diff --git a/calico-cloud/reference/component-resources/node/felix/configuration.mdx b/calico-cloud/reference/component-resources/node/felix/configuration.mdx index da0c43dc32..90afa5fa0a 100644 --- a/calico-cloud/reference/component-resources/node/felix/configuration.mdx +++ b/calico-cloud/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-cloud/reference/host-endpoints/failsafe.mdx b/calico-cloud/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-cloud/reference/host-endpoints/failsafe.mdx +++ b/calico-cloud/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-cloud/reference/resources/felixconfig.mdx b/calico-cloud/reference/resources/felixconfig.mdx index 6edf2f0b4e..5c98f4552f 100644 --- a/calico-cloud/reference/resources/felixconfig.mdx +++ b/calico-cloud/reference/resources/felixconfig.mdx 
@@ -264,6 +264,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx b/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx +++ b/calico-cloud_versioned_docs/version-19-1/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx b/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx index 6edf2f0b4e..5c98f4552f 100644 --- a/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx +++ b/calico-cloud_versioned_docs/version-19-1/reference/resources/felixconfig.mdx 
@@ -264,6 +264,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise/reference/host-endpoints/failsafe.mdx b/calico-enterprise/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise/reference/resources/felixconfig.mdx b/calico-enterprise/reference/resources/felixconfig.mdx index 29d64b15b4..c7e2e80db8 100644 --- a/calico-enterprise/reference/resources/felixconfig.mdx +++ b/calico-enterprise/reference/resources/felixconfig.mdx 
@@ -267,6 +267,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx index 8f78e7dcb3..d8db7a9ebb 100644 --- a/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx index fe70b750d0..d6a6f44a0a 100644 --- a/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.16/reference/resources/felixconfig.mdx 
@@ -262,6 +262,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx index e591b404dd..847d868088 100644 --- a/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.17/reference/resources/felixconfig.mdx 
@@ -262,6 +262,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx index 8727eeba55..00dcbb6b3a 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx index 3652527699..25514884be 100644 --- a/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.18-2/reference/resources/felixconfig.mdx 
@@ -265,6 +265,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx index 8727eeba55..00dcbb6b3a 100644 --- a/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx index bf80b14784..1919bfd5f3 100644 --- a/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.18/reference/resources/felixconfig.mdx 
@@ -263,6 +263,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx b/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx index 8727eeba55..00dcbb6b3a 100644 --- a/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-1/reference/component-resources/node/felix/configuration.mdx 
@@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx b/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx index 102a260e79..f866e551e1 100644 --- a/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-1/reference/host-endpoints/failsafe.mdx @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../component-resources/node/felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx b/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx index d0d9d9b1a2..123eccdc06 100644 --- a/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx +++ b/calico-enterprise_versioned_docs/version-3.19-1/reference/resources/felixconfig.mdx 
@@ -265,6 +265,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### AggregationKind | Value | Description | diff --git a/calico/reference/felix/configuration.mdx b/calico/reference/felix/configuration.mdx index f132cc356e..b8e2307985 100644 --- a/calico/reference/felix/configuration.mdx +++ b/calico/reference/felix/configuration.mdx 
@@ -54,8 +54,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `EndpointStatusPathPrefix` | `FELIX_ENDPOINTSTATUSPATHPREFIX` | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. [Default: ""] | string | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. 
To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico/reference/host-endpoints/failsafe.mdx b/calico/reference/host-endpoints/failsafe.mdx index 14e4425796..e3bd9ec4cd 100644 --- a/calico/reference/host-endpoints/failsafe.mdx +++ b/calico/reference/host-endpoints/failsafe.mdx @@ -28,7 +28,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico/reference/resources/felixconfig.mdx b/calico/reference/resources/felixconfig.mdx index 0139df1bfd..a2d71532dc 100644 --- a/calico/reference/resources/felixconfig.mdx +++ b/calico/reference/resources/felixconfig.mdx 
@@ -46,8 +46,8 @@ spec: | deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT | | endpointStatusPathPrefix | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. | Any existing path in the calico-node container | string | `""`| | string | | externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes, which can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` | -| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- protocol: tcp
  port: 22
- protocol: udp
  port: 68
- protocol: tcp
  port: 179
- protocol: tcp
  port: 2379
- protocol: tcp
  port: 2380
- protocol: tcp
  port: 5473
- protocol: tcp
  port: 6443
- protocol: tcp
  port: 6666
- protocol: tcp
  port: 6667

| -| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- protocol: udp
  port: 53
- protocol: udp
  port: 67
- protocol: tcp
  port: 179
- protocol: tcp
  port: 2379
- protocol: tcp
  port: 2380
- protocol: tcp
  port: 5473
- protocol: tcp
  port: 6443
- protocol: tcp
  port: 6666
- protocol: tcp
  port: 6667

| +| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- net: ""
  protocol: tcp
  port: 22
- net: ""
  protocol: udp
  port: 68
- net: ""
  protocol: tcp
  port: 179
- net: ""
  protocol: tcp
  port: 2379
- net: ""
  protocol: tcp
  port: 2380
- net: ""
  protocol: tcp
  port: 5473
- net: ""
  protocol: tcp
  port: 6443
- net: ""
  protocol: tcp
  port: 6666
- net: ""
  protocol: tcp
  port: 6667

| +| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- net: ""
  protocol: udp
  port: 53
- net: ""
  protocol: udp
  port: 67
- net: ""
  protocol: tcp
  port: 179
- net: ""
  protocol: tcp
  port: 2379
- net: ""
  protocol: tcp
  port: 2380
- net: ""
  protocol: tcp
  port: 5473
- net: ""
  protocol: tcp
  port: 6443
- net: ""
  protocol: tcp
  port: 6666
- net: ""
  protocol: tcp
  port: 6667

| | featureDetectOverride | Is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected. | string | string | `""` | | genericXDPEnabled | When enabled, Felix can fallback to the non-optimized `generic` XDP mode. This should only be used for testing since it doesn't improve performance over the non-XDP mode. | true,false | boolean | `false` | | interfaceExclude | A comma-separated list of interface names that should be excluded when Felix is resolving host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude all interfaces that begin with `kube` and also the interface `veth1`. | string | string | `kube-ipvs0` | @@ -196,6 +196,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### RouteTableRange The `RouteTableRange` option is now deprecated in favor of [RouteTableRanges](#routetableranges). diff --git a/calico_versioned_docs/version-3.25/reference/felix/configuration.mdx b/calico_versioned_docs/version-3.25/reference/felix/configuration.mdx index 269d4cda35..69f2cf2ce1 100644 
--- a/calico_versioned_docs/version-3.25/reference/felix/configuration.mdx +++ b/calico_versioned_docs/version-3.25/reference/felix/configuration.mdx 
@@ -53,8 +53,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico_versioned_docs/version-3.25/reference/host-endpoints/failsafe.mdx b/calico_versioned_docs/version-3.25/reference/host-endpoints/failsafe.mdx index 14e4425796..e3bd9ec4cd 100644 --- a/calico_versioned_docs/version-3.25/reference/host-endpoints/failsafe.mdx +++ b/calico_versioned_docs/version-3.25/reference/host-endpoints/failsafe.mdx @@ -28,7 +28,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico_versioned_docs/version-3.25/reference/resources/felixconfig.mdx b/calico_versioned_docs/version-3.25/reference/resources/felixconfig.mdx index f563bc4c61..d136bf99b3 100644 --- a/calico_versioned_docs/version-3.25/reference/resources/felixconfig.mdx +++ b/calico_versioned_docs/version-3.25/reference/resources/felixconfig.mdx 
@@ -190,6 +190,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### RouteTableRange The `RouteTableRange` option is now deprecated in favor of [RouteTableRanges](#routetableranges). diff --git a/calico_versioned_docs/version-3.26/reference/felix/configuration.mdx b/calico_versioned_docs/version-3.26/reference/felix/configuration.mdx index 915bf77ef2..5739b1f536 100644 --- a/calico_versioned_docs/version-3.26/reference/felix/configuration.mdx +++ b/calico_versioned_docs/version-3.26/reference/felix/configuration.mdx 
@@ -53,8 +53,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico_versioned_docs/version-3.26/reference/host-endpoints/failsafe.mdx b/calico_versioned_docs/version-3.26/reference/host-endpoints/failsafe.mdx index 14e4425796..e3bd9ec4cd 100644 --- a/calico_versioned_docs/version-3.26/reference/host-endpoints/failsafe.mdx +++ b/calico_versioned_docs/version-3.26/reference/host-endpoints/failsafe.mdx @@ -28,7 +28,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico_versioned_docs/version-3.26/reference/resources/felixconfig.mdx b/calico_versioned_docs/version-3.26/reference/resources/felixconfig.mdx index 2604b86005..675463bd75 100644 --- a/calico_versioned_docs/version-3.26/reference/resources/felixconfig.mdx +++ b/calico_versioned_docs/version-3.26/reference/resources/felixconfig.mdx 
@@ -190,6 +190,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### RouteTableRange The `RouteTableRange` option is now deprecated in favor of [RouteTableRanges](#routetableranges). diff --git a/calico_versioned_docs/version-3.27/reference/felix/configuration.mdx b/calico_versioned_docs/version-3.27/reference/felix/configuration.mdx index 93118dd77d..7a2fca1462 100644 --- a/calico_versioned_docs/version-3.27/reference/felix/configuration.mdx +++ b/calico_versioned_docs/version-3.27/reference/felix/configuration.mdx 
@@ -53,8 +53,8 @@ The full list of parameters which can be set is as follows. | `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int | | `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean | | `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string | -| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | -| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. 
The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string | +| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | +| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. 
[Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | | | `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string | | `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean | | `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string | diff --git a/calico_versioned_docs/version-3.27/reference/host-endpoints/failsafe.mdx b/calico_versioned_docs/version-3.27/reference/host-endpoints/failsafe.mdx index 14e4425796..e3bd9ec4cd 100644 --- a/calico_versioned_docs/version-3.27/reference/host-endpoints/failsafe.mdx +++ b/calico_versioned_docs/version-3.27/reference/host-endpoints/failsafe.mdx @@ -28,7 +28,7 @@ The lists of failsafe ports can be configured via the configuration parameters `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` described in [Configuring Felix](../felix/configuration.mdx) . They -can be disabled by setting each configuration value to "none". +can be disabled by setting each configuration value to "[]". :::note diff --git a/calico_versioned_docs/version-3.27/reference/resources/felixconfig.mdx b/calico_versioned_docs/version-3.27/reference/resources/felixconfig.mdx index 78a02bd1b4..74218c6b20 100644 --- a/calico_versioned_docs/version-3.27/reference/resources/felixconfig.mdx +++ b/calico_versioned_docs/version-3.27/reference/resources/felixconfig.mdx 
@@ -45,8 +45,8 @@ spec: | deviceRouteSourceAddressIPv6 | IPv6 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv6 | string | `""` | | deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT | | externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes that can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` | -| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- protocol: tcp
  port: 22
- protocol: udp
  port: 68
- protocol: tcp
  port: 179
- protocol: tcp
  port: 2379
- protocol: tcp
  port: 2380
- protocol: tcp
  port: 5473
- protocol: tcp
  port: 6443
- protocol: tcp
  port: 6666
- protocol: tcp
  port: 6667

| -| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- protocol: udp
  port: 53
- protocol: udp
  port: 67
- protocol: tcp
  port: 179
- protocol: tcp
  port: 2379
- protocol: tcp
  port: 2380
- protocol: tcp
  port: 5473
- protocol: tcp
  port: 6443
- protocol: tcp
  port: 6666
- protocol: tcp
  port: 6667

| +| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- net: ""
  protocol: tcp
  port: 22
- net: ""
  protocol: udp
  port: 68
- net: ""
  protocol: tcp
  port: 179
- net: ""
  protocol: tcp
  port: 2379
- net: ""
  protocol: tcp
  port: 2380
- net: ""
  protocol: tcp
  port: 5473
- net: ""
  protocol: tcp
  port: 6443
- net: ""
  protocol: tcp
  port: 6666
- net: ""
  protocol: tcp
  port: 6667

| +| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) |

- net: ""
  protocol: udp
  port: 53
- net: ""
  protocol: udp
  port: 67
- net: ""
  protocol: tcp
  port: 179
- net: ""
  protocol: tcp
  port: 2379
- net: ""
  protocol: tcp
  port: 2380
- net: ""
  protocol: tcp
  port: 5473
- net: ""
  protocol: tcp
  port: 6443
- net: ""
  protocol: tcp
  port: 6666
- net: ""
  protocol: tcp
  port: 6667

| | featureDetectOverride | Is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected. | string | string | `""` | | genericXDPEnabled | When enabled, Felix can fallback to the non-optimized `generic` XDP mode. This should only be used for testing since it doesn't improve performance over the non-XDP mode. | true,false | boolean | `false` | | interfaceExclude | A comma-separated list of interface names that should be excluded when Felix is resolving host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude all interfaces that begin with `kube` and also the interface `veth1`. | string | string | `kube-ipvs0` | @@ -195,6 +195,25 @@ A timeout value of 0 disables the timeout. | protocol | The protocol match | tcp, udp, sctp | string | | net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string | +Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement. + +```yaml noValidation + ... +spec: + failsafeInboundHostPorts: + - net: "192.168.1.1/32" + port: 22 + protocol: tcp + - net: "" + port: 67 + protocol: udp +failsafeOutboundHostPorts: + - net: "0.0.0.0/0" + port: 67 + protocol: udp + ... +``` + ### RouteTableRange The `RouteTableRange` option is now deprecated in favor of [RouteTableRanges](#routetableranges).
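Review bot: In the `@@ -190,6 +190,25 @@` hunk that adds the `net` example, `failsafeOutboundHostPorts:` is not indented under `spec:` while `failsafeInboundHostPorts:` is, so the two keys end up at different levels and the block is not valid FelixConfiguration YAML; indent it to match (`  failsafeOutboundHostPorts:`). The fence is tagged `noValidation`, so this presumably is not machine-checked and needs a manual look. The lead sentence would also read more cleanly as "In the following example, `net: ""` and `net: "0.0.0.0/0"` are treated identically during policy enforcement."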
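Review bot: The new `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` rows in version-3.27/reference/felix/configuration.mdx (`@@ -53,8 +53,8 @@`) call the element type "PortProto struct objects", while the resources/felixconfig.mdx rows in this same change link to it as `[ProtoPort](#protoport)`; use one name on both pages. With the type column changed from `string` to `list`, the rows should also say what encoding the `FELIX_FAILSAFE*HOSTPORTS` environment variables accept (the defaults are shown as a JSON array, which suggests JSON). The default values have inconsistent spacing between elements (`{"port":2379,"protocol":"tcp"}, {"port":2380,...}` and `{"port": 6666,...}`), and the outbound row appears to end with an extra cell delimiter (`| list | |`), which would render as an empty trailing column; please check the rendered table.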
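Review bot: In the version-3.27 host-endpoints/failsafe.mdx hunk (`@@ -28,7 +28,7 @@`), the replacement value is written as the quoted string `"[]"`, which reads as a literal string containing brackets rather than an empty list; the configuration page in this same change types these parameters as `list` and writes the disable value as `[]` in code formatting, so match that here, e.g. "can be disabled by setting each configuration value to an empty list (`[]`)."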
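Review bot: In the version-3.27 resources/felixconfig.mdx `@@ -45,8 +45,8 @@` hunk, the `failsafeOutboundHostPorts` description still says "UDP/TCP/SCTP protocol/port groupings" while every default entry now carries a `net` field and the inbound row says "protocol/cidr/port groupings"; update the outbound description to mention the cidr as well. Adding `net: ""` to every default entry also conveys nothing beyond the unset default (the same change documents that an unspecified CIDR allows all addresses), so consider leaving the defaults as they were and documenting `net` once in the ProtoPort table, which keeps the rendered table shorter. The accepted-values cell of both rows remains empty (`| | List of [ProtoPort](#protoport) |`).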
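Review bot: In the `@@ -195,6 +195,25 @@` hunk of version-3.27 resources/felixconfig.mdx, `failsafeOutboundHostPorts:` sits at the same indentation as `spec:` while `failsafeInboundHostPorts:` is nested under it; indent the outbound key so the example is valid FelixConfiguration YAML. The sentence before the example says only that `net: ""` and `net: "0.0.0.0/0"` are processed the same, which covers IPv4; since the ProtoPort table just above accepts "any valid CIDR", state whether `net: ""` also matches IPv6 sources so that readers replacing `""` with an explicit CIDR do not narrow a fail-safe rule unintentionally.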