v1.19 Backports 2026-01-22 #43922

Merged
giorio94 merged 7 commits into v1.19 from pr/v1.19-backport-2026-01-22-12-24
Jan 22, 2026

@giorio94
Member

@giorio94 giorio94 commented Jan 22, 2026

borkmann and others added 7 commits January 22, 2026 12:24
[ upstream commit f87ff38 ]

In IPv4 code, we pull the ARP header into the linear section of the skb:

  [...]
  case bpf_htons(ETH_P_ARP):
    if (is_defined(ENABLE_ARP_PASSTHROUGH) ||
        is_defined(ENABLE_ARP_RESPONDER) ||
        CONFIG(enable_l2_announcements)) {
      if (!revalidate_data_arp_pull(ctx, &data, &data_end, &arp)) {
        ret = DROP_INVALID;
        goto drop_err_ingress;
      }

      [...]

      if (CONFIG(enable_l2_announcements)) {
        ret = handle_l2_announcement(ctx, NULL);
        [...]

This is however not the case in IPv6, and so with a NIC driver which does not
pull in anything, handle_l2_announcement() could fail given only the
Ethernet + IPv6 header is in the linear section. Then we return with
CTX_ACT_OK and the packet goes up the stack. Given this is slow-path, pull
in skb->len. For XDP it's a no-op.

Related: #43774
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Co-developed-by: Marc Suñé <marc.sune@isovalent.com>
Signed-off-by: Marc Suñé <marc.sune@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
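
A user-space model of the failure mode described in the commit message above, added here as an illustration and not code from the Cilium tree. `toy_skb`, `hdr_at`, `l2_announce_v6` and the verdict names are hypothetical, and the model assumes the handler has to read the ICMPv6 neighbor solicitation that follows the IPv6 header.

```c
#include <stdint.h>
#include <string.h>

enum verdict { PASS_TO_STACK, ANSWERED };      /* hypothetical names */

/* User-space model of an skb (assumption, not a kernel type): direct access
 * sees only the first linear_len bytes, the rest sits in paged fragments. */
struct toy_skb {
    uint8_t  pkt[78];                          /* Ethernet(14) + IPv6(40) + NS(24) */
    uint32_t len, linear_len;
};

/* Bounds check of the same shape as a data/data_end revalidation. */
static const uint8_t *hdr_at(const struct toy_skb *skb, uint32_t off, uint32_t need)
{
    return off + need <= skb->linear_len ? skb->pkt + off : NULL;
}

/* Constructed sample: neighbor solicitation for `target`, received from a
 * driver that left only Ethernet + IPv6 in the linear section. */
static struct toy_skb sample_ns(const uint8_t *target)
{
    struct toy_skb skb = { .len = 78, .linear_len = 14 + 40 };
    skb.pkt[12] = 0x86; skb.pkt[13] = 0xdd;    /* ETH_P_IPV6 */
    skb.pkt[14 + 6] = 58;                      /* next header: ICMPv6 */
    skb.pkt[54] = 135;                         /* type: neighbor solicitation */
    memcpy(&skb.pkt[54 + 8], target, 16);      /* NS target address */
    return skb;
}

static enum verdict l2_announce_v6(struct toy_skb *skb, const uint8_t *announced, int pull)
{
    const uint8_t *ip6, *ns;
    if (pull)                                  /* the fix: pull in skb->len first */
        skb->linear_len = skb->len;
    ip6 = hdr_at(skb, 14, 40);
    if (!ip6 || ip6[6] != 58)
        return PASS_TO_STACK;
    ns = hdr_at(skb, 54, 24);
    if (!ns || ns[0] != 135)                   /* NS not in linear data: give up */
        return PASS_TO_STACK;
    return memcmp(ns + 8, announced, 16) == 0 ? ANSWERED : PASS_TO_STACK;
}

int main(void)
{
    uint8_t ip[16] = { 0xfd, [15] = 1 };       /* constructed address */
    struct toy_skb skb = sample_ns(ip);
    return l2_announce_v6(&skb, ip, 1) == ANSWERED ? 0 : 1;
}
```

Without the pull, the same solicitation falls through to the stack unanswered even though the announced address matches.
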
…f ipsec

[ upstream commit 4f5a008 ]

Currently, we regenerate the host endpoint before all other restored endpoints
if IPSec is enabled.

This might be problematic as it increases the overall time for the endpoint
restoration - and might lead to issues if Envoy prematurely configures
Envoy before all Endpoints are restored (default after 3 min).

It looks like this code / special handling is no longer needed with v1.19.
Let's remove it.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

[ upstream commit b7c4147 ]

The previous commit updating short ICMP error packet NAT
handling improperly computed the length of a short packet
by neglecting to account for the ihl field of the IP header
representing 32 bit words rather than bytes.  This caused
a reversion of #33844.

Furthermore, the change in short packet detection depends on
the incoming bpf_context structure having the "len" field set
correctly, which the BPF tests for that condition did not set.

This corrects the comparison for the inner L4 packet length
and updates the short ICMP error packet BPF tests to ensure
the ctx->len field is set like the kernel does.

Fixes: 1a018d56d623 ("bpf: Refine inner packet L4 checksum detection")

Signed-off-by: Bill Reese <ReeseW@computer.org>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
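
The arithmetic behind the fix described in the commit message above, as an added example that is not code from the Cilium tree. The function names, the 42-byte offset of the embedded header and the sample packet are assumptions constructed for illustration; `pkt_len` stands in for `ctx->len`.

```c
#include <stdint.h>
#include <string.h>

#define IPV4_MIN_HLEN 20
#define TCP_HLEN      20   /* minimal TCP header; its checksum is at offset 16 */

/* Bytes of the embedded L4 header present in an ICMP error. pkt_len plays the
 * role of ctx->len, inner_off is the offset of the embedded IPv4 header.
 * ihl counts 32-bit words, so that header occupies ihl * 4 bytes. */
static uint32_t inner_l4_len(const uint8_t *pkt, uint32_t pkt_len, uint32_t inner_off)
{
    uint32_t ihl, l4_off;

    if (pkt_len < inner_off + IPV4_MIN_HLEN)   /* also covers an unset length */
        return 0;
    ihl = pkt[inner_off] & 0x0f;
    if (ihl < 5)                               /* malformed header */
        return 0;
    l4_off = inner_off + ihl * 4;
    return pkt_len > l4_off ? pkt_len - l4_off : 0;
}

/* The miscalculation the commit message describes: ihl taken as bytes. */
static uint32_t inner_l4_len_ihl_as_bytes(const uint8_t *pkt, uint32_t pkt_len,
                                          uint32_t inner_off)
{
    uint32_t l4_off = inner_off + (pkt[inner_off] & 0x0f);
    return pkt_len > l4_off ? pkt_len - l4_off : 0;
}

static int inner_l4_is_short(uint32_t l4_len) { return l4_len < TCP_HLEN; }

/* Constructed sample: Ethernet(14) + IPv4(20) + ICMP(8) + embedded IPv4(20)
 * + the first 8 bytes of the original TCP header. Returns the total length. */
static uint32_t sample_icmp_error(uint8_t *pkt)
{
    memset(pkt, 0, 70);
    pkt[14] = 0x45; pkt[23] = 1;               /* outer IPv4, protocol ICMP */
    pkt[34] = 3;                               /* destination unreachable */
    pkt[42] = 0x45; pkt[51] = 6;               /* embedded IPv4, protocol TCP */
    return 70;
}

int main(void)
{
    uint8_t pkt[70];
    uint32_t len = sample_icmp_error(pkt);
    return inner_l4_is_short(inner_l4_len(pkt, len, 42)) ? 0 : 1;
}
```

With ihl read as bytes, the 8 embedded TCP bytes are counted as 23, which passes a 20-byte header check even though the checksum field at offset 16 is not in the packet.
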
[ upstream commit aecd248 ]

This time should have a shorter timeout so it doesn't take 1h30m of CI
in case the step fails as seen in [1]. Since this step takes around 4
minutes on a successful run [2], 10 minutes of timeout seems to be a
good limit.

[1] https://github.com/cilium/cilium/actions/runs/21205723313/job/61001679788
[2] https://github.com/cilium/cilium/actions/runs/21216876084/job/61040455144

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

[ upstream commit 517f163 ]

Signed-off-by: xtine <xtineskim@gmail.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

[ upstream commit b197d98 ]

Signed-off-by: xtine <xtineskim@gmail.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>

[ upstream commit 700b07e ]

Re-add workflow_dispatch so that ariane can trigger this workflow on a
scheduled basis since non-default branches don't support schedule event
triggers made by GitHub.

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added labels Jan 22, 2026: kind/backports (This PR provides functionality previously merged into master.), backport/1.19 (This PR represents a backport for Cilium 1.19.x of a PR that was merged to main.)
@giorio94
Member Author

/test

@giorio94 giorio94 marked this pull request as ready for review January 22, 2026 13:14
@giorio94 giorio94 requested review from a team as code owners January 22, 2026 13:14
@giorio94 giorio94 requested a review from brlbil January 22, 2026 13:14
@giorio94 giorio94 added this pull request to the merge queue Jan 22, 2026
Merged via the queue into v1.19 with commit d461be6 Jan 22, 2026
538 of 545 checks passed
@giorio94 giorio94 deleted the pr/v1.19-backport-2026-01-22-12-24 branch January 22, 2026 16:45
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026

Labels

backport/1.19: This PR represents a backport for Cilium 1.19.x of a PR that was merged to main.
kind/backports: This PR provides functionality previously merged into master.


9 participants