Skip to content

Convert ENABLE_IPSEC (pkg/datapath/linux/ipsec/cell.go - option.Config.EnableIPsec) to load-time config #42653

Open
Task
Open
Convert ENABLE_IPSEC (pkg/datapath/linux/ipsec/cell.go - option.Config.EnableIPsec) to load-time config#42653
Task
Assignees
rgo3
Labels
area/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.area/loaderImpacts the loading of BPF programs into the kernel.feature/ipsecRelates to Cilium's IPsec featurekind/enhancementThis would improve or streamline existing functionality.
@rgo3

Description

@rgo3
rgo3
opened on Nov 7, 2025

Convert this macro to use DECLARE_CONFIG or NODE_CONFIG for runtime configuration.

Current definition location: pkg/datapath/linux/ipsec/cell.go:52-54

if out.IPsecAgent.Enabled() {
    out.NodeDefines = map[string]string{
        "ENABLE_IPSEC": "1",
    }
}

BPF usage: Used in conditionals throughout the datapath, particularly in:

  • bpf/bpf_host.c - IPsec tunnel handling
  • bpf/lib/encap.h - Encryption encapsulation

Configuration source: option.Config.EnableIPsec

Metadata

Metadata

Assignees

Labels

area/datapathImpacts bpf/ or low-level forwarding details, including map management and monitor messages.area/loaderImpacts the loading of BPF programs into the kernel.feature/ipsecRelates to Cilium's IPsec featurekind/enhancementThis would improve or streamline existing functionality.

Type

Task

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions