{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":468757854,"defaultBranch":"main","name":"cilium","ownerLogin":"julianwiedmann","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2022-03-11T13:17:52.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/24281077?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1718799662.0","currentOid":""},"activityList":{"items":[{"before":null,"after":"c45b81cd1d912932253727f7ee8e1317439c2991","ref":"refs/heads/1.16-bpf-nodeport-ct-cleanup","pushedAt":"2024-06-19T12:21:02.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: nodeport: clean up redundant 0-initializations\n\nThe whole ct_state_new struct is already 0-initialized.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: nodeport: clean up redundant 0-initializations"}},{"before":"4201e60e04b398b136fd6bdd7890dbcce62cba98","after":null,"ref":"refs/heads/1.16-bpf-lxc-trace","pushedAt":"2024-06-19T08:23:32.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"9802312870d72358527d513378c7565f6a7cab85","after":null,"ref":"refs/heads/1.16-bpf-ct-error","pushedAt":"2024-06-19T06:54:58.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"11c7583de763fc7879cfe951f0604740eda3d8bc","after":null,"ref":"refs/heads/1.16-bpf-lxc-seclabel","pushedAt":"2024-06-19T03:10:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"20562f3f5204845c5d5a5cadcfd98a6e4d2eca14","after":null,"ref":"refs/heads/1.16-bpf-netdev","pushedAt":"2024-06-19T03:10:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"e8317549bd90a243f7b1ce6614d612cc0c8db677","after":"173c6dca58e88c07f7b0f5cf171ff0cb42e4ff5c","ref":"refs/heads/1.16-bpf-lxc-proxy","pushedAt":"2024-06-18T14:39:21.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: only handle L7 LB in forward direction\n\nWhen `proxy_port` is set for a L7 LB connection, the CT lookup for the\ncorresponding `client -> VIP` connection should always CT_NEW or\nCT_ESTABLISHED (as the connection is in forward direction). Add this\nbit of wisdom to the datapath in bpf_lxc.\n\nTake this moment to turn the code section into a switch statement for the\nCT lookup result.\n\nIdeally we would even constrain the CT lookup for such a case (and thus\nlimit the actual range of returned CT results), but that's future work in\nhttps://github.com/cilium/cilium/issues/33233.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: only handle L7 LB in forward direction"}},{"before":"a93f7dac19316ab367973b011926626278387a46","after":"e8317549bd90a243f7b1ce6614d612cc0c8db677","ref":"refs/heads/1.16-bpf-lxc-proxy","pushedAt":"2024-06-18T14:30:26.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: only handle L7 LB in forward direction\n\nWhen `proxy_port` is set for a L7 LB connection, the CT lookup for the\ncorresponding `client -> backend` connection should always CT_NEW or\nCT_ESTABLISHED (as the connection is in forward direction). Add this\nbit of wisdom to the datapath in bpf_lxc.\n\nTake this moment to turn the code section into a switch statement for the\nCT lookup result.\n\nIdeally we would even constrain the CT lookup for such a case (and thus\nlimit the actual range of returned CT results), but that's future work in\nhttps://github.com/cilium/cilium/issues/33233.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: only handle L7 LB in forward direction"}},{"before":null,"after":"a93f7dac19316ab367973b011926626278387a46","ref":"refs/heads/1.16-bpf-lxc-proxy","pushedAt":"2024-06-18T14:28:34.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: only handle L7 LB in forward direction\n\nWhen `proxy_port` is set for a L7 LB connection, the CT lookup for the\ncorresponding `client -> backend` connection should always CT_NEW or\nCT_ESTABLISHED (as the connection is in forward direction). Add this\nbit of wisdom to the datapath in bpf_lxc.\n\nTake this moment to turn the code section into a switch statement for the\nCT lookup result.\n\nIdeally we would even constrain the CT lookup for such a case (and thus\nlimit the actual range of returned CT results), but that's future work in\nhttps://github.com/cilium/cilium/issues/33233.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: only handle L7 LB in forward direction"}},{"before":"0e2aaae20d45740cdf361b821757416d711f0d79","after":"6e128867a1285d88316ce3905ebb1ffec8a4e57b","ref":"refs/heads/1.16-bpf-trace-ifindex","pushedAt":"2024-06-18T10:08:36.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: host: use NATIVE_DEV_IFINDEX in to-netdev\n\nIndicate the current interface in the trace notification.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: host: use NATIVE_DEV_IFINDEX in to-netdev"}},{"before":null,"after":"0e2aaae20d45740cdf361b821757416d711f0d79","ref":"refs/heads/1.16-bpf-trace-ifindex","pushedAt":"2024-06-18T10:02:40.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: host: use NATIVE_DEV_IFINDEX in to-netdev\n\nIndicate the current interface in the trace notification.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: host: use NATIVE_DEV_IFINDEX in to-netdev"}},{"before":"d1ec2d2d03c352ffa00904f2420e78609fd7fce5","after":null,"ref":"refs/heads/1.16-bpf-seclabel-nb","pushedAt":"2024-06-18T08:55:28.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":null,"after":"9802312870d72358527d513378c7565f6a7cab85","ref":"refs/heads/1.16-bpf-ct-error","pushedAt":"2024-06-18T07:51:43.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: ct: return actual error from CT lookup\n\nThe CT lookup potentially returns an error (with some DROP_* value). But\nthere are a few code paths that currently handle such an error as part of\ntheir `default` case for the `switch(ct_result)` statement, and just\nreturn DROP_UNKNOWN_CT. Fix them up to return the actual error.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: ct: return actual error from CT lookup"}},{"before":null,"after":"d1ec2d2d03c352ffa00904f2420e78609fd7fce5","ref":"refs/heads/1.16-bpf-seclabel-nb","pushedAt":"2024-06-17T17:49:30.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"datapath: clean up unused SECLABEL_NB\n\nLooks like the last user was removed with\n32a921aab817 (\"bpf: Remove flowlabel optimization for identity\").\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"datapath: clean up unused SECLABEL_NB"}},{"before":null,"after":"20562f3f5204845c5d5a5cadcfd98a6e4d2eca14","ref":"refs/heads/1.16-bpf-netdev","pushedAt":"2024-06-17T06:06:36.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: host: sanitize whole skb->cb in to-netdev\n\nWe can't trust the cb if a packet passed through the network stack.\nInstead of selectively clearing cb slots, just clear the whole array.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: host: sanitize whole skb->cb in to-netdev"}},{"before":null,"after":"11c7583de763fc7879cfe951f0604740eda3d8bc","ref":"refs/heads/1.16-bpf-lxc-seclabel","pushedAt":"2024-06-17T05:51:51.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy()\n\nMatch what ipv6_policy() uses in these locations.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: prefer SECLABEL_IPV4 over SECLABEL in ipv4_policy()"}},{"before":"18114a4b92d28843140fb73e6b7939cffcf37eed","after":null,"ref":"refs/heads/1.16-bpf-host-l2-proto","pushedAt":"2024-06-14T14:51:10.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"26be12c1f43a2bc371ea01510a8db8d57f3fbe15","after":null,"ref":"refs/heads/1.16-bpf-wireguard-test","pushedAt":"2024-06-14T12:28:49.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"93592242f5fb7f1d0b9408e22824b590297e435d","after":"4201e60e04b398b136fd6bdd7890dbcce62cba98","ref":"refs/heads/1.16-bpf-lxc-trace","pushedAt":"2024-06-14T12:04:22.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: report ifindex in ingress trace notifications\n\nipv*_policy() takes an `ifindex` parameter, and exclusively uses it to\nfill trace notifications. But for some cases the provided ifindex is\ncurrently 0 (for instance in a configuration with per-EP routing, when\ncalling from to-container).\n\nJust provide the actual interface index instead.\n\nReported-by: Tomasz Tarczyński \nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: report ifindex in ingress trace notifications"}},{"before":"6461fc8e0304c75a70de6dc721d3f0f5609a818c","after":null,"ref":"refs/heads/1.16-bpf-loopback-revnat","pushedAt":"2024-06-14T11:52:28.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"7047c29bebaec91d567bb1b824c6c967ab699b98","after":"93592242f5fb7f1d0b9408e22824b590297e435d","ref":"refs/heads/1.16-bpf-lxc-trace","pushedAt":"2024-06-14T11:42:48.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: report ifindex in ingress trace notifications\n\nipv*_policy() takes an `ifindex` parameter, and exclusively uses it to\nfill trace notifications. But for some cases the provided ifindex is\ncurrently 0 (for instance in a configuration with per-EP routing, when\ncalling from to-container).\n\nJust provide the actual interface index instead.\n\nReported-by: Tomasz Tarczyński \nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: report ifindex in ingress trace notifications"}},{"before":"e7c8cdc00912724d611300ea88c8e339ca6a5fd7","after":"18114a4b92d28843140fb73e6b7939cffcf37eed","ref":"refs/heads/1.16-bpf-host-l2-proto","pushedAt":"2024-06-14T11:39:34.