v1.17 Backports 2025-05-15 #39564

Merged
merged 10 commits into from
May 19, 2025

foyerunix and others added 10 commits May 15, 2025 18:38
[ upstream commit d3c80fa ]

Add a check for services whose protocol is "ANY" to close their UDP
connections too.

Fixes: #37577

Signed-off-by: foyerunix <foyerunix@foyer.lu>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit d70929b ]

The BPF_HAVE_NETNS_COOKIE macro doesn't exist in-tree, use the correct
spelling.

Looks like the PR that introduced this test conflicted with the renaming in
17a652b ("probes: remove 'BPF_' prefix from features macros").

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 1276096 ]

Add a section to talk about the native routing masquerading in the cloud
environment based on discussion
#39156 (comment)

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 6fbc035 ]

Signed-off-by: Camillo Rossi <camrossi@cisco.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 3a59bed ]

Setting both IDs and a maxresult parameter in a describe call input is
not possible, see [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html#api-pagination):

> If you call a describe API action with both a list of IDs and MaxResults, the request fails with the error InvalidParameterCombination.

Signed-off-by: Hadrien Patte <hadrien.patte@datadoghq.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 3fb8618 ]

We can no longer treat single-selector policies as wildcarding L3, as we
no longer have bpf datapath always performing policy enforcement before
cilium-envoy.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit d9c3afc ]

It's not required to validate traffic that is re-injected by the proxy
i.e. the original traffic was originally redirected to proxy, and then
came back.

With this change, there is more flexibility on setting the upstream
connection src IP from proxy.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 9394900 ]

During some other work I discovered that the whole active connection
tracking feature does not compile when enabled. Adding to the complexity
tests to add some compile coverage as regression test. Will fix the
actual issue in a subsequent commit.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 7c27078 ]

When both IPv6 and active connection tracking are enabled, we are unable
to compile, resulting in the following error:

```
./lib/lb.h:1071:21: error: use of undeclared identifier 'ct_state'
```

This is because in `lb6_local` the name of the variable is `state` not
`ct_state`. This issue seems to have been here since the introduction
of the feature and was never caught due to a lack of testing.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 9938f52 ]

The Cilium Operator logs are filled with attempts to retry updating
taints/conditions on nodes even if we can't get the node from the local
store due to node deletion. Skip retry in this case.

Signed-off-by: jshr-w <shjayaraman@microsoft.com>
Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
@nbusseneau added the labels kind/backports (This PR provides functionality previously merged into master.) and backport/1.17 (This PR represents a backport for Cilium 1.17.x of a PR that was merged to main.) May 15, 2025
@nbusseneau marked this pull request as ready for review May 15, 2025 20:53
@nbusseneau requested a review from a team as a code owner May 15, 2025 20:53
@sayboras (Member) left a comment

Thanks and looks good for my commit.

@nbusseneau (Member, Author)

/test

@HadrienPatte (Member) left a comment

LGTM

@nbusseneau added this pull request to the merge queue May 19, 2025
Merged via the queue into v1.17 with commit 26bd478 May 19, 2025
316 of 337 checks passed
@nbusseneau deleted the pr/v1.17-backport-2025-05-15-06-38 branch May 19, 2025 14:46
9 participants