From 2413c5675cb491889d5f42c4091cb6e9d44dbe5c Mon Sep 17 00:00:00 2001 
From: Tomas Hruby Date: Mon, 16 Dec 2024 16:44:46 -0800 Subject: [PATCH] [BPF] make conntrack timeouts configurable BPFConntrackTimers overides the default values for the specified conntrack timer if set. It is a struct of values, where each value can be either a duration or `auto` to pick the value from a Linux conntrack timeout. Possible values for the keys are: CreationGracePeriod, TCPPreEstablished, TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, ICMPLastSeen. Unset or incorrect values are replaced by the default values with a warning log for incorrect values. Current auto mappings: TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent TCPEstablished: nf_conntrack_tcp_timeout_established TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait GenericIPLastSeen: nf_conntrack_generic_timeout ICMPLastSeen: nf_conntrack_icmp_timeout If there is no mapping, 'auto' is replaced by the default value. [Default: CreationGracePeriod: 10s TCPPreEstablished: 20s TCPEstablished: 1h TCPFinsSeen: auto (30s is default) TCPResetSeen: 40s UDPLastSeen: 60s GenericIPLastSeen: 10m ICMPLastSeen: 5s ] --- api/pkg/apis/projectcalico/v3/felixconfig.go | 48 ++++++++++ .../projectcalico/v3/zz_generated.deepcopy.go | 21 +++++ api/pkg/openapi/generated.openapi.go | 69 +++++++++++++- felix/bpf/conntrack/timeouts.go | 92 +++++++++++++++++++ felix/config/config_params.go | 1 + felix/dataplane/driver.go | 2 +- felix/docs/config-params.json | 26 ++++++ felix/docs/config-params.md | 32 +++++++ ...projectcalico.org_felixconfigurations.yaml | 42 +++++++++ .../configurationprocessor_test.go | 2 +- .../updateprocessors/felixconfigprocessor.go | 36 ++++++++ manifests/calico-bpf.yaml | 42 +++++++++ manifests/calico-policy-only.yaml | 42 +++++++++ manifests/calico-typha.yaml | 42 +++++++++ manifests/calico-vxlan.yaml | 42 +++++++++ manifests/calico.yaml | 42 +++++++++ manifests/canal.yaml | 42 +++++++++ manifests/crds.yaml | 42 +++++++++ manifests/flannel-migration/calico.yaml | 42 
+++++++++ manifests/operator-crds.yaml | 42 +++++++++ 20 files changed, 746 insertions(+), 3 deletions(-) diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go index bb62c894357..461f50a0a8d 100644 --- a/api/pkg/apis/projectcalico/v3/felixconfig.go +++ b/api/pkg/apis/projectcalico/v3/felixconfig.go 
@@ -611,6 +611,40 @@ type FelixConfigurationSpec struct { // [Default: Auto] BPFConntrackCleanupMode *BPFConntrackMode `json:"bpfConntrackMode,omitempty" validate:"omitempty,oneof=Auto Userspace BPFProgram"` + // BPFConntrackTimers overides the default values for the specified conntrack timer if + // set. It is a key-value make, where each value can be either a duration or `auto` to + // pick the value from a Linux conntrack timeout. + // + // Possible values for the keys are: CreationGracePeriod, TCPPreEstablished, + // TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, + // ICMPLastSeen. + // + // Unset or incorrect values are replaced by the default values with a warning log for + // incorrect values. + // + // Current auto mappings: + // + // TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent + // TCPEstablished: nf_conntrack_tcp_timeout_established + // TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait + // GenericIPLastSeen: nf_conntrack_generic_timeout + // ICMPLastSeen: nf_conntrack_icmp_timeout + // + // If there is no mapping, 'auto' is replaced by the default value. + // + // [Default: + // CreationGracePeriod: 10s + // TCPPreEstablished: 20s + // TCPEstablished: 1h + // TCPFinsSeen: auto (30s is default) + // TCPResetSeen: 40s + // UDPLastSeen: 60s + // GenericIPLastSeen: 10m + // ICMPLastSeen: 5s + // ] + // +optional + BPFConntrackTimeouts *BPFConntrackTimeouts `json:"bpfConntrackTimeouts,omitempty" validate:"omitempty"` + // BPFLogFilters is a map of key=values where the value is // a pcap filter expression and the key is an interface name with 'all' // denoting all interfaces, 'weps' all workload endpoints and 'heps' all host 
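Review bot: The new field comment opens with `BPFConntrackTimers ... It is a key-value make`, but the field is named BPFConntrackTimeouts and its type (declared in the next hunk) is a struct, so the first sentence misnames both the field and its shape; the commit message itself already says "a struct of values", and "overides" is misspelled. I would start the comment with `// BPFConntrackTimeouts overrides the default value of each conntrack timer that is set.` followed by `// Each value is either a duration or 'auto', which takes the value from the matching Linux conntrack sysctl.` and keep the rest. The same paragraph is copied verbatim into generated.openapi.go, config-params.json/.md and every CRD manifest in this patch, so fix it at this source comment and regenerate rather than editing the copies.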
@@ -941,6 +975,20 @@ type ProtoPort struct { Net string `json:"net,omitempty"` } +// +kubebuilder:validation:Pattern=`^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$` +type BPFConntrackTimeout string + +type BPFConntrackTimeouts struct { + CreationGracePeriod BPFConntrackTimeout `json:"creationGracePeriod,omitempty"` + TCPPreEstablished BPFConntrackTimeout `json:"tcpPreEstablished,omitempty"` + TCPEstablished BPFConntrackTimeout `json:"tcpEstablished,omitempty"` + TCPFinsSeen BPFConntrackTimeout `json:"tcpFinsSeen,omitempty"` + TCPResetSeen BPFConntrackTimeout `json:"tcpResetSeen,omitempty"` + UDPLastSeen BPFConntrackTimeout `json:"udpLastSeen,omitempty"` + GenericIPLastSeen BPFConntrackTimeout `json:"genericIPLastSeen,omitempty"` + ICMPLastSeen BPFConntrackTimeout `json:"icmpLastSeen,omitempty"` +} + // New FelixConfiguration creates a new (zeroed) FelixConfiguration struct with the TypeMetadata // initialized to the current version. func NewFelixConfiguration() *FelixConfiguration { diff --git a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go index cd872dde573..37a7cbb0bdc 100644 --- a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go +++ b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go 
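Review bot: The `+kubebuilder:validation:Pattern` on BPFConntrackTimeout admits strings that felix's `time.ParseDuration` later rejects (a bare unit such as `s`, or `5ss`, since `[0-9]*` and `(...)+` both allow that) and rejects some it accepts (`ns`, a leading sign), so the CRD promises validation it does not deliver and the felix side then silently falls back to the default with only a warning. Requiring a digit before each unit and listing the units ParseDuration knows, e.g. `^(([0-9]+(\.[0-9]+)?(ns|us|ms|s|m|h))+|auto)$`, keeps the two in step; continuing to reject a leading minus at the CRD is right, since a negative timeout has no meaning here. The new type also lacks a doc comment: `// BPFConntrackTimeout is a Go duration string (e.g. "30s") or "auto".`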
@@ -499,6 +499,22 @@ func (in *BGPPeerSpec) DeepCopy() *BGPPeerSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BPFConntrackTimeouts) DeepCopyInto(out *BPFConntrackTimeouts) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BPFConntrackTimeouts. +func (in *BPFConntrackTimeouts) DeepCopy() *BPFConntrackTimeouts { + if in == nil { + return nil + } + out := new(BPFConntrackTimeouts) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BlockAffinity) DeepCopyInto(out *BlockAffinity) { *out = *in @@ -1406,6 +1422,11 @@ func (in *FelixConfigurationSpec) DeepCopyInto(out *FelixConfigurationSpec) { *out = new(BPFConntrackMode) **out = **in } + if in.BPFConntrackTimeouts != nil { + in, out := &in.BPFConntrackTimeouts, &out.BPFConntrackTimeouts + *out = new(BPFConntrackTimeouts) + **out = **in + } if in.BPFLogFilters != nil { in, out := &in.BPFLogFilters, &out.BPFLogFilters *out = new(map[string]string) diff --git a/api/pkg/openapi/generated.openapi.go b/api/pkg/openapi/generated.openapi.go index a1099d0339c..037e7c577b4 100644 --- a/api/pkg/openapi/generated.openapi.go +++ b/api/pkg/openapi/generated.openapi.go 
@@ -33,6 +33,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BGPPeer": schema_pkg_apis_projectcalico_v3_BGPPeer(ref), "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BGPPeerList": schema_pkg_apis_projectcalico_v3_BGPPeerList(ref), "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BGPPeerSpec": schema_pkg_apis_projectcalico_v3_BGPPeerSpec(ref), + "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BPFConntrackTimeouts": schema_pkg_apis_projectcalico_v3_BPFConntrackTimeouts(ref), "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BlockAffinity": schema_pkg_apis_projectcalico_v3_BlockAffinity(ref), "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BlockAffinityList": schema_pkg_apis_projectcalico_v3_BlockAffinityList(ref), "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BlockAffinitySpec": schema_pkg_apis_projectcalico_v3_BlockAffinitySpec(ref), 
@@ -1259,6 +1260,66 @@ func schema_pkg_apis_projectcalico_v3_BGPPeerSpec(ref common.ReferenceCallback) } } +func schema_pkg_apis_projectcalico_v3_BPFConntrackTimeouts(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "creationGracePeriod": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "tcpPreEstablished": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "tcpEstablished": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "tcpFinsSeen": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "tcpResetSeen": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "udpLastSeen": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "genericIPLastSeen": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + "icmpLastSeen": { + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_pkg_apis_projectcalico_v3_BlockAffinity(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ 
@@ -2986,6 +3047,12 @@ func schema_pkg_apis_projectcalico_v3_FelixConfigurationSpec(ref common.Referenc Format: "", }, }, + "bpfConntrackTimeouts": { + SchemaProps: spec.SchemaProps{ + Description: "BPFConntrackTimers overides the default values for the specified conntrack timer if set. It is a key-value make, where each value can be either a duration or `auto` to pick the value from a Linux conntrack timeout.\n\nPossible values for the keys are: CreationGracePeriod, TCPPreEstablished, TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, ICMPLastSeen.\n\nUnset or incorrect values are replaced by the default values with a warning log for incorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent TCPEstablished: nf_conntrack_tcp_timeout_established TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait GenericIPLastSeen: nf_conntrack_generic_timeout ICMPLastSeen: nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]", + Ref: ref("github.com/projectcalico/api/pkg/apis/projectcalico/v3.BPFConntrackTimeouts"), + }, + }, "bpfLogFilters": { SchemaProps: spec.SchemaProps{ Description: "BPFLogFilters is a map of key=values where the value is a pcap filter expression and the key is an interface name with 'all' denoting all interfaces, 'weps' all workload endpoints and 'heps' all host endpoints.\n\nWhen specified as an env var, it accepts a comma-separated list of key=values. [Default: unset - means all debug logs are emitted]", 
@@ -3411,7 +3478,7 @@ func schema_pkg_apis_projectcalico_v3_FelixConfigurationSpec(ref common.Referenc }, }, Dependencies: []string{ - "github.com/projectcalico/api/pkg/apis/projectcalico/v3.HealthTimeoutOverride", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.ProtoPort", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.RouteTableIDRange", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.RouteTableRange", "github.com/projectcalico/api/pkg/lib/numorstring.Port", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, + "github.com/projectcalico/api/pkg/apis/projectcalico/v3.BPFConntrackTimeouts", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.HealthTimeoutOverride", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.ProtoPort", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.RouteTableIDRange", "github.com/projectcalico/api/pkg/apis/projectcalico/v3.RouteTableRange", "github.com/projectcalico/api/pkg/lib/numorstring.Port", "k8s.io/apimachinery/pkg/apis/meta/v1.Duration"}, } } diff --git a/felix/bpf/conntrack/timeouts.go b/felix/bpf/conntrack/timeouts.go index e440bcc44af..498f40b9fd0 100644 --- a/felix/bpf/conntrack/timeouts.go +++ b/felix/bpf/conntrack/timeouts.go @@ -15,6 +15,12 @@ package conntrack import ( + "bufio" + "fmt" + "os" + "reflect" + "strconv" + "strings" "time" log "github.com/sirupsen/logrus" 
@@ -99,3 +105,89 @@ func DefaultTimeouts() Timeouts { ICMPLastSeen: 5 * time.Second, } } + +var linuxSysctls = map[string]string{ + "TCPPreEstablished": "nf_conntrack_tcp_timeout_syn_sent", + "TCPEstablished": "nf_conntrack_tcp_timeout_established", + "TCPFinsSeen": "nf_conntrack_tcp_timeout_time_wait", + "GenericIPLastSeen": "nf_conntrack_generic_timeout", + "ICMPLastSeen": "nf_conntrack_icmp_timeout", +} + +func GetTimeouts(config map[string]string) Timeouts { + t := DefaultTimeouts() + + v := reflect.ValueOf(&t) + v = v.Elem() + + for key, value := range config { + field := v.FieldByName(key) + if !field.IsValid() { + log.WithField("value", key).Warn("Not a valid BPF conntrack timeout, skipping") + continue + } + + d, err := time.ParseDuration(value) + if err == nil { + log.WithFields(log.Fields{"name": key, "value": d}).Info("BPF conntrack timeout set") + field.SetInt(int64(d)) + continue + } + + if value == "auto" { + sysctl := linuxSysctls[key] + if sysctl != "" { + seconds, err := readSecondsFromFile(sysctl) + if err == nil { + d := time.Duration(seconds) * time.Second + log.WithFields(log.Fields{"name": key, "value": d}).Infof("BPF conntrack timeout set from %s", sysctl) + field.SetInt(int64(d)) + continue + } + } + } + + log.WithField("value", key).Warnf("Not a valid BPF conntrack timeout value, using default %s", + time.Duration(field.Int())) + } + + fields := make(log.Fields) + + tt := reflect.TypeOf(t) + + for i := 0; i < v.NumField(); i++ { + fields[tt.Field(i).Name] = v.Field(i).Interface() + } + + log.WithFields(fields).Infof("BPF conntrack timers") + + return t +} + +func readSecondsFromFile(nfTimeout string) (int, error) { + filePath := "/proc/sys/net/netfilter/" + nfTimeout + + file, err := os.Open(filePath) + if err != nil { + return 0, fmt.Errorf("error opening file: %w", err) + } + defer file.Close() + + scanner := bufio.NewScanner(file) + if scanner.Scan() { + line := scanner.Text() + line = strings.TrimSpace(line) + seconds, err := 
strconv.Atoi(line) + if err != nil { + return 0, fmt.Errorf("error converting the value to an integer: %w", err) + } + + return seconds, nil + } + + if err := scanner.Err(); err != nil { + return 0, fmt.Errorf("error reading from file: %w", err) + } + + return 0, fmt.Errorf("file is empty or cannot read a line") +} diff --git a/felix/config/config_params.go b/felix/config/config_params.go index e8a5b2714e7..df7cb3038cb 100644 --- a/felix/config/config_params.go +++ b/felix/config/config_params.go @@ -180,6 +180,7 @@ type Config struct { BPFLogLevel string `config:"oneof(off,info,debug);off;non-zero"` BPFConntrackLogLevel string `config:"oneof(off,debug);off;non-zero"` BPFConntrackCleanupMode string `config:"oneof(Auto,Userspace,BPFProgram);Auto"` + BPFConntrackTimeouts map[string]string `config:"keyvaluelist;CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=auto,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s"` BPFLogFilters map[string]string `config:"keyvaluelist;;"` BPFCTLBLogFilter string `config:"oneof(all);;"` BPFDataIfacePattern *regexp.Regexp `config:"regexp;^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)"` diff --git a/felix/dataplane/driver.go b/felix/dataplane/driver.go index c68c311dd5a..980b2403166 100644 --- a/felix/dataplane/driver.go +++ b/felix/dataplane/driver.go @@ -378,7 +378,7 @@ func StartDataplaneDriver( BPFDisableGROForIfaces: configParams.BPFDisableGROForIfaces, XDPEnabled: configParams.XDPEnabled, XDPAllowGeneric: configParams.GenericXDPEnabled, - BPFConntrackTimeouts: conntrack.DefaultTimeouts(), // FIXME make timeouts configurable + BPFConntrackTimeouts: conntrack.GetTimeouts(configParams.BPFConntrackTimeouts), BPFConntrackCleanupMode: apiv3.BPFConntrackMode(configParams.BPFConntrackCleanupMode), RouteTableManager: routeTableIndexAllocator, MTUIfacePattern: configParams.MTUIfacePattern, 
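Review bot: `GetTimeouts` installs any duration `time.ParseDuration` accepts, including zero and negative ones (`-5s`), via `field.SetInt(int64(d))`; the CRD pattern in felixconfig.go rejects a leading sign, but the env-var/config-file path through the `keyvaluelist` default in config_params.go (same line of the patch) has no such check, so a typo can make entries expire immediately, and I cannot see from here how the BPF side treats a negative timeout. Gating the assignment with `if err == nil && d > 0 {` (or `d >= 0` if a zero timer is intentionally supported) routes such values through the existing warn-and-use-default path. In the `auto` branch the error from `readSecondsFromFile` is dropped and the closing `Warnf` does not say why `auto` failed; carry it into that warning with `log.WithError(err)` so a missing or unreadable sysctl is diagnosable. `readSecondsFromFile` only ever receives a value from the fixed `linuxSysctls` map, never from config, which keeps the `/proc/sys/net/netfilter/` path unsteerable; that is worth stating in a doc comment on the function, and the exported `GetTimeouts` needs one too, e.g. `// GetTimeouts returns DefaultTimeouts with each valid entry of config, keyed by Timeouts field name, applied on top.`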
diff --git a/felix/docs/config-params.json b/felix/docs/config-params.json index 097cd45c14c..a58e7902995 100644 --- a/felix/docs/config-params.json +++ b/felix/docs/config-params.json 
@@ -2701,6 +2701,32 @@ "UserEditable": true, "GoType": "string" }, + { + "Group": "Dataplane: eBPF", + "GroupWithSortPrefix": "22 Dataplane: eBPF", + "NameConfigFile": "BPFConntrackTimeouts", + "NameEnvVar": "FELIX_BPFConntrackTimeouts", + "NameYAML": "bpfConntrackTimeouts", + "NameGoAPI": "BPFConntrackTimeouts", + "StringSchema": "Comma-delimited list of key=value pairs", + "StringSchemaHTML": "Comma-delimited list of key=value pairs", + "StringDefault": "CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=auto,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s", + "ParsedDefault": "map[CreationGracePeriod:10s GenericIPLastSeen:10m ICMPLastSeen:5s TCPEstablished:1h TCPFinsSeen:auto TCPPreEstablished:20s TCPResetSeen:40s UDPLastSeen:60s]", + "ParsedDefaultJSON": "{\"CreationGracePeriod\":\"10s\",\"GenericIPLastSeen\":\"10m\",\"ICMPLastSeen\":\"5s\",\"TCPEstablished\":\"1h\",\"TCPFinsSeen\":\"auto\",\"TCPPreEstablished\":\"20s\",\"TCPResetSeen\":\"40s\",\"UDPLastSeen\":\"60s\"}", + "ParsedType": "map[string]string", + "YAMLType": "object", + "YAMLSchema": "", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "BPFConntrackTimers overides the default values for the specified conntrack timer if\nset. 
It is a key-value make, where each value can be either a duration or `auto` to\npick the value from a Linux conntrack timeout.\n\nPossible values for the keys are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset or incorrect values are replaced by the default values with a warning log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' is replaced by the default value.", + "DescriptionHTML": "

BPFConntrackTimers overides the default values for the specified conntrack timer if\nset. It is a key-value make, where each value can be either a duration or auto to\npick the value from a Linux conntrack timeout.

\n

Possible values for the keys are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.

\n

Unset or incorrect values are replaced by the default values with a warning log for\nincorrect values.

\n

Current auto mappings:

\n

TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: nf_conntrack_icmp_timeout

\n

If there is no mapping, 'auto' is replaced by the default value.

", + "UserEditable": true, + "GoType": "*v3.BPFConntrackTimeouts" + }, { "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", diff --git a/felix/docs/config-params.md b/felix/docs/config-params.md index dd3cc623eae..d8f07668866 100644 --- a/felix/docs/config-params.md +++ b/felix/docs/config-params.md 
@@ -1474,6 +1474,38 @@ to clean up expired BPF conntrack entries. | Default value (YAML) | `off` | | Notes | Required. | +### `BPFConntrackTimeouts` (config file) / `bpfConntrackTimeouts` (YAML) + +BPFConntrackTimers overides the default values for the specified conntrack timer if +set. It is a key-value make, where each value can be either a duration or `auto` to +pick the value from a Linux conntrack timeout. + +Possible values for the keys are: CreationGracePeriod, TCPPreEstablished, +TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, +ICMPLastSeen. + +Unset or incorrect values are replaced by the default values with a warning log for +incorrect values. + +Current auto mappings: + +TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent +TCPEstablished: nf_conntrack_tcp_timeout_established +TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait +GenericIPLastSeen: nf_conntrack_generic_timeout +ICMPLastSeen: nf_conntrack_icmp_timeout + +If there is no mapping, 'auto' is replaced by the default value. + +| Detail | | +| --- | --- | +| Environment variable | `FELIX_BPFConntrackTimeouts` | +| Encoding (env var/config file) | Comma-delimited list of key=value pairs | +| Default value (above encoding) | `CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=auto,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s` | +| `FelixConfiguration` field | `bpfConntrackTimeouts` (YAML) `BPFConntrackTimeouts` (Go API) | +| `FelixConfiguration` schema | `object` | +| Default value (YAML) | none | + ### `BPFDSROptoutCIDRs` (config file) / `bpfDSROptoutCIDRs` (YAML) A list of CIDRs which are excluded from DSR. That is, clients diff --git a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml index 7e4c7bf3532..462650232c5 100644 --- a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml 
+++ b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml 
@@ -107,6 +107,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs 
which are excluded from DSR. That is, clients diff --git a/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go b/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go index 9cfe34d6ee6..f66e76b2acb 100644 --- a/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go +++ b/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go @@ -43,7 +43,7 @@ const ( ) const ( - numBaseFelixConfigs = 152 + numBaseFelixConfigs = 153 ) var _ = Describe("Test the generic configuration update processor and the concrete implementations", func() { diff --git a/libcalico-go/lib/backend/syncersv1/updateprocessors/felixconfigprocessor.go b/libcalico-go/lib/backend/syncersv1/updateprocessors/felixconfigprocessor.go index 39940014671..9807c45cad1 100644 --- a/libcalico-go/lib/backend/syncersv1/updateprocessors/felixconfigprocessor.go +++ b/libcalico-go/lib/backend/syncersv1/updateprocessors/felixconfigprocessor.go @@ -41,6 +41,7 @@ func NewFelixConfigUpdateProcessor() watchersyncer.SyncerUpdateProcessor { "RouteTableRange": routeTableRangeToString, "RouteTableRanges": routeTableRangeListToString, "HealthTimeoutOverrides": healthTimeoutOverridesToString, + "BPFConntrackTimeouts": bpfConntrackTimeoutsToString, }, ) } 
@@ -99,3 +100,38 @@ func healthTimeoutOverridesToString(value interface{}) interface{} { } return strings.Join(parts, ",") } + +func structToKeyValueString(input interface{}) (string, error) { + // Get the type and value of the input struct + v := reflect.ValueOf(input) + t := reflect.TypeOf(input) + + // Ensure the input is a struct + if t.Kind() != reflect.Struct { + return "", fmt.Errorf("input must be a struct") + } + + // Build the key=value pairs + var parts []string + for i := 0; i < t.NumField(); i++ { + field := t.Field(i) + value := v.Field(i) + + // Check if the field is exportable and is a string + if field.PkgPath == "" && value.Kind() == reflect.String { + s := value.String() + if s == "" { + continue + } + + parts = append(parts, fmt.Sprintf("%s=%s", field.Name, s)) + } + } + + return strings.Join(parts, ","), nil +} + +func bpfConntrackTimeoutsToString(value interface{}) interface{} { + res, _ := structToKeyValueString(value) + return res +} diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index ac3836b9d5f..9e0ef4179ba 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml 
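Review bot: `bpfConntrackTimeoutsToString` discards the error from `structToKeyValueString` (`res, _ :=`), so a non-struct input becomes an empty string with no trace; since the API field is a `*BPFConntrackTimeouts` pointer (config-params.json in this patch records the GoType as `*v3.BPFConntrackTimeouts`) and `reflect.TypeOf(input).Kind()` is `Ptr` for a pointer, that is exactly the path taken unless the caller dereferences first, which I cannot see from the hunk. Making the helper pointer-tolerant with `reflect.Indirect` (a nil pointer yields an invalid Value, so check `IsValid` before calling `Type`) and logging the error in the wrapper removes the silent failure; the logger name below assumes the file's existing import, which is outside the hunk.
```go
func structToKeyValueString(input interface{}) (string, error) {
	// Accept a struct or a pointer to one; a nil pointer yields an invalid Value.
	v := reflect.Indirect(reflect.ValueOf(input))
	if !v.IsValid() || v.Kind() != reflect.Struct {
		return "", fmt.Errorf("input must be a struct or a pointer to a struct")
	}
	t := v.Type()
	// … unchanged: key=value loop over exported string fields …
}

func bpfConntrackTimeoutsToString(value interface{}) interface{} {
	res, err := structToKeyValueString(value)
	if err != nil {
		// uses the file's logger; do not drop the error silently
		log.WithError(err).Warn("Cannot convert BPFConntrackTimeouts to string")
	}
	return res
}
```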
@@ -1119,6 +1119,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index ae73767ff54..10986fb0989 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml 
@@ -1129,6 +1129,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index be86b169b8b..2aff0ace3d2 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml 
@@ -1130,6 +1130,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index 59a40041a3d..6a0613c9f98 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml 
@@ -1114,6 +1114,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico.yaml b/manifests/calico.yaml index 6428cef1e0d..1e11b0ea495 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml 
@@ -1114,6 +1114,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/canal.yaml b/manifests/canal.yaml index 412763fb68c..13af26c607a 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml 
@@ -1131,6 +1131,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/crds.yaml b/manifests/crds.yaml index 324fe1f770b..ac10d335e45 100644 --- a/manifests/crds.yaml +++ b/manifests/crds.yaml 
@@ -1024,6 +1024,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index eb0775ba788..036048998be 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml 
@@ -1114,6 +1114,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/operator-crds.yaml b/manifests/operator-crds.yaml index b612e0616ec..d8fee98c015 100644 --- a/manifests/operator-crds.yaml +++ b/manifests/operator-crds.yaml 
@@ -19650,6 +19650,48 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or `auto` to\npick the value + from a Linux conntrack timeout.\n\nPossible values for the keys + are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, + TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nUnset + or incorrect values are replaced by the default values with a warning + log for\nincorrect values.\n\nCurrent auto mappings:\n\nTCPPreEstablished: + nf_conntrack_tcp_timeout_syn_sent\nTCPEstablished: nf_conntrack_tcp_timeout_established\nTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\nGenericIPLastSeen: nf_conntrack_generic_timeout\nICMPLastSeen: + \ nf_conntrack_icmp_timeout\n\nIf there is no mapping, 'auto' + is replaced by the default value.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ auto (30s is default)\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + properties: + creationGracePeriod: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + genericIPLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + icmpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpFinsSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpPreEstablished: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + tcpResetSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + udpLastSeen: + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|auto)$ + type: string + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of 
CIDRs which are excluded from DSR. That is, clients