Skip to content

eBPF: fix that local workload with borrowed IPs lose connectivity #11640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fasaxc wants to merge 3 commits into
base: master
Choose a base branch
from
Open

eBPF: fix that local workload with borrowed IPs lose connectivