diff --git a/api/pkg/apis/projectcalico/v3/felixconfig.go b/api/pkg/apis/projectcalico/v3/felixconfig.go index a44240514e2..4728d7807bb 100644 --- a/api/pkg/apis/projectcalico/v3/felixconfig.go +++ b/api/pkg/apis/projectcalico/v3/felixconfig.go @@ -611,6 +611,39 @@ type FelixConfigurationSpec struct { // [Default: Auto] BPFConntrackCleanupMode *BPFConntrackMode `json:"bpfConntrackMode,omitempty" validate:"omitempty,oneof=Auto Userspace BPFProgram"` + // BPFConntrackTimers overides the default values for the specified conntrack timer if + // set. It is a key-value make, where each value can be either a duration or a name of + // a Linux conntrack timeout to use. + // + // Possible values for the keys are: CreationGracePeriod, TCPPreEstablished, + // TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, + // ICMPLastSeen. + // + // Example: + // + // CreationGracePeriod: 15s + // TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent + // TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait + // + // This would override 3 timers, one with 15 seconds and two with respective values + // taken from /proc/sys/net/netfilter/ files. + // + // Unset or incorrect values are replaced by the default values with a warning log for + // incorrect values. + // + // [Default: + // CreationGracePeriod: 10s + // TCPPreEstablished: 20s + // TCPEstablished: 1h + // TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait + // TCPResetSeen: 40s + // UDPLastSeen: 60s + // GenericIPLastSeen: 10m + // ICMPLastSeen: 5s + // ] + // +optional + BPFConntrackTimeouts *map[string]string `json:"bpfConntrackTimeouts,omitempty" validate:"omitempty"` + // BPFLogFilters is a map of key=values where the value is // a pcap filter expression and the key is an interface name with 'all' // denoting all interfaces, 'weps' all workload endpoints and 'heps' all host 
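Review bot: The new doc comment misspells `overides` and says `key-value make` where it means `map`, and because this comment is the source for the generated OpenAPI schema, CRDs, manifests and docs in the later hunks, the typos are copied into all of them; fix them here (`// BPFConntrackTimeouts overrides the default values for the specified conntrack timers if` / `// set. It is a key-value map, where each value can be either a duration or a name of`) and regenerate. The comment also opens with `BPFConntrackTimers` while the field is `BPFConntrackTimeouts`, which breaks the convention that a doc comment starts with the name it documents. The tag `validate:"omitempty"` constrains neither keys nor values, so unless validation happens elsewhere a mistyped key is accepted on apply and only surfaces as a warning in the Felix log at startup; restricting keys to the eight listed names at the API layer would reject it up front. The enclosing `FelixConfigurationSpec` struct starts and ends outside the hunk.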
diff --git a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go index cd872dde573..613fff2713f 100644 --- a/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go +++ b/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go @@ -1406,6 +1406,17 @@ func (in *FelixConfigurationSpec) DeepCopyInto(out *FelixConfigurationSpec) { *out = new(BPFConntrackMode) **out = **in } + if in.BPFConntrackTimeouts != nil { + in, out := &in.BPFConntrackTimeouts, &out.BPFConntrackTimeouts + *out = new(map[string]string) + if **in != nil { + in, out := *in, *out + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + } if in.BPFLogFilters != nil { in, out := &in.BPFLogFilters, &out.BPFLogFilters *out = new(map[string]string) diff --git a/api/pkg/openapi/generated.openapi.go b/api/pkg/openapi/generated.openapi.go index cac73b1f9da..ec2b0bd47f8 100644 --- a/api/pkg/openapi/generated.openapi.go +++ b/api/pkg/openapi/generated.openapi.go 
@@ -2986,6 +2986,22 @@ func schema_pkg_apis_projectcalico_v3_FelixConfigurationSpec(ref common.Referenc Format: "", }, }, + "bpfConntrackTimeouts": { + SchemaProps: spec.SchemaProps{ + Description: "BPFConntrackTimers overides the default values for the specified conntrack timer if set. It is a key-value make, where each value can be either a duration or a name of a Linux conntrack timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, TCPPreEstablished, TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, ICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: 15s TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, one with 15 seconds and two with respective values taken from /proc/sys/net/netfilter/ files.\n\nUnset or incorrect values are replaced by the default values with a warning log for incorrect values.\n\n[Default:\n\tCreationGracePeriod: 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, "bpfLogFilters": { SchemaProps: spec.SchemaProps{ Description: "BPFLogFilters is a map of key=values where the value is a pcap filter expression and the key is an interface name with 'all' denoting all interfaces, 'weps' all workload endpoints and 'heps' all host endpoints.\n\nWhen specified as an env var, it accepts a comma-separated list of key=values. [Default: unset - means all debug logs are emitted]", diff --git a/felix/bpf/conntrack/timeouts.go b/felix/bpf/conntrack/timeouts.go index e440bcc44af..02f9c85dc7b 100644 --- a/felix/bpf/conntrack/timeouts.go 
+++ b/felix/bpf/conntrack/timeouts.go @@ -15,6 +15,12 @@ package conntrack import ( + "bufio" + "fmt" + "os" + "reflect" + "strconv" + "strings" "time" log "github.com/sirupsen/logrus" 
@@ -99,3 +105,76 @@ func DefaultTimeouts() Timeouts {
 ICMPLastSeen: 5 * time.Second,
 }
 }
+
+func GetTimeouts(config map[string]string) Timeouts {
+ t := DefaultTimeouts()
+
+ v := reflect.ValueOf(&t)
+ v = v.Elem()
+
+ for key, value := range config {
+ field := v.FieldByName(key)
+ if !field.IsValid() {
+ log.WithField("value", key).Warn("Not a valid BPF conntrack timeout, skipping")
+ continue
+ }
+
+ d, err := time.ParseDuration(value)
+ if err == nil {
+ log.WithFields(log.Fields{"name": key, "value": d}).Info("BPF conntrack timeout set")
+ field.SetInt(int64(d))
+ continue
+ }
+
+ seconds, err := readSecondsFromFile(value)
+ if err == nil {
+ d := time.Duration(seconds) * time.Second
+ log.WithFields(log.Fields{"name": key, "value": d}).Infof("BPF conntrack timeout set from %s", value)
+ field.SetInt(int64(d))
+ continue
+ }
+
+ log.WithField("value", key).Warnf("Not a valid BPF conntrack timeout value, using default %s",
+ time.Duration(field.Int()))
+ }
+
+ fields := make(log.Fields)
+
+ tt := reflect.TypeOf(t)
+
+ for i := 0; i < v.NumField(); i++ {
+ fields[tt.Field(i).Name] = v.Field(i).Interface()
+ }
+
+ log.WithFields(fields).Infof("BPF conntrack timers")
+
+ return t
+}
+
+func readSecondsFromFile(nfTimeout string) (int, error) {
+ filePath := "/proc/sys/net/netfilter/" + nfTimeout
+
+ file, err := os.Open(filePath)
+ if err != nil {
+ return 0, fmt.Errorf("error opening file: %w", err)
+ }
+ defer file.Close()
+
+ scanner := bufio.NewScanner(file)
+ if scanner.Scan() {
+ line := scanner.Text()
+ line = strings.TrimSpace(line)
+ seconds, err := strconv.Atoi(line)
+ if err != nil {
+ return 0, fmt.Errorf("error converting the value to an integer: %w", err)
+ }
+
+ return seconds, nil
+ }
+
+ if err := scanner.Err(); err != nil {
+ return 0, fmt.Errorf("error reading from file: %w", err)
+ }
+
+ return 0, fmt.Errorf("file is empty or cannot read a line")
+}
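Review bot: `readSecondsFromFile` concatenates the configuration-supplied value straight into `"/proc/sys/net/netfilter/" + nfTimeout`, so a value containing `/` or `..` names a file outside that directory; the value should be rejected unless it is a bare file name (and, if every intended target shares it, carries the `nf_conntrack_` prefix). In the same function a negative integer read from the file becomes a negative duration that `field.SetInt` stores unchecked, so a sign check belongs next to the `Atoi`. `GetTimeouts` relies on every field of `Timeouts` being an integer kind, since `SetInt` panics on anything else; the struct is defined outside the hunk, so a comment such as `// Timeouts must contain only time.Duration fields: SetInt panics on any other kind.` would pin that assumption. The two `log.WithField("value", key)` calls label the key as a value, where `"name"` would match the other log lines in the loop.

```go
func readSecondsFromFile(nfTimeout string) (int, error) {
	// The name comes from FelixConfiguration: accept only a bare file name so it
	// cannot refer to anything outside /proc/sys/net/netfilter/.
	if nfTimeout == "" || nfTimeout == "." || nfTimeout == ".." || strings.Contains(nfTimeout, "/") {
		return 0, fmt.Errorf("invalid conntrack timeout name %q", nfTimeout)
	}
	filePath := "/proc/sys/net/netfilter/" + nfTimeout
	// … unchanged: open, scan first line, Atoi …
		if seconds < 0 {
			return 0, fmt.Errorf("negative timeout %d in %s", seconds, filePath)
		}
		return seconds, nil
	// … unchanged: scanner.Err() check and empty-file error …
}
```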
diff --git a/felix/config/config_params.go b/felix/config/config_params.go
index 5fd538eec9d..c412283e73b 100644
--- a/felix/config/config_params.go
+++ b/felix/config/config_params.go
@@ -180,6 +180,7 @@ type Config struct {
 BPFLogLevel string `config:"oneof(off,info,debug);off;non-zero"`
 BPFConntrackLogLevel string `config:"oneof(off,debug);off;non-zero"`
 BPFConntrackCleanupMode string `config:"oneof(Auto,Userspace,BPFProgram);Auto"`
+ BPFConntrackTimeouts map[string]string `config:"keyvaluelist;CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=nf_conntrack_tcp_timeout_time_wait,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s"`
 BPFLogFilters map[string]string `config:"keyvaluelist;;"`
 BPFCTLBLogFilter string `config:"oneof(all);;"`
 BPFDataIfacePattern *regexp.Regexp `config:"regexp;^((en|wl|ww|sl|ib)[Popsx].*|(eth|wlan|wwan|bond).*)"`
diff --git a/felix/dataplane/driver.go b/felix/dataplane/driver.go
index 03258ba1859..50e4e186fcc 100644
--- a/felix/dataplane/driver.go
+++ b/felix/dataplane/driver.go
@@ -378,7 +378,7 @@ func StartDataplaneDriver(
 BPFDisableGROForIfaces: configParams.BPFDisableGROForIfaces,
 XDPEnabled: configParams.XDPEnabled,
 XDPAllowGeneric: configParams.GenericXDPEnabled,
- BPFConntrackTimeouts: conntrack.DefaultTimeouts(), // FIXME make timeouts configurable
+ BPFConntrackTimeouts: conntrack.GetTimeouts(configParams.BPFConntrackTimeouts),
 BPFConntrackCleanupMode: apiv3.BPFConntrackMode(configParams.BPFConntrackCleanupMode),
 RouteTableManager: routeTableIndexAllocator,
 MTUIfacePattern: configParams.MTUIfacePattern,
diff --git a/felix/docs/config-params.json b/felix/docs/config-params.json
index 02f3adf3d90..17315aa9882 100644
--- a/felix/docs/config-params.json
+++ b/felix/docs/config-params.json
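Review bot: The default string on `BPFConntrackTimeouts` sets `TCPFinsSeen=nf_conntrack_tcp_timeout_time_wait`, so the out-of-the-box path now reads `/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait` at every Felix start, and on a host where that sysctl is absent (which seems possible when the nf_conntrack module is not loaded on a BPF-mode node) `GetTimeouts` falls back to its built-in duration with a warning on a configuration the operator never touched. Either document that behaviour on the field, e.g. `// TCPFinsSeen defaults to the kernel's nf_conntrack_tcp_timeout_time_wait when present and to the built-in value otherwise.`, or have the absent-file case log at Info rather than Warn so default installs stay quiet. The `Config` struct in config_params.go and `StartDataplaneDriver` in driver.go both start and end outside their hunks; the driver.go change resolves the FIXME as intended.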
@@ -2701,6 +2701,32 @@ "UserEditable": true, "GoType": "string" }, + { + "Group": "Dataplane: eBPF", + "GroupWithSortPrefix": "22 Dataplane: eBPF", + "NameConfigFile": "BPFConntrackTimeouts", + "NameEnvVar": "FELIX_BPFConntrackTimeouts", + "NameYAML": "bpfConntrackTimeouts", + "NameGoAPI": "BPFConntrackTimeouts", + "StringSchema": "Comma-delimited list of key=value pairs", + "StringSchemaHTML": "Comma-delimited list of key=value pairs", + "StringDefault": "CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=nf_conntrack_tcp_timeout_time_wait,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s", + "ParsedDefault": "map[CreationGracePeriod:10s GenericIPLastSeen:10m ICMPLastSeen:5s TCPEstablished:1h TCPFinsSeen:nf_conntrack_tcp_timeout_time_wait TCPPreEstablished:20s TCPResetSeen:40s UDPLastSeen:60s]", + "ParsedDefaultJSON": "{\"CreationGracePeriod\":\"10s\",\"GenericIPLastSeen\":\"10m\",\"ICMPLastSeen\":\"5s\",\"TCPEstablished\":\"1h\",\"TCPFinsSeen\":\"nf_conntrack_tcp_timeout_time_wait\",\"TCPPreEstablished\":\"20s\",\"TCPResetSeen\":\"40s\",\"UDPLastSeen\":\"60s\"}", + "ParsedType": "map[string]string", + "YAMLType": "object", + "YAMLSchema": "", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "BPFConntrackTimers overides the default values for the specified conntrack timer if\nset. 
It is a key-value make, where each value can be either a duration or a name of\na Linux conntrack timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ files.\n\nUnset or incorrect values are replaced by the default values with a warning log for\nincorrect values.", + "DescriptionHTML": "

BPFConntrackTimers overides the default values for the specified conntrack timer if\nset. It is a key-value make, where each value can be either a duration or a name of\na Linux conntrack timeout to use.

\n

Possible values for the keys are: CreationGracePeriod, TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen,\nICMPLastSeen.

\n

Example:

\n

CreationGracePeriod: 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: nf_conntrack_tcp_timeout_time_wait

\n

This would override 3 timers, one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/<name> files.

\n

Unset or incorrect values are replaced by the default values with a warning log for\nincorrect values.

", + "UserEditable": true, + "GoType": "*map[string]string" + }, { "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", diff --git a/felix/docs/config-params.md b/felix/docs/config-params.md index 8837b315ef6..29ac745ca59 100644 --- a/felix/docs/config-params.md +++ b/felix/docs/config-params.md @@ -1474,6 +1474,37 @@ to clean up expired BPF conntrack entries. | Default value (YAML) | `off` | | Notes | Required. | +### `BPFConntrackTimeouts` (config file) / `bpfConntrackTimeouts` (YAML) + +BPFConntrackTimers overides the default values for the specified conntrack timer if +set. It is a key-value make, where each value can be either a duration or a name of +a Linux conntrack timeout to use. + +Possible values for the keys are: CreationGracePeriod, TCPPreEstablished, +TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, GenericIPLastSeen, +ICMPLastSeen. + +Example: + +CreationGracePeriod: 15s +TCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent +TCPFinsSeen: nf_conntrack_tcp_timeout_time_wait + +This would override 3 timers, one with 15 seconds and two with respective values +taken from /proc/sys/net/netfilter/ files. + +Unset or incorrect values are replaced by the default values with a warning log for +incorrect values. + +| Detail | | +| --- | --- | +| Environment variable | `FELIX_BPFConntrackTimeouts` | +| Encoding (env var/config file) | Comma-delimited list of key=value pairs | +| Default value (above encoding) | `CreationGracePeriod=10s,TCPPreEstablished=20s,TCPEstablished=1h,TCPFinsSeen=nf_conntrack_tcp_timeout_time_wait,TCPResetSeen=40s,UDPLastSeen=60s,GenericIPLastSeen=10m,ICMPLastSeen=5s` | +| `FelixConfiguration` field | `bpfConntrackTimeouts` (YAML) `BPFConntrackTimeouts` (Go API) | +| `FelixConfiguration` schema | `object` | +| Default value (YAML) | none | + ### `BPFDSROptoutCIDRs` (config file) / `bpfDSROptoutCIDRs` (YAML) A list of CIDRs which are excluded from DSR. That is, clients 
diff --git a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml index acaf94c355c..b5fae021236 100644 --- a/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml +++ b/libcalico-go/config/crd/crd.projectcalico.org_felixconfigurations.yaml @@ -107,6 +107,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go b/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go index 7c24e5aa68f..9cfe34d6ee6 100644 --- a/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go 
+++ b/libcalico-go/lib/backend/syncersv1/updateprocessors/configurationprocessor_test.go @@ -43,7 +43,7 @@ const ( ) const ( - numBaseFelixConfigs = 151 + numBaseFelixConfigs = 152 ) var _ = Describe("Test the generic configuration update processor and the concrete implementations", func() { diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index 021c067d763..1e809df6335 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -1119,6 +1119,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index ec66dab3d6d..8863d50df70 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml 
@@ -1129,6 +1129,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index dccc035ff5e..33c2843bad1 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml 
@@ -1130,6 +1130,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index c598d1d261d..e2a412f7857 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml 
@@ -1114,6 +1114,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/calico.yaml b/manifests/calico.yaml index 314e8ecebe1..1669fa39102 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml 
@@ -1114,6 +1114,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/canal.yaml b/manifests/canal.yaml index c78676e025d..d315a763a13 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml 
@@ -1131,6 +1131,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/crds.yaml b/manifests/crds.yaml index 884ab9944bd..b32749e8f14 100644 --- a/manifests/crds.yaml +++ b/manifests/crds.yaml 
@@ -1024,6 +1024,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index 679778b19c8..5083f878a50 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml 
@@ -1114,6 +1114,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients diff --git a/manifests/operator-crds.yaml b/manifests/operator-crds.yaml index 031462672f8..231734413cd 100644 --- a/manifests/operator-crds.yaml +++ b/manifests/operator-crds.yaml 
@@ -19650,6 +19650,24 @@ spec: - Userspace - BPFProgram type: string + bpfConntrackTimeouts: + additionalProperties: + type: string + description: "BPFConntrackTimers overides the default values for the + specified conntrack timer if\nset. It is a key-value make, where + each value can be either a duration or a name of\na Linux conntrack + timeout to use.\n\nPossible values for the keys are: CreationGracePeriod, + TCPPreEstablished,\nTCPEstablished, TCPFinsSeen, TCPResetSeen, UDPLastSeen, + GenericIPLastSeen,\nICMPLastSeen.\n\nExample:\n\nCreationGracePeriod: + 15s\nTCPPreEstablished: nf_conntrack_tcp_timeout_syn_sent\nTCPFinsSeen: + nf_conntrack_tcp_timeout_time_wait\n\nThis would override 3 timers, + one with 15 seconds and two with respective values\ntaken from /proc/sys/net/netfilter/ + files.\n\nUnset or incorrect values are replaced by the default + values with a warning log for\nincorrect values.\n\n[Default:\n\tCreationGracePeriod: + 10s\n\tTCPPreEstablished: 20s\n\tTCPEstablished: 1h\n\tTCPFinsSeen: + \ nf_conntrack_tcp_timeout_time_wait\n\tTCPResetSeen: 40s\n\tUDPLastSeen: + \ 60s\n\tGenericIPLastSeen: 10m\n\tICMPLastSeen: 5s\n]" + type: object bpfDSROptoutCIDRs: description: |- BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients