commit the make-versions changes #3750

Merged
merged 1 commit into from
Feb 3, 2025
Expand Up @@ -578,8 +578,8 @@ spec:

This setting is ignored by eBPF and BPFDNSPolicyMode is used instead.

Inline policy mode is not supported in NFTables mode. Default mode in DelayDeniedPacket in case of NFTables.
[Default: DelayDeniedPacket]
This field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead.
[Default: Inline]
enum:
- NoDelay
- DelayDeniedPacket
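Review bot: the replacement description at the dnsPolicyMode field changes both the guidance ("has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead") and the stated default (from `[Default: DelayDeniedPacket]` to `[Default: Inline]`) for the same field in one edit; since the PR title says this is make-versions output, confirm the CRD was regenerated from the Go API type rather than hand-edited, otherwise the next generator run will revert the wording. Also worth checking that the stated default matches the value Felix actually applies when the field is unset, because the description is the only place the default is recorded in this hunk (there is no `default:` schema key).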
Expand Down Expand Up @@ -1351,6 +1351,24 @@ spec:
are used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors
due to a bug in the netlink library.
type: string
nftablesDNSPolicyMode:
description: |-
NFTablesDNSPolicyMode specifies how DNS policy programming will be handled for NFTables.
DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches,
but did not match. The packet is released after a fixed time, or after the destination IP address was programmed.
DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some
latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics
are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit
statistics.
NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time
the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial
connection attempts fail. This may be problematic for some applications or for very low DNS TTLs.
[Default: DelayDeniedPacket]
enum:
- NoDelay
- DelayDeniedPacket
- DelayDNSResponse
type: string
nftablesFilterAllowAction:
description: |-
NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict
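Review bot: in the new nftablesDNSPolicyMode block, the enum order (NoDelay, DelayDeniedPacket, DelayDNSResponse) does not follow the order in which the description explains the modes (DelayDeniedPacket, DelayDNSResponse, NoDelay); aligning the two would make the default easier to locate. More importantly, `[Default: DelayDeniedPacket]` is description text only and the schema carries no `default:` key, so a FelixConfiguration that omits this field relies on Felix's in-code default; verify the Go default agrees with the documented one, since a mismatch would silently change whether packets denied by domain-matching egress policy are held and released or dropped outright.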