:
| bpfEnabled | Enable eBPF dataplane mode. eBPF mode has some limitations, see the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for more details. | true, false | boolean | false |
| bpfDisableUnprivileged | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | boolean | true |
| bpfLogLevel | In eBPF dataplane mode, the log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. This is a tech preview feature and subject to change in future releases. | Off,Info,Debug | string | Off |
| bpfDataIfacePattern | In eBPF dataplane mode, controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. This is a tech preview feature and subject to change in future releases. | regular expression | string | ^(en.*|eth.*|tunl0$) |
| bpfDataIfacePattern | In eBPF dataplane mode, controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. This is a tech preview feature and subject to change in future releases. | regular expression | string | ^((en|wl|ww|sl|ib)[Popsx].\*|(eth|wlan|wwan|bond).\*|tunl0$|vxlan.calico$|vxlan-v6.calico$|wireguard.cali$|wg-v6.cali$) |
| bpfConnectTimeLoadBalancingEnabled | In eBPF dataplane mode, controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. This is a tech preview feature and subject to change in future releases. | true,false | boolean | true |
| bpfExternalServiceMode | In eBPF dataplane mode, controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly; this requires a network that allows direct return. | Tunnel,DSR | string | Tunnel |
| bpfKubeProxyIptablesCleanupEnabled | In eBPF dataplane mode, controls whether Felix will clean up the iptables rules created by the Kubernetes `kube-proxy`; should only be enabled if `kube-proxy` is not running. This is a tech preview feature and subject to change in future releases. | true,false | boolean | true |
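Review bot: the new bpfDataIfacePattern row in felixconfig.mdx puts the regex `^((en|wl|ww|sl|ib)[Popsx].\*|(eth|wlan|wwan|bond).\*|tunl0$|...)` into a markdown table cell with raw `|` characters, so the renderer will treat each one as a column separator and split the default value across extra columns. The other file in this same commit escapes them as `&#124;`; use the same escaping here (or a code span with `\|`) so both pages render the same default. The `(usually named cali...)..` double period is also carried over unchanged from the removed line and could be fixed while touching this row.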
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ See [Enable the eBPF dataplane](../../../../operations/ebpf/enabling-ebpf.mdx) f
| BPFEnabled / <br/> FELIX_BPFENABLED | Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the [HOWTO guide](../../../../operations/ebpf/enabling-ebpf.mdx). | true, false | false |
| BPFDisableUnprivileged / <br/> FELIX_BPFDISABLEUNPRIVILEGED | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | true |
| BPFLogLevel / <br/> FELIX_BPFLOGLEVEL | The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec BPF debug`. | Off,Info,Debug | Off |
| BPFDataIfacePattern / <br/> FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | `^(en[opsvx].\* | eth.\* | tunl0$ | wireguard.cali$)` |
| BPFDataIfacePattern / <br/> FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en&#124;wl&#124;ww&#124;sl&#124;ib)[Popsx].\*&#124;(eth&#124;wlan&#124;wwan&#124;bond).\*&#124;tunl0$&#124;vxlan.calico$&#124;vxlan-v6.calico$&#124;wireguard.cali$&#124;wg-v6.cali$) |
| BPFConnectTimeLoadBalancingEnabled / <br/> FELIX_BPFCONNECTTIMELOADBALANCINGENABLED | Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. | true,false | true |
| BPFExternalServiceMode / <br/> FELIX_BPFEXTERNALSERVICEMODE | Controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly; this requires a network that allows direct return. | Tunnel,DSR | Tunnel |
| BPFDSROptoutCIDRs / <br/> FELIX_BPFDSROPTOUTCIDRS | BPFDSROptoutCIDRs is a list of CIDRs that are excluded from DSR. That is, clients in those CIDRs will access nodeports as if BPFExternalServiceMode was set to Tunnel. | string | "" |
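Review bot: the replacement BPFDataIfacePattern row drops the backticks the old value had, so the default pattern now renders as prose rather than as a copyable literal; the `&#124;` entities keep the table intact, but readers will see a value that has gone through markdown escaping (`.\*`). Consider wrapping the value in a code span with `\|` for the pipes and an unescaped `.*`, so what is displayed is exactly the string Felix accepts. As in the felixconfig.mdx hunk, the `(usually named cali...)..` double period is retained and could be corrected in the same change.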
0 comments on commit 8233345