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: extract ethertype in to-netdev / to-overlay just once\n\nRemove some duplicated logic.\n\nIdeally we would only do the extraction if at least *one* feature is\nenabled that actually requires the ethertype. But managing these\ndependencies doesn't seem worth the hassle.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: extract ethertype in to-netdev / to-overlay just once"}},{"before":"7609baa64124c6788941b2c7482d8be761b2a135","after":"e7c8cdc00912724d611300ea88c8e339ca6a5fd7","ref":"refs/heads/1.16-bpf-host-l2-proto","pushedAt":"2024-06-14T11:38:30.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: extract ethertype in to-netdev / to-overlay just once\n\nRemove some duplicated logic.\n\nIdeally we would only do the extraction if at least *one* feature is\nenabled that actually requires the ethertype. But managing these\ndependencies doesn't seem worth the hassle.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: extract ethertype in to-netdev / to-overlay just once"}},{"before":"ec96881d19ea9a62f760933a0d509b0915789d84","after":null,"ref":"refs/heads/1.16-ct-format-backendid","pushedAt":"2024-06-14T07:33:16.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"8e84c4ed7aab98be26b972fb67e8c989f73143d3","after":null,"ref":"refs/heads/1.16-dns-proxy-docs","pushedAt":"2024-06-14T06:59:33.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"74115aa83284df511bed2c3363f81992e187ccd7","after":"ec96881d19ea9a62f760933a0d509b0915789d84","ref":"refs/heads/1.16-ct-format-backendid","pushedAt":"2024-06-14T06:37:03.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"ctmap: dump CT entry's BackendID\n\nService connections store their selected backend ID in the SVC-type CT\nentry. Dump this field on `cilium-dbg bpf ct list global`.\n\nThis then looks like:\nTCP SVC 10.244.0.62:55394 -> 10.96.0.1:443 expires=158116 ... BackendID=1\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"ctmap: dump CT entry's BackendID"}},{"before":"7420401c6de6826beeab83d97ad5552c82f6372f","after":"8e84c4ed7aab98be26b972fb67e8c989f73143d3","ref":"refs/heads/1.16-dns-proxy-docs","pushedAt":"2024-06-14T06:20:19.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"docs: egressgw: remove stale enable-l7-proxy option\n\nThis option was suggested to deal with an incompatibility between EGW and\nL7 policies. The incompatibility has been addressed by\nhttps://github.com/cilium/cilium/pull/32828.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"docs: egressgw: remove stale enable-l7-proxy option"}},{"before":"2eb113b725275564b0ace5dae4261924e01e4249","after":null,"ref":"refs/heads/1.16-bpf-maps","pushedAt":"2024-06-14T04:32:43.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"44118c2c187e3210ea1d4df5a7ef57befe6bc3a2","after":null,"ref":"refs/heads/1.16-bpf-encap-trace","pushedAt":"2024-06-14T04:29:34.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"}},{"before":"b25cb8d60e0a8f9ea095541aa729de8437c34ab7","after":"7047c29bebaec91d567bb1b824c6c967ab699b98","ref":"refs/heads/1.16-bpf-lxc-trace","pushedAt":"2024-06-13T12:58:02.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: lxc: report ifindex in ingress trace notifications\n\nipv*_policy() takes an `ifindex` parameter, and exclusively uses it to\nfill trace notifications. But for some cases the provided ifindex is\ncurrently 0 (for instance in a configuration with per-EP routing, when\ncalling from to-container).\n\nJust provide the actual interface index instead.\n\nReported-by: Tomasz Tarczyński \nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: lxc: report ifindex in ingress trace notifications"}},{"before":null,"after":"26be12c1f43a2bc371ea01510a8db8d57f3fbe15","ref":"refs/heads/1.16-bpf-wireguard-test","pushedAt":"2024-06-13T12:47:48.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"julianwiedmann","name":"Julian Wiedmann","path":"/julianwiedmann","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/24281077?s=80&v=4"},"commit":{"message":"bpf: test Wireguard with ENCRYPTION_STRICT_MODE\n\nRun compile & complexity tests for Wireguard with Strict-mode enabled.\n\nSigned-off-by: Julian Wiedmann ","shortMessageHtmlLink":"bpf: test Wireguard with ENCRYPTION_STRICT_MODE"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEaYPSYgA","startCursor":null,"endCursor":null}},"title":"Activity · julianwiedmann/cilium"}