Update docs for 3.29 #1665

Open
wants to merge 11 commits into base: main
16 changes: 9 additions & 7 deletions calico/reference/felix/configuration.mdx
@@ -103,12 +103,6 @@
| `FeatureDetectOverride` | `FELIX_FEATUREDETECTOVERRIDE` | Is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=true,IPIPDeviceIsL3=true. "true" or "false" will force the feature, empty or omitted values are auto-detected. [Default: `""`] | string |
| `FeatureGates` | `FELIX_FEATUREGATES` | Is used to enable or disable tech-preview Calico features. Values are specified in a comma separated list with no spaces. This is used to enable features that are not fully production ready. Example; "AbC=enabled,XyZ=false" [Default: not set] | string

#### Feature Gates

* `BPFConnectTimeLoadBalancingWorkaround` - Use when connect-time loadbalancer (CTLB) is turned off or if you want to turn it off for UDP only. When CTLB is turned off, host networked processes cannot always reach services. This workaround makes sure that they can. When CTLB is turned on, UDP clients may get stuck sending traffic to endpoint that does not exist anymore. So CTLB needs to be turned off sometimes.
* `enabled` - when CTLB is turned off make sure that services are always accessible.
* `udp` - turns off CTLB for UDP only and makes sure that services are always accessible. Preferred setting to make sure that DNS works.

### Go runtime configuration

These configuration pararmeters allow configuration of the Go language runtime.
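Review bot: dropping the `#### Feature Gates` subsection leaves the `FeatureGates` row with no documented gate to point at, so a reader who still has `BPFConnectTimeLoadBalancingWorkaround=udp` set from an earlier release gets no hint of what replaced it; consider keeping one sentence under that row such as "The BPFConnectTimeLoadBalancingWorkaround gate has been superseded by the BPFConnectTimeLoadBalancing setting", assuming that is the intended replacement. Two smaller points in the same hunk: the `FeatureGates` row is missing the closing `|` that every other row has, and the trailing context line reads "pararmeters".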
@@ -180,7 +174,9 @@
| BPFEnabled / <br/> FELIX_BPFENABLED | Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx). | true, false | false |
| BPFDisableUnprivileged / <br/> FELIX_BPFDISABLEUNPRIVILEGED | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | true |
| BPFLogLevel / <br/> FELIX_BPFLOGLEVEL | The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec BPF debug`. | Off,Info,Debug | Off |
| BPFDataIfacePattern / <br/> FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en&#124;wl&#124;ww&#124;sl&#124;ib)[Popsx].\*&#124;(eth&#124;wlan&#124;wwan&#124;bond).\*&#124;tunl0$&#124;vxlan.calico$&#124;vxlan-v6.calico$&#124;wireguard.cali$&#124;wg-v6.cali$) |
| BPFLogFilters / <br/> FELIX_ BPFLOGFILTERS | Limits logging for selected interfaces and packets. It is a map of key=values where the value is a `pcap` filter expression that select packets and the key is an interface name that selects the interface to log. Special values of `all` denotes all interfaces, `weps` all workload endpoints and `heps` all host endpoints. When specified as an environment variable, it accepts a comma-separated list of key=values. It is unset by default which means all debug logs are emitted when BPFLogLevel is Debug. | string | "" |
| BPFCTLBLogFilter / <br/> FELIX_BPFCTLBLOGFILTER | Specifies, what is logged by connect time load balancer (CTLB) when BPFLogLevel is debug and BPFLogFilters is set. Must be set to `all` to see CTLB logs. | string | "" |
| BPFDataIfacePattern / <br/> FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en&#124;wl&#124;ww&#124;sl&#124;ib) [Popsvx]&#46;&#124;&#42; &#124;(eth &#124;wlan &#124;wwan)&#46;&#124;&#42;&#124;tunl0$ &#124; vxlan.calico$ &#124; wireguard.cali$ &#124; wg-v6.cali$) |
| BPFL3IfacePattern / <br/> FELIX_BPFL3IFACEPATTERN | Allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. | regular expression | "" |
| BPFConnectTimeLoadBalancingEnabled / <br/> FELIX_BPFCONNECTTIMELOADBALANCINGENABLED | Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. | true,false | true |
| BPFConnectTimeLoadBalancing / <br/> FELIX_BPFCONNECTTIMELOADBALANCING | Controls whether Felix installs the connect-time load balancer. It improves the performance of pod-to-service connections. When set to TCP (default), connect-time load balancing is available only for services with TCP ports. If set to Enabled, it is enabled for any protocol - with that, UDP applications may keep sending data to a service (e.g., DNS) backend that does not exist anymore. When set to Disabled or TCP, bpfHostNetworkedNATWithoutCTLB must be set to Enabled for host networked processed to be able to reach all service correctly. If ebpf is used with a service mesh that uses sidecars like Istio, set this option to Disabled and bpfHostNetworkedNATWithoutCTLB to Enabled (default). That allows the mesh to intercept service IPs before they get resolved. | TCP,Enabled,Disabled | TCP |
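Review bot: the environment variable in the `BPFLogFilters` row is written `FELIX_ BPFLOGFILTERS` with a space after the underscore; anyone copying it will set a variable Felix never reads, so it should be `FELIX_BPFLOGFILTERS`. Two more things in this hunk: the `BPFConnectTimeLoadBalancing` row refers twice to `bpfHostNetworkedNATWithoutCTLB` (and says it must be `Enabled` for host-networked processes to reach services when CTLB is `Disabled` or `TCP`), but no row in this diff documents that setting, so either add its row or link to where it is described; and the hunk ends up with two `BPFDataIfacePattern` rows with different default regexes, so confirm that only the one with the current default (`[Popsx]`, `bond`, `vxlan-v6.calico$`) remains in the merged table. Minor grammar in the new rows: "a `pcap` filter expression that selects packets", "Special values of `all` ... denote", "Specifies what is logged" (no comma), and "host networked processes to be able to reach all services".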
@@ -199,7 +195,13 @@
| BPFMapSizeIPSets / <br/> FELIX_BPFMapSizeIPSets | Controls the size of the IPSets map. The IP sets map must be large enough to hold an entry for each endpoint matched by every selector in the source/destination matches in network policy. Selectors such as "all()" can result in large numbers of entries (one entry per endpoint in that case). | int | 1048576 |
| BPFMapSizeRoute / <br/> FELIX_BPFMapSizeRoute | Controls the size of the route map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs). | int | 262144 |
| BPFHostConntrackBypass / <br/> FELIX_BPFHostConntrackBypass | Controls whether to bypass Linux conntrack in BPF mode for workloads and services. | true,false | true |
| BPFEnforceRPF / <br/> FELIX_BPFEnforceRPF | Controls RPF on all host interfaces with BPF programs regardless of the interface or global settings. To prevent spoofing, we also enforce it in IPv6 mode. Possible values are `Disabled`, `Strict` or `Loose`. | string | "Loose" |

| BPFPolicyDebugEnabled / <br/> FELIX_BPFPOLICYDEBUGENABLED | In eBPF dataplane mode, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. | true, false | true |
| BPFForceTrackPacketsFromIfaces / <br/> FELIX_BPFFORCETRACKPACKETSFROMIFACES | In BPF mode, forces traffic from these interfaces to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be tracked by Linux conntrack. Should only be used for interfaces that are not used for the Calico fabric. For example, a Docker bridge device for non-Calico-networked containers. [Default: docker+] | string | "docker+" |
| BPFDisableGROForIfaces / <br/> FELIX_BPFDISABLEGROFORIFACES | A regular expression that controls which interfaces Felix should disable the Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). | string | "" |
| BPFExcludeCIDRsFromNAT / <br/> FELIX_BPFEXCLUDECIDRSFROMNATIS | A list of CIDRs that are to be excluded from NAT resolution so that the host can handle them. A typical use case is node local DNS cache. Set it to your kube-dns service IP if you want to use node local DNS cache. | string | "" |
| BPFRedirectToPeer <br/> FELIX_BPFREDIRECTTOPEER | Controls whether it is allowed to forward straight to the peer side of the workload devices, which makes ingress into the workloads from outside the node faster. It is enabled for any host L2 devices by default (`L2Only`), but it breaks tcpdump on the host side of workload device as it bypasses it on ingress. Set it to `Disabled` to make tcpdump work as expected. Value of `Enabled` also allows redirection from L3 host devices like IPIP tunnel or Wireguard directly to the peer side of the workload's device. However, it breaks tools like tcpdump on the peer side. Use `Enabled` with caution. | string | "L2Only" |
### Kubernetes-specific configuration
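Review bot: the `BPFExcludeCIDRsFromNAT` row gives the environment variable as `FELIX_BPFEXCLUDECIDRSFROMNATIS`; by the convention every other row follows (the parameter name upper-cased and prefixed with `FELIX_`) it should be `FELIX_BPFEXCLUDECIDRSFROMNAT`, and the stray `IS` would silently turn the setting into a no-op for anyone configuring Felix through the environment. Also in this hunk: the `BPFRedirectToPeer` row lacks the ` / ` separator between parameter and environment variable that the other rows use; the `BPFEnforceRPF` row says the check prevents spoofing but never states what `Strict` and `Loose` actually verify, or that `Disabled` removes that protection, which is exactly what a reader choosing between the values needs; and the `BPFForceTrackPacketsFromIfaces` row repeats `[Default: docker+]` inside the description although the default has its own column.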
