bpf:nat: avoid SNAT from tracking wireguard #35900
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit refactors into a separate function `ctx_mark_is_wireguard` the check whether the packet mark contains the`MARK_MAGIC_WG_ENCRYPTED` or not. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
This commit adds a check to skip SNAT in case of WireGuard traffic. For certain configs, such as when the node-to-node IPv4 address is equal to IPV4_MASQUERADE or IPV4_DIRECT_ROUTING, our engine detects that it potentially conflicts with, for instance, masqueraded traffic. Creating SNAT entries for WireGuard makes little sense, especially considering that replies will be addressed by the WG_PORT. Avoiding such SNAT tracking slightly reduces the pressure on the CT and NAT maps. Here there's and example of the content of the `nat` map before applying this patch (note the two WireGuard-related entries): ```bash UDP OUT 172.18.0.4:51871 -> 172.18.0.3:51871 XLATE_SRC 172.18.0.4:51871 Created=13606sec ago NeedsCT=1 UDP IN 172.18.0.3:51871 -> 172.18.0.4:51871 XLATE_DST 172.18.0.4:51871 Created=13606sec ago NeedsCT=1 ``` Part of: cilium#34089 Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
3020dea to
6227d32
Compare
|
/test |
|
Make sense. For wg traffic, handle_nat_fwd() should have done for plain-text skbs at to-wireguard. This also reduces bpf complexity. |
aspsk
approved these changes
Nov 27, 2024
|
Adding to my queue. All looks as expected, just want to make sure that we captured the full thought process :) |
julianwiedmann
approved these changes
Nov 27, 2024
There was a problem hiding this comment.
Looks great, thank you!
While looking at the code change, I was thinking that maybe in the future we even want to skip over most/all of the subsequent conditions (eg. EgressGW) if the packet is our own Wireguard traffic. Have a goto straight to the exit epilogue.
Probably also skipping the HostFirewall on our already-encrypted WireGuard packet (a potential policy would have matched against the plain packet first, right?) |
yep that's a bit of open discussion still - should we skip the HostFW for Cilium-originated host traffic (overlay, wireguard, ...). And how would that look like on Ingress (where we can only match the traffic by protocol/port, not by actual |
This was referenced Apr 3, 2025
9 tasks
chris-sanders
added a commit
to chris-sanders/argocd
that referenced
this pull request
Jun 23, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | patch | `1.15.10` -> `1.15.18` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.15.18`](https://github.com/cilium/cilium/releases/tag/v1.15.18): 1.15.18 [Compare Source](https://github.com/cilium/cilium/compare/1.15.17...1.15.18) ## Summary of Changes **Bugfixes:** - Policy updates to Envoy no longer consider a single selector as an L3 wildcard. Cilium bpf datapath policy enforcement is not done for Cilium Ingress policy enforcement so the L3 identity needs to be enforced in all cases. (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39511](https://github.com/cilium/cilium/issues/39511), [@​jrajahalme](https://github.com/jrajahalme)) **CI Changes:** - bpf: test: fix up mis-spelled HAVE_NETNS_COOKIE (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39420](https://github.com/cilium/cilium/issues/39420), [@​julianwiedmann](https://github.com/julianwiedmann)) - call for metrics in smoke tests from runner instead of installing apt/curl on cilium pod (Backport PR [#​39864](https://github.com/cilium/cilium/issues/39864), Upstream PR [#​37362](https://github.com/cilium/cilium/issues/37362), [@​Artyop](https://github.com/Artyop)) - Re-optimize CI build process (Backport PR [#​39864](https://github.com/cilium/cilium/issues/39864), Upstream PR [#​39802](https://github.com/cilium/cilium/issues/39802), [@​aanm](https://github.com/aanm)) **Misc Changes:** - \[v1.15] deps: bump github.com/osrg/gobgp/v3 to v3.35.0 ([#​39224](https://github.com/cilium/cilium/issues/39224), [@​ferozsalam](https://github.com/ferozsalam)) - Add a section to talk about the native routing masquerading in the cloud environment. (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39343](https://github.com/cilium/cilium/issues/39343), [@​liyihuang](https://github.com/liyihuang)) - bpf: Skip lxc src IP check for proxy traffic (Backport PR [#​39562](https://github.com/cilium/cilium/issues/39562), Upstream PR [#​39530](https://github.com/cilium/cilium/issues/39530), [@​sayboras](https://github.com/sayboras)) - chore(deps): update all github action dependencies (v1.15) ([#​39479](https://github.com/cilium/cilium/issues/39479), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39572](https://github.com/cilium/cilium/issues/39572), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39710](https://github.com/cilium/cilium/issues/39710), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39881](https://github.com/cilium/cilium/issues/39881), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v31 (v1.15) ([#​39612](https://github.com/cilium/cilium/issues/39612), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.3 docker digest to [`4c0a181`](https://github.com/cilium/cilium/commit/4c0a181) (v1.15) ([#​39708](https://github.com/cilium/cilium/issues/39708), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.24.3 docker digest to [`86b4cff`](https://github.com/cilium/cilium/commit/86b4cff) (v1.15) ([#​39611](https://github.com/cilium/cilium/issues/39611), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.4 (v1.15) ([#​39953](https://github.com/cilium/cilium/issues/39953), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749031919-98c55b1d0c1154fb6c9e760583c2dcd7778686e2 (v1.15) ([#​39888](https://github.com/cilium/cilium/issues/39888), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1749271279-0864395884b263913eac200ee2048fd985f8e626 (v1.15) ([#​39937](https://github.com/cilium/cilium/issues/39937), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​39709](https://github.com/cilium/cilium/issues/39709), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) **Other Changes:** - \[v1.15] proxy: Bump cilium/proxy version ([#​39592](https://github.com/cilium/cilium/issues/39592), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.17 ([#​39546](https://github.com/cilium/cilium/issues/39546), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.18@​sha256:106bb45c89e1e0abca82c798b16ccc1f5b1c6cfa1205d811b69989fd1507fc5b` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.18@​sha256:66cb9687dd45c4d014f5d31186cb5609c13183d5a04352d2d9008e88329c59f0` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.18@​sha256:9e205b34ffab2c7b7f9c8b0a7d4f97f2ebb61dd33f4fec061cf146835bcd3b18` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.18@​sha256:a8a4337d518fafdd410dfc1d5cd2c1992f0406127d12ed8fcd683ed55e1e9db0` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.18@​sha256:cefdfcda5a99703024a9d718e69d206844b5f745e4752eeb29797fdb5f19d905` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.18@​sha256:126148f28186ab1704d8dd92d93aa06746f3a1f7c06e650735a32875415c5378` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.18@​sha256:b705c0090b34611f75dc93caef52c7a52aa53a4f72a5fa39885fc08463197d93` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.18@​sha256:ebc7a075ac4c3d95e98f11512853feb700e48f87b5beeff466128bdafb5e0cb9` ##### operator `quay.io/cilium/operator:v1.15.18@​sha256:e0c95bf661245a233b8ad5f0426f1e4ebc69192fc232c9a810577e35a3e43a51` ### [`v1.15.17`](https://github.com/cilium/cilium/releases/tag/v1.15.17): 1.15.17 [Compare Source](https://github.com/cilium/cilium/compare/1.15.16...1.15.17) ## Summary of Changes **Minor Changes:** - Update kafka apiKey helm chart value to true (Backport PR [#​39216](https://github.com/cilium/cilium/issues/39216), Upstream PR [#​38963](https://github.com/cilium/cilium/issues/38963), [@​kyle-c-simmons](https://github.com/kyle-c-simmons)) **Bugfixes:** - Fix a deadlock when a host has no IPv4 address. (Backport PR [#​39078](https://github.com/cilium/cilium/issues/39078), Upstream PR [#​38938](https://github.com/cilium/cilium/issues/38938), [@​EmilyShepherd](https://github.com/EmilyShepherd)) - Fix bug that would cause the `cilium-dbg encrypt status` command to not list any decryption interfaces when KPR is enabled. (Backport PR [#​39216](https://github.com/cilium/cilium/issues/39216), Upstream PR [#​39170](https://github.com/cilium/cilium/issues/39170), [@​pchaigno](https://github.com/pchaigno)) - k8s: Fixed a case when delete event for service endpointslices might have been missed if connectivity to k8s apiserver was broken causing stale service cache for service. (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38779](https://github.com/cilium/cilium/issues/38779), [@​marseel](https://github.com/marseel)) **CI Changes:** - \[v1.15] .github: provide correct env variables to api/v1 Makefile ([#​39286](https://github.com/cilium/cilium/issues/39286), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] go.mod, vendor: update github.com/cilium/linters to v0.20.0 ([#​39394](https://github.com/cilium/cilium/issues/39394), [@​tklauser](https://github.com/tklauser)) - \[v1.15] l4lb: Support environments with existing veth ([#​39410](https://github.com/cilium/cilium/issues/39410), [@​joestringer](https://github.com/joestringer)) **Misc Changes:** - Add the doc for multi-pool ipam about how to update the existing ip pool (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38539](https://github.com/cilium/cilium/issues/38539), [@​liyihuang](https://github.com/liyihuang)) - chore(deps): update all github action dependencies (v1.15) ([#​39055](https://github.com/cilium/cilium/issues/39055), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​39189](https://github.com/cilium/cilium/issues/39189), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​39277](https://github.com/cilium/cilium/issues/39277), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.3 (v1.15) ([#​39321](https://github.com/cilium/cilium/issues/39321), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.23.8 docker digest to [`87bb940`](https://github.com/cilium/cilium/commit/87bb940) (v1.15) ([#​38915](https://github.com/cilium/cilium/issues/38915), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.23.8 docker digest to [`e54daaa`](https://github.com/cilium/cilium/commit/e54daaa) (v1.15) ([#​39052](https://github.com/cilium/cilium/issues/39052), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.24.3 (v1.15) ([#​39188](https://github.com/cilium/cilium/issues/39188), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744679528-43b5c0ea620b5fa8c2e32ed79f113aef89f30e6b (v1.15) ([#​38941](https://github.com/cilium/cilium/issues/38941), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1744798797-f7456c0c30336bbd437eff7743374370e415fc44 (v1.15) ([#​39053](https://github.com/cilium/cilium/issues/39053), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1745916268-e485bbc0c95e30aa233cb06a753789375b12ad18 (v1.15) ([#​39228](https://github.com/cilium/cilium/issues/39228), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.6-1746661844-0f602c28cb2aa57b29078195049fb257d5b5246c (v1.15) ([#​39415](https://github.com/cilium/cilium/issues/39415), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​38972](https://github.com/cilium/cilium/issues/38972), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​39186](https://github.com/cilium/cilium/issues/39186), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​39478](https://github.com/cilium/cilium/issues/39478), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore: remove `retention-days` param in `build-images-releases.yaml` (Backport PR [#​39437](https://github.com/cilium/cilium/issues/39437), Upstream PR [#​39431](https://github.com/cilium/cilium/issues/39431), [@​sekhar-isovalent](https://github.com/sekhar-isovalent)) - contrib: Remove kind.sh dependency on git (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39154](https://github.com/cilium/cilium/issues/39154), [@​joestringer](https://github.com/joestringer)) - docs: Add good kernel versions for the L7 policy IPv6 bug (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39212](https://github.com/cilium/cilium/issues/39212), [@​gentoo-root](https://github.com/gentoo-root)) - docs: Document L7 policy IPv6 bug (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38591](https://github.com/cilium/cilium/issues/38591), [@​gentoo-root](https://github.com/gentoo-root)) - docs: Fix casing and formatting in L3 examples section (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39065](https://github.com/cilium/cilium/issues/39065), [@​mikejoh](https://github.com/mikejoh)) - docs: The Installation on OpenShift OKD document has been updated to link to maintained operators for Cilium (Isovalent Enterprise for Cilium). This operator is validated on all current versions of OpenShift. (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​38886](https://github.com/cilium/cilium/issues/38886), [@​auriaave](https://github.com/auriaave)) - Documentation : Modification of eks-clustermesh-prep.rst (Backport PR [#​39406](https://github.com/cilium/cilium/issues/39406), Upstream PR [#​39025](https://github.com/cilium/cilium/issues/39025), [@​rwinieski](https://github.com/rwinieski)) - documentation: fix get deployment cmd (Backport PR [#​39216](https://github.com/cilium/cilium/issues/39216), Upstream PR [#​39155](https://github.com/cilium/cilium/issues/39155), [@​g0gn](https://github.com/g0gn)) - k8s/resource: Don't Add to WaitGroup asynchronously (Backport PR [#​38952](https://github.com/cilium/cilium/issues/38952), Upstream PR [#​38692](https://github.com/cilium/cilium/issues/38692), [@​joamaki](https://github.com/joamaki)) - make: fix golangci-lint version detection (Backport PR [#​39078](https://github.com/cilium/cilium/issues/39078), Upstream PR [#​38996](https://github.com/cilium/cilium/issues/38996), [@​mhofstetter](https://github.com/mhofstetter)) - workflows: fix lint-workflows (Backport PR [#​39401](https://github.com/cilium/cilium/issues/39401), Upstream PR [#​39398](https://github.com/cilium/cilium/issues/39398), [@​aanm](https://github.com/aanm)) **Other Changes:** - \[v1.15] deps: bump golang-jwt to 4.5.2 ([#​39496](https://github.com/cilium/cilium/issues/39496), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] integration: Regenerate consul certs ([#​39350](https://github.com/cilium/cilium/issues/39350), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.16 ([#​38935](https://github.com/cilium/cilium/issues/38935), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.17@​sha256:8824313a6f17d934b4e63902fee71e6ca36be6f69d68ae174df28f1b0705e587` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.17@​sha256:b5ed33d4a9b006ee3ef367a1b3b23468aa6b32c028557e2c1a47dd2659f100a4` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.17@​sha256:9910861a1d7d82a81f416d6d2f776d4195e1c3671999be14d44b12316fd22724` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.17@​sha256:f46adc030903f2804e7c29d8da7cc9e9c4ef846de5eb84ba76cf74f2c483872e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.17@​sha256:74b07708a934fcf335a743d11296e98b32d32d7a79d0940eaba3652ca248960f` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.17@​sha256:7a0fee345e04e99768269ec63511070a8cf0202a5c5ca723d1b2ab4fe4118276` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.17@​sha256:d710a965d783c4294ac07f86ad3044ab1321cdafdec681b5d26b9ca3cfffabd7` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.17@​sha256:a0f5b5dc8cecd4e5ead7d3bddb3756e4b34beba8e7aa089e7e2fb761725defe1` ##### operator `quay.io/cilium/operator:v1.15.17@​sha256:182e44c2533c6b18af64d914c3f7587940c091bb9fb360dacea6430b071b22de` ### [`v1.15.16`](https://github.com/cilium/cilium/releases/tag/v1.15.16): 1.15.16 [Compare Source](https://github.com/cilium/cilium/compare/1.15.15...1.15.16) ## Summary of Changes **Minor Changes:** - datapath: Move WG skb mark check to to-netdev (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​31751](https://github.com/cilium/cilium/issues/31751), [@​brb](https://github.com/brb)) - Reject IPSec key rotation with mismatching key lengths to prevent IPv6 disruptions. (Backport PR [#​38401](https://github.com/cilium/cilium/issues/38401), Upstream PR [#​37936](https://github.com/cilium/cilium/issues/37936), [@​smagnani96](https://github.com/smagnani96)) - Skip WireGuard traffic in the BPF SNAT processing, slightly reducing pressure on the BPF Connection tracking and NAT maps. (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​35900](https://github.com/cilium/cilium/issues/35900), [@​smagnani96](https://github.com/smagnani96)) **Bugfixes:** - bpf: wireguard: avoid ipcache lookup for source's security identity (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​38592](https://github.com/cilium/cilium/issues/38592), [@​julianwiedmann](https://github.com/julianwiedmann)) - Fixed a bug where replies for pod-originating connections came into scope of HostFW Ingress Network policy. Applicable to configurations that use iptables for Masquerading. (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​35694](https://github.com/cilium/cilium/issues/35694), [@​julianwiedmann](https://github.com/julianwiedmann)) - For configurations with --enable-identity-mark=false, don't attempt to retrieve the source identity from skb->mark. (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​38737](https://github.com/cilium/cilium/issues/38737), [@​julianwiedmann](https://github.com/julianwiedmann)) **CI Changes:** - build: update golangci-lint to v2.0.0 (Backport PR [#​38633](https://github.com/cilium/cilium/issues/38633), Upstream PR [#​38473](https://github.com/cilium/cilium/issues/38473), [@​mhofstetter](https://github.com/mhofstetter)) - ci: build CI images within merge group (Backport PR [#​38524](https://github.com/cilium/cilium/issues/38524), Upstream PR [#​38065](https://github.com/cilium/cilium/issues/38065), [@​marseel](https://github.com/marseel)) - ci: prepare CI Image build for being required (Backport PR [#​38524](https://github.com/cilium/cilium/issues/38524), Upstream PR [#​38320](https://github.com/cilium/cilium/issues/38320), [@​marseel](https://github.com/marseel)) - Clear traced UDP v4/v6 connections on check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38264](https://github.com/cilium/cilium/issues/38264), [@​smagnani96](https://github.com/smagnani96)) - Ensure packet protocol before using L4 ports in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38290](https://github.com/cilium/cilium/issues/38290), [@​smagnani96](https://github.com/smagnani96)) - Extend tracing with IP length and whether src/dst pod are CiliumInternalIP in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38281](https://github.com/cilium/cilium/issues/38281), [@​smagnani96](https://github.com/smagnani96)) - Fix checked L4 port for UDP IPv6 packets in check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38265](https://github.com/cilium/cilium/issues/38265), [@​smagnani96](https://github.com/smagnani96)) - Fix endianness for WireGuard UDP traffic in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38292](https://github.com/cilium/cilium/issues/38292), [@​smagnani96](https://github.com/smagnani96)) - Fix erroneous TCP RST condition when no TCP packets in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38291](https://github.com/cilium/cilium/issues/38291), [@​smagnani96](https://github.com/smagnani96)) - gh: aws-cni: set --enable-identity-mark=false option (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​38738](https://github.com/cilium/cilium/issues/38738), [@​julianwiedmann](https://github.com/julianwiedmann)) - gh: ci-e2e-upgrade: Add encryption leak checks for wireguard (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​37551](https://github.com/cilium/cilium/issues/37551), [@​jschwinger233](https://github.com/jschwinger233)) - gh: update naming for bpftrace leak detection script (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​37865](https://github.com/cilium/cilium/issues/37865), [@​julianwiedmann](https://github.com/julianwiedmann)) - Introduce tracing log info for ICMP v4/v6 packets in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38278](https://github.com/cilium/cilium/issues/38278), [@​smagnani96](https://github.com/smagnani96)) - Manual encap checks for when $skb->encapsulation is unset in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38293](https://github.com/cilium/cilium/issues/38293), [@​smagnani96](https://github.com/smagnani96)) - Print skb pointer and correlate timestamp for subsequent trace logs in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38266](https://github.com/cilium/cilium/issues/38266), [@​smagnani96](https://github.com/smagnani96)) - Refactoring and code comments for the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38263](https://github.com/cilium/cilium/issues/38263), [@​smagnani96](https://github.com/smagnani96)) - Report masqueraded flow through proxy in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38297](https://github.com/cilium/cilium/issues/38297), [@​smagnani96](https://github.com/smagnani96)) - Shift header references when encap and move leak check on CiliumInternalIP in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38280](https://github.com/cilium/cilium/issues/38280), [@​smagnani96](https://github.com/smagnani96)) - Skip tracking DNS proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38289](https://github.com/cilium/cilium/issues/38289), [@​smagnani96](https://github.com/smagnani96)) - Skip tracking TCP proxy connection with CiliumInternalIPs for IPSec in the check-encryption-leak script. (Backport PR [#​38522](https://github.com/cilium/cilium/issues/38522), Upstream PR [#​38287](https://github.com/cilium/cilium/issues/38287), [@​smagnani96](https://github.com/smagnani96)) - Split TCP-related leak report into a separate log line with also seq/ack n. in the check-encryption-leak script. (Backport PR [#​38742](https://github.com/cilium/cilium/issues/38742), Upstream PR [#​38268](https://github.com/cilium/cilium/issues/38268), [@​smagnani96](https://github.com/smagnani96)) - test: Update FQDN related domain and IP (Backport PR [#​38771](https://github.com/cilium/cilium/issues/38771), Upstream PR [#​38754](https://github.com/cilium/cilium/issues/38754), [@​sayboras](https://github.com/sayboras)) **Misc Changes:** - \[v1.15] deps: bump package x/net ([#​38360](https://github.com/cilium/cilium/issues/38360), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] Manually fix builder image ([#​38748](https://github.com/cilium/cilium/issues/38748), [@​smagnani96](https://github.com/smagnani96)) - \[v1.15] Update oauth to 0.27.0. ([#​38457](https://github.com/cilium/cilium/issues/38457), [@​kyle-c-simmons](https://github.com/kyle-c-simmons)) - bpf: host: identify Cilium's Wireguard traffic as from HOST (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​37956](https://github.com/cilium/cilium/issues/37956), [@​julianwiedmann](https://github.com/julianwiedmann)) - bpf: propagate src sec id from ingress bpf_overlay to egress bpf_host (Backport PR [#​38776](https://github.com/cilium/cilium/issues/38776), Upstream PR [#​32871](https://github.com/cilium/cilium/issues/32871), [@​jibi](https://github.com/jibi)) - chore(deps): update all github action dependencies (v1.15) ([#​38332](https://github.com/cilium/cilium/issues/38332), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​38428](https://github.com/cilium/cilium/issues/38428), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​38719](https://github.com/cilium/cilium/issues/38719), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38305](https://github.com/cilium/cilium/issues/38305), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38443](https://github.com/cilium/cilium/issues/38443), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38697](https://github.com/cilium/cilium/issues/38697), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.3 (v1.15) ([#​38732](https://github.com/cilium/cilium/issues/38732), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.2 (v1.15) ([#​38715](https://github.com/cilium/cilium/issues/38715), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v30 (v1.15) ([#​38333](https://github.com/cilium/cilium/issues/38333), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v30.2 (v1.15) ([#​38718](https://github.com/cilium/cilium/issues/38718), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/busybox:1.36.1 docker digest to [`e246aa2`](https://github.com/cilium/cilium/commit/e246aa2) (v1.15) ([#​38329](https://github.com/cilium/cilium/issues/38329), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.23.7 docker digest to [`cb45cf7`](https://github.com/cilium/cilium/commit/cb45cf7) (v1.15) ([#​38330](https://github.com/cilium/cilium/issues/38330), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.8 (v1.15) ([#​38716](https://github.com/cilium/cilium/issues/38716), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update kindest/node docker tag to v1.29.14 (v1.15) ([#​38331](https://github.com/cilium/cilium/issues/38331), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module github.com/containerd/containerd to v1.7.27 \[security] (v1.15) ([#​38248](https://github.com/cilium/cilium/issues/38248), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1742184290-6036296930bb05a4870ef40867ca33baec4489e6 (v1.15) ([#​38259](https://github.com/cilium/cilium/issues/38259), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.6-1742515223-dd05ea7be73de22390a6542e87f1834ef0d61ec9 (v1.15) ([#​38386](https://github.com/cilium/cilium/issues/38386), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.32.5-1743993953-6f87ef30cb1aca19e233099304bd08d689f380dd (v1.15) ([#​38775](https://github.com/cilium/cilium/issues/38775), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​38318](https://github.com/cilium/cilium/issues/38318), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​38717](https://github.com/cilium/cilium/issues/38717), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: Add missing kernel options to system requirements documentation to help users with custom kernels. (Backport PR [#​38524](https://github.com/cilium/cilium/issues/38524), Upstream PR [#​38173](https://github.com/cilium/cilium/issues/38173), [@​yrsuthari](https://github.com/yrsuthari)) - docs: clarify hubble flow filter match semantics (Backport PR [#​38702](https://github.com/cilium/cilium/issues/38702), Upstream PR [#​38657](https://github.com/cilium/cilium/issues/38657), [@​devodev](https://github.com/devodev)) - Documentation: "cilium config set" restarts by default (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​38114](https://github.com/cilium/cilium/issues/38114), [@​joamaki](https://github.com/joamaki)) - Documentation: fix mentions of per-node `cilium-dbg` tool (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​38276](https://github.com/cilium/cilium/issues/38276), [@​tklauser](https://github.com/tklauser)) - images: bump distroless to static (Backport PR [#​38696](https://github.com/cilium/cilium/issues/38696), Upstream PR [#​38647](https://github.com/cilium/cilium/issues/38647), [@​kaworu](https://github.com/kaworu)) - pkg/endpoint: fix race in unit test (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​38129](https://github.com/cilium/cilium/issues/38129), [@​squeed](https://github.com/squeed)) - remove the endpointRoutes for aws cni in the doc (Backport PR [#​38702](https://github.com/cilium/cilium/issues/38702), Upstream PR [#​38381](https://github.com/cilium/cilium/issues/38381), [@​liyihuang](https://github.com/liyihuang)) - wireguard: attach Ingress program for native routing mode configurations (Backport PR [#​38301](https://github.com/cilium/cilium/issues/38301), Upstream PR [#​37108](https://github.com/cilium/cilium/issues/37108), [@​julianwiedmann](https://github.com/julianwiedmann)) **Other Changes:** - \[v1.15] images: Update runtime and builder image ([#​38382](https://github.com/cilium/cilium/issues/38382), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.15 ([#​38206](https://github.com/cilium/cilium/issues/38206), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - proxy: Bump envoy version to 1.32.x ([#​38449](https://github.com/cilium/cilium/issues/38449), [@​sayboras](https://github.com/sayboras)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.16@​sha256:17dc69791a5d28a1ea88c149c6798cc9608ebb66c5e8b79a88453207f0cb55a1` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.16@​sha256:6198f79a3f286ac2050349e78474e00ac1e28100b550e075cc724aa8283143af` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.16@​sha256:e50b3c41b472d28a1cbc359b2365a6f657daf57eb38f67cff43b42c16602f870` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.16@​sha256:e1e2c6740fc093dc6cf9c486ba66eb68e5ab1a58fe90a9669868cd24b5dc2a0e` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.16@​sha256:1f314bba1c3e7d95a011fc0f0f3945fefc1cbbd3adae7e63e7fac3f923b2163e` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.16@​sha256:5cc6fd7202470c53b06a155748cf3ebe169bac01199bc49e86040dad71d29f69` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.16@​sha256:0d33a1564a0d30c10963c28e9ee1355371c62a2b4af6320b7bf80eb36210fb06` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.16@​sha256:0467e7bc9929a4ed49d9d8a4dee8e0844ee5e711bb41cde63dc6ea0d0eb8f20a` ##### operator `quay.io/cilium/operator:v1.15.16@​sha256:059214812db468cc7b2dc04cde012f95c2e311a5acb5e2391d2656d7af0c8cfe` ### [`v1.15.15`](https://github.com/cilium/cilium/releases/tag/v1.15.15): 1.15.15 [Compare Source](https://github.com/cilium/cilium/compare/1.15.14...1.15.15) ## Summary of Changes **Minor Changes:** - docs: clarify wording of remote-nodes in context of a clustermesh (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​37989](https://github.com/cilium/cilium/issues/37989), [@​oblazek](https://github.com/oblazek)) **Bugfixes:** - Egress route reconciliation (Backport PR [#​38124](https://github.com/cilium/cilium/issues/38124), Upstream PR [#​37962](https://github.com/cilium/cilium/issues/37962), [@​dylandreimerink](https://github.com/dylandreimerink)) - Fix creation and deletion of host port maps that would occasionally leave pods without them (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37419](https://github.com/cilium/cilium/issues/37419), [@​javanthropus](https://github.com/javanthropus)) - Fix envoy metrics could not be obtained on IPv6-only clusters (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37818](https://github.com/cilium/cilium/issues/37818), [@​haozhangami](https://github.com/haozhangami)) - Fix: cilium-operator no longer patches services on shutdown (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​37967](https://github.com/cilium/cilium/issues/37967), [@​rsafonseca](https://github.com/rsafonseca)) **CI Changes:** - .github: Remove misleading step from ipsec workflow (Backport PR [#​37744](https://github.com/cilium/cilium/issues/37744), Upstream PR [#​37681](https://github.com/cilium/cilium/issues/37681), [@​joestringer](https://github.com/joestringer)) - ci: add leak detection to conformance-ipsec-upgrade (Backport PR [#​36576](https://github.com/cilium/cilium/issues/36576), Upstream PR [#​36377](https://github.com/cilium/cilium/issues/36377), [@​smagnani96](https://github.com/smagnani96)) - CI: GKE backslash missing disable insecure kubelet (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37850](https://github.com/cilium/cilium/issues/37850), [@​auriaave](https://github.com/auriaave)) - CI: GKE, disable insecure kubelet readonly port (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37844](https://github.com/cilium/cilium/issues/37844), [@​auriaave](https://github.com/auriaave)) - ci: switch to monitor aggregation medium (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​38036](https://github.com/cilium/cilium/issues/38036), [@​marseel](https://github.com/marseel)) - Cleanups after LLVM upgrade. (Backport PR [#​37800](https://github.com/cilium/cilium/issues/37800), Upstream PR [#​32067](https://github.com/cilium/cilium/issues/32067), [@​gentoo-root](https://github.com/gentoo-root)) **Misc Changes:** - .github: add missing files to build-image base images ([#​38066](https://github.com/cilium/cilium/issues/38066), [@​aanm](https://github.com/aanm)) - chore(deps): update all github action dependencies (v1.15) ([#​37954](https://github.com/cilium/cilium/issues/37954), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37999](https://github.com/cilium/cilium/issues/37999), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​38050](https://github.com/cilium/cilium/issues/38050), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.0 (v1.15) ([#​37953](https://github.com/cilium/cilium/issues/37953), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.18.2 (v1.15) ([#​38078](https://github.com/cilium/cilium/issues/38078), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.7 (v1.15) ([#​38000](https://github.com/cilium/cilium/issues/38000), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 \[security] (v1.15) ([#​37835](https://github.com/cilium/cilium/issues/37835), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1741765102-efed3defcc70ab5b263a0fc44c93d316b846a211 (v1.15) ([#​38150](https://github.com/cilium/cilium/issues/38150), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: fix broken links (Backport PR [#​38107](https://github.com/cilium/cilium/issues/38107), Upstream PR [#​37995](https://github.com/cilium/cilium/issues/37995), [@​nueavv](https://github.com/nueavv)) - Fix helm value for IPAM Multi-Pool (Backport PR [#​38013](https://github.com/cilium/cilium/issues/38013), Upstream PR [#​37963](https://github.com/cilium/cilium/issues/37963), [@​saintdle](https://github.com/saintdle)) - images: update cilium-runtime/builder images ([#​38186](https://github.com/cilium/cilium/issues/38186), [@​jrajahalme](https://github.com/jrajahalme)) - Remove grpc-health-probe binary from the Hubble Relay image as it is no longer used (Backport PR [#​37899](https://github.com/cilium/cilium/issues/37899), Upstream PR [#​37806](https://github.com/cilium/cilium/issues/37806), [@​rolinh](https://github.com/rolinh)) **Other Changes:** - \[v1.15] Revert "chore(deps): update dependency cilium/cilium-cli to v0.18.0" ([#​38004](https://github.com/cilium/cilium/issues/38004), [@​julianwiedmann](https://github.com/julianwiedmann)) - install: Update image digests for v1.15.14 ([#​37710](https://github.com/cilium/cilium/issues/37710), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) - v1.15: gh/workflows: Remove conformance-externalworkloads ([#​37740](https://github.com/cilium/cilium/issues/37740), [@​brb](https://github.com/brb)) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.15@​sha256:d389a21c8ceefbb86e7f1a15b18a5a6a5b372431b2528314fa456133a7617e7a` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.15@​sha256:cec3446d019af240d99ae14f8550fb7f59c02066535130f4b609fadb5b63f79b` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.15@​sha256:abe0e3fb8f3826e21b93cba3b5b8bc153b8bc50f7b7a1defd8dee01ae3a87898` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.15@​sha256:2dd532b06f802303634515172c40592d79e06cfad579c98411ad976879a0c099` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.15@​sha256:023a341d0b873321a952dc3526be791db212a261e3de8e5c38064cc4a17da096` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.15@​sha256:fdffd54ba7d2ded8d893b14d37c4afdf29bf2c6404f2da3d1eba0bab788972fc` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.15@​sha256:e34a52ca2503ef9168a2710431c341b780c55303aabea7d4183bc619d4ce0ed9` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.15@​sha256:6f107958d9028a5a43efa7aaef941b3ae7f7e8f479ff9e4408b116a5eda56abe` ##### operator `quay.io/cilium/operator:v1.15.15@​sha256:99d7fceaf5814dfe5aae37e6dcd55ed75ac937dd5ce8e347c0dc8ad169cd7559` ### [`v1.15.14`](https://github.com/cilium/cilium/releases/tag/v1.15.14): 1.15.14 [Compare Source](https://github.com/cilium/cilium/compare/1.15.13...1.15.14) ## Summary of Changes **Bugfixes:** - Fix bug potentially causing newly added endpoints to remain stuck in waiting-to-regenerate state forever, causing traffic from/to that endpoint to be incorrectly dropped. (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37086](https://github.com/cilium/cilium/issues/37086), [@​giorio94](https://github.com/giorio94)) - Fix specifying multiple interfaces for egress masquerade with enable-masquerade-to-route-source=false (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​36103](https://github.com/cilium/cilium/issues/36103), [@​viktor-kurchenko](https://github.com/viktor-kurchenko)) - Restore the original flag semantics for --egress-masquerade-interfaces to the same as v1.17.0-pre.2 or earlier (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​36504](https://github.com/cilium/cilium/issues/36504), [@​viktor-kurchenko](https://github.com/viktor-kurchenko)) **CI Changes:** - \[v1.16] ctmap/gc: don't clamp conntrack scan timeout in CI (Backport PR [#​37646](https://github.com/cilium/cilium/issues/37646), Upstream PR [#​37380](https://github.com/cilium/cilium/issues/37380), [@​giorio94](https://github.com/giorio94)) - gh: harmonize lvh kernel naming scheme (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​37322](https://github.com/cilium/cilium/issues/37322), [@​julianwiedmann](https://github.com/julianwiedmann)) - gh: update removed --loglevel option for kind (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​36935](https://github.com/cilium/cilium/issues/36935), [@​julianwiedmann](https://github.com/julianwiedmann)) - gha: fix retrieval of DNS server in conformance external workloads (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​37361](https://github.com/cilium/cilium/issues/37361), [@​giorio94](https://github.com/giorio94)) - gha: Retrieve eks supported version via aws cli (Backport PR [#​37224](https://github.com/cilium/cilium/issues/37224), Upstream PR [#​37210](https://github.com/cilium/cilium/issues/37210), [@​sayboras](https://github.com/sayboras)) - Modify bpftrace script in CI to ignore proxy traffic if destination is outside pod CIDRs. (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​36364](https://github.com/cilium/cilium/issues/36364), [@​smagnani96](https://github.com/smagnani96)) - Skip tracking unmarked plain-text TCP RST packets generated from proxy timeouts in the CI bpftrace script. (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​36962](https://github.com/cilium/cilium/issues/36962), [@​smagnani96](https://github.com/smagnani96)) - test: Move demo-httpd from Docker to Quay (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​37149](https://github.com/cilium/cilium/issues/37149), [@​joestringer](https://github.com/joestringer)) - test: Move the dind image to Quay to avoid rate-limiting (Backport PR [#​37442](https://github.com/cilium/cilium/issues/37442), Upstream PR [#​37388](https://github.com/cilium/cilium/issues/37388), [@​pchaigno](https://github.com/pchaigno)) **Misc Changes:** - \[v1.15] deps: bump grpc-go to v1.64.1 ([#​37628](https://github.com/cilium/cilium/issues/37628), [@​ferozsalam](https://github.com/ferozsalam)) - \[v1.15] docs: Update requirements.txt dependencies ([#​37619](https://github.com/cilium/cilium/issues/37619), [@​joestringer](https://github.com/joestringer)) - chore(deps): update actions/setup-go action to v5.3.0 (v1.15) ([#​37118](https://github.com/cilium/cilium/issues/37118), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​37101](https://github.com/cilium/cilium/issues/37101), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​37245](https://github.com/cilium/cilium/issues/37245), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​37508](https://github.com/cilium/cilium/issues/37508), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37034](https://github.com/cilium/cilium/issues/37034), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37344](https://github.com/cilium/cilium/issues/37344), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​37665](https://github.com/cilium/cilium/issues/37665), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.24 (v1.15) ([#​37339](https://github.com/cilium/cilium/issues/37339), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.6 (v1.15) ([#​37216](https://github.com/cilium/cilium/issues/37216), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.0 (v1.15) ([#​37507](https://github.com/cilium/cilium/issues/37507), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.17.1 (v1.15) ([#​37590](https://github.com/cilium/cilium/issues/37590), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/little-vm-helper to v0.0.20 (v1.15) ([#​37217](https://github.com/cilium/cilium/issues/37217), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/little-vm-helper to v0.0.23 (v1.15) ([#​37506](https://github.com/cilium/cilium/issues/37506), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency protocolbuffers/protobuf to v29 (v1.15) ([#​37509](https://github.com/cilium/cilium/issues/37509), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.11 (v1.15) ([#​37046](https://github.com/cilium/cilium/issues/37046), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.23.6 (v1.15) ([#​37498](https://github.com/cilium/cilium/issues/37498), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/certgen docker tag to v0.1.17 (v1.15) ([#​37100](https://github.com/cilium/cilium/issues/37100), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.31.5-1737535524-fe8efeb16a7d233bffd05af9ea53599340d3f18e (v1.15) ([#​37202](https://github.com/cilium/cilium/issues/37202), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - doc(glossary): Geneve as final RFC (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​37316](https://github.com/cilium/cilium/issues/37316), [@​alagoutte](https://github.com/alagoutte)) - doc: eks cluster restriction removed (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37043](https://github.com/cilium/cilium/issues/37043), [@​viktor-kurchenko](https://github.com/viktor-kurchenko)) - doc: Removed nodeinit from aks byocni install (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​37048](https://github.com/cilium/cilium/issues/37048), [@​PhilipSchmid](https://github.com/PhilipSchmid)) - docs: Add SNI policy example (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37234](https://github.com/cilium/cilium/issues/37234), [@​sayboras](https://github.com/sayboras)) - docs: pass current_version to html_context (Backport PR [#​37173](https://github.com/cilium/cilium/issues/37173), Upstream PR [#​37008](https://github.com/cilium/cilium/issues/37008), [@​ayuspin](https://github.com/ayuspin)) - Fix API generation and add trusted dependencies to renovate config (Backport PR [#​37646](https://github.com/cilium/cilium/issues/37646), Upstream PR [#​36957](https://github.com/cilium/cilium/issues/36957), [@​aanm](https://github.com/aanm)) - images/builder: let renovate update protoc and proto plugins (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​32739](https://github.com/cilium/cilium/issues/32739), [@​rolinh](https://github.com/rolinh)) - images: don't assume Dockerfile directory in builder/runtime update scripts (Backport PR [#​37376](https://github.com/cilium/cilium/issues/37376), Upstream PR [#​34488](https://github.com/cilium/cilium/issues/34488), [@​tklauser](https://github.com/tklauser)) - Remove outdated roadmap matrix and links to it (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​37170](https://github.com/cilium/cilium/issues/37170), [@​xmulligan](https://github.com/xmulligan)) - renovate: add fix grpc-go autodetection (Backport PR [#​37281](https://github.com/cilium/cilium/issues/37281), Upstream PR [#​33570](https://github.com/cilium/cilium/issues/33570), [@​aanm](https://github.com/aanm)) **Other Changes:** - \[v1.15] envoy: Bump envoy version to v1.31.x ([#​37161](https://github.com/cilium/cilium/issues/37161), [@​sayboras](https://github.com/sayboras)) - \[v1.15] gha: Retrieve eks supported version via aws cli ([#​37230](https://github.com/cilium/cilium/issues/37230), [@​sayboras](https://github.com/sayboras)) - chore(deps): update go to v1.23.5 (v1.15) ([#​37197](https://github.com/cilium/cilium/issues/37197), [@​sayboras](https://github.com/sayboras)) - Cilium avoids running out of space in policy maps by cleaning up entries in specific cases previously missed. ([#​36884](https://github.com/cilium/cilium/issues/36884), [@​bimmlerd](https://github.com/bimmlerd)) - gha: Fix feature test artifact upload ([#​37205](https://github.com/cilium/cilium/issues/37205), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.13 ([#​37153](https://github.com/cilium/cilium/issues/37153), [@​cilium-release-bot](https://github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.15.14@​sha256:f9599990748b0065990154dce0fc0ebec6baef55fd2125c9b710e03f61c7f4e6` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.15.14@​sha256:1821eaa3597c3ec24fbc5b50e3dfb48358bc15e9104c3e3422da474052821f5b` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.15.14@​sha256:ba840a1c16a0989b74f1bc4057c5630be9a290c64d6cfc00664ef39142da88b4` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.15.14@​sha256:e0445a89ca8e9089637c0914aa85f6f3305a80be3ddc68ad8bf4262e284654e7` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.15.14@​sha256:4434a0b36f558f5bb30b997b1c73e8cd9bce8dcc3fb27b86f43860cbab4aa12d` ##### operator-aws `quay.io/cilium/operator-aws:v1.15.14@​sha256:642dd93c60dd8e161ab5c523a13b872cbfee80b092029ae62b55979ac5639231` ##### operator-azure `quay.io/cilium/operator-azure:v1.15.14@​sha256:f6537984cce9df702ea6bc7acc37ccdc19e7c50d88eb716fb217dc2ab65a7081` ##### operator-generic `quay.io/cilium/operator-generic:v1.15.14@​sha256:f4a23024a6eb3cba7f1f4b65c79bc9e1e675787d04a12253df22dbf623b76825` ##### operator `quay.io/cilium/operator:v1.15.14@​sha256:ccdeb2b56005e565fd4bff895b80803a28029077bd27e1c4bbc05143dbc82925` ### [`v1.15.13`](https://github.com/cilium/cilium/releases/tag/v1.15.13): 1.15.13 [Compare Source](https://github.com/cilium/cilium/compare/1.15.12...1.15.13) ## Summary of Changes **Major Changes:** - Add feature tracking in Cilium agent as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​35852](https://github.com/cilium/cilium/issues/35852), [@​aanm](https://github.com/aanm)) - Add feature tracking in Cilium Operator as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36077](https://github.com/cilium/cilium/issues/36077), [@​aanm](https://github.com/aanm)) **Minor Changes:** - envoy: Use yaml format for bootstrap config (Backport PR [#​36864](https://github.com/cilium/cilium/issues/36864), Upstream PR [#​36820](https://github.com/cilium/cilium/issues/36820), [@​sayboras](https://github.com/sayboras)) - Reject CNP/CCNP with CIDR rules where CIDRGroupRef is used in combination with ExceptCIDRs ([#​36560](https://github.com/cilium/cilium/issues/36560), [@​pippolo84](https://github.com/pippolo84)) **Bugfixes:** - envoy: Configure internal address config based on IP family (Backport PR [#​36864](https://github.com/cilium/cilium/issues/36864), Upstream PR [#​36733](https://github.com/cilium/cilium/issues/36733), [@​sayboras](https://github.com/sayboras)) - metrics/features: remove reporting metrics' defaults by default (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36298](https://github.com/cilium/cilium/issues/36298), [@​aanm](https://github.com/aanm)) - ui: drop CORS headers from api response (Backport PR [#​36871](https://github.com/cilium/cilium/issues/36871), Upstream PR [#​35762](https://github.com/cilium/cilium/issues/35762), [@​geakstr](https://github.com/geakstr)) **CI Changes:** - \[v1.15] .github: Remove CI Fuzz workflow ([#​36642](https://github.com/cilium/cilium/issues/36642), [@​joestringer](https://github.com/joestringer)) - \[v1.15] gha: bump ubuntu version in conformance-externalworkloads ([#​36857](https://github.com/cilium/cilium/issues/36857), [@​giorio94](https://github.com/giorio94)) - \[v1.15] gha: use /test to trigger tests in stable branches ([#​36674](https://github.com/cilium/cilium/issues/36674), [@​giorio94](https://github.com/giorio94)) - \[v1.15] Unblock verifier test LVH image updates ([#​36689](https://github.com/cilium/cilium/issues/36689), [@​tklauser](https://github.com/tklauser)) - ci: fix job names for various ci workflows (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36397](https://github.com/cilium/cilium/issues/36397), [@​marseel](https://github.com/marseel)) - Extend the check-ipsec-leak bpftrace script to capture additional details of leaked packets (Backport PR [#​36783](https://github.com/cilium/cilium/issues/36783), Upstream PR [#​33398](https://github.com/cilium/cilium/issues/33398), [@​giorio94](https://github.com/giorio94)) - gh: e2e-upgrade: de-renovate the config example (Backport PR [#​36638](https://github.com/cilium/cilium/issues/36638), Upstream PR [#​36463](https://github.com/cilium/cilium/issues/36463), [@​julianwiedmann](https://github.com/julianwiedmann)) - gha: correctly downgrade to patch release in ipsec workflows (Backport PR [#​36985](https://github.com/cilium/cilium/issues/36985), Upstream PR [#​36858](https://github.com/cilium/cilium/issues/36858), [@​giorio94](https://github.com/giorio94)) - gha: merge artifacts in net-perf-gke workflow (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36236](https://github.com/cilium/cilium/issues/36236), [@​giorio94](https://github.com/giorio94)) - gha: Use ubuntu-24.04 for integration-test (Backport PR [#​36660](https://github.com/cilium/cilium/issues/36660), Upstream PR [#​36628](https://github.com/cilium/cilium/issues/36628), [@​sayboras](https://github.com/sayboras)) - Use Clang from cilium-builder image to build BPF code in CI (Backport PR [#​36871](https://github.com/cilium/cilium/issues/36871), Upstream PR [#​31754](https://github.com/cilium/cilium/issues/31754), [@​gentoo-root](https://github.com/gentoo-root)) **Misc Changes:** - .github/workflows: always install cilium-cli (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36234](https://github.com/cilium/cilium/issues/36234), [@​aanm](https://github.com/aanm)) - .github/workflows: do not fail ginkgo if unable to fetch features (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36461](https://github.com/cilium/cilium/issues/36461), [@​aanm](https://github.com/aanm)) - .github: fix conformance-k8s NP test (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36355](https://github.com/cilium/cilium/issues/36355), [@​aanm](https://github.com/aanm)) - \[v1.15] Use bash syntax to consume env variable ([#​36634](https://github.com/cilium/cilium/issues/36634), [@​ferozsalam](https://github.com/ferozsalam)) - Add more features tracking in Cilium agent as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36078](https://github.com/cilium/cilium/issues/36078), [@​aanm](https://github.com/aanm)) - Add policy-related features tracking in Cilium agent as prometheus metrics (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36203](https://github.com/cilium/cilium/issues/36203), [@​aanm](https://github.com/aanm)) - build: Remove debug leftover from Makefile (Backport PR [#​36985](https://github.com/cilium/cilium/issues/36985), Upstream PR [#​36917](https://github.com/cilium/cilium/issues/36917), [@​gentoo-root](https://github.com/gentoo-root)) - chore(deps): update all github action dependencies (v1.15) ([#​36616](https://github.com/cilium/cilium/issues/36616), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) ([#​36951](https://github.com/cilium/cilium/issues/36951), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.15) (patch) ([#​36445](https://github.com/cilium/cilium/issues/36445), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​36613](https://github.com/cilium/cilium/issues/36613), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.15) ([#​36903](https://github.com/cilium/cilium/issues/36903), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.23 (v1.15) ([#​36891](https://github.com/cilium/cilium/issues/36891), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.5 (v1.15) ([#​36764](https://github.com/cilium/cilium/issues/36764), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.10 docker digest to [`1a6e657`](https://github.com/cilium/cilium/commit/1a6e657) (v1.15) ([#​36614](https://github.com/cilium/cilium/issues/36614), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - chore(deps): update stable lvh-images (v1.15) (patch) ([#​36765](https://github.com/cilium/cilium/issues/36765), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - docs: Clarify Identity-Relevant Labels description (Backport PR [#​36985](https://github.com/cilium/cilium/issues/36985), Upstream PR [#​36924](https://github.com/cilium/cilium/issues/36924), [@​joestringer](https://github.com/joestringer)) - docs: Clarify the behavior of CiliumNetworkPolicies toCIDRSet (Backport PR [#​36638](https://github.com/cilium/cilium/issues/36638), Upstream PR [#​36549](https://github.com/cilium/cilium/issues/36549), [@​verysonglaa](https://github.com/verysonglaa)) - Fix `make -C Documentation update-cmdref` when make uses `--jobserver-style=fifo`. (Backport PR [#​36871](https://github.com/cilium/cilium/issues/36871), Upstream PR [#​36788](https://github.com/cilium/cilium/issues/36788), [@​gentoo-root](https://github.com/gentoo-root)) - fix(deps): update module golang.org/x/net to v0.33.0 \[security] (v1.15) ([#​36712](https://github.com/cilium/cilium/issues/36712), [@​cilium-renovate](https://github.com/cilium-renovate)\[bot]) - ingress, gateway-api: Convert test fixtures to file based (Backport PR [#​36783](https://github.com/cilium/cilium/issues/36783), Upstream PR [#​36732](https://github.com/cilium/cilium/issues/36732), [@​sayboras](https://github.com/sayboras)) - metrics/features: enable ClusterMesh (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36402](https://github.com/cilium/cilium/issues/36402), [@​aanm](https://github.com/aanm)) - metrics/features: refactor metric names (Backport PR [#​36483](https://github.com/cilium/cilium/issues/36483), Upstream PR [#​36209](https://github.com/cilium/cilium/issues/36209), [@​aanm](https://github.com/aanm)) - Remove reference to DNS polling (Backport PR [#​36783](https://github.com/cilium/cilium/issues/36783), Upstream PR [#​36679](https://github.com/cilium/cilium/issues/36679), [@​JacobHenner](https://github.com/JacobHenner)) **Other Changes:** - \[v1.15] envoy: Demote expected initial fetch timeout warning to info level ([#​37014](https://github.com/cilium/cilium/issues/37014), [@​sayboras](https://github.com/sayboras)) - install: Update image digests for v1.15.12 ([#​36655](https://github.com/cilium/cilium/issues/36655), [@​cilium-release-bot](https…
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commits:
moving MARK_MAGIC_WG_ENCRYPTED check into a separate function: simple refactors of the check to reuse the function later;bpf:nat: skip SNAT in to-netdev for WireGuard traffic: similarly as we did in bpf: avoid SNAT tracking for overlay traffic #31082 for Overlay traffic, here we don't want our SNAT engine to track our wireguard-related traffic. This can happen when the node-to-node IPv4 address is equal to IPV4_MASQUERADE (example below), or equal to IPV4_DIRECT_ROUTING. The advantage is that in this case wg-encrypted traffic has already been marked, so we don't need additional logic.This has minor impact on the nat map, as prior to the patch we just noticed the two additional entries for Wireguard:
Differently than for the overlay, right now we're using the same well-known 51871 source and destination port, thus only
2 * node-to-node-combinationcould potentially be inserted in the map. Still, this helps preventing this.Part of: #34089