From a22b9be7d80f1d02d74017660b4aace9c08012d1 Mon Sep 17 00:00:00 2001
From: rene-dekker
Date: Mon, 3 Feb 2025 10:33:29 -0800
Subject: [PATCH] commit the make-versions changes

---
 ...projectcalico.org_felixconfigurations.yaml | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
index 1e43c94de5..148cf32d56 100644
--- a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
+++ b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
@@ -578,8 +578,8 @@ spec:
 This setting is ignored by eBPF and BPFDNSPolicyMode is used instead.
- Inline policy mode is not supported in NFTables mode. Default mode in DelayDeniedPacket in case of NFTables.
- [Default: DelayDeniedPacket]
+ This field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead.
+ [Default: Inline]
 enum:
 - NoDelay
 - DelayDeniedPacket
@@ -1351,6 +1351,24 @@ spec:
 are used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors due to a bug in the netlink library.
 type: string
+ nftablesDNSPolicyMode:
+ description: |-
+ NFTablesDNSPolicyMode specifies how DNS policy programming will be handled for NFTables.
+ DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches,
+ but did not match. The packet is released after a fixed time, or after the destination IP address was programmed.
+ DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some
+ latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics
+ are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit
+ statistics.
+ NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time
+ the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial
+ connection attempts fail. This may be problematic for some applications or for very low DNS TTLs.
+ [Default: DelayDeniedPacket]
+ enum:
+ - NoDelay
+ - DelayDeniedPacket
+ - DelayDNSResponse
+ type: string
 nftablesFilterAllowAction:
 description: |-
 NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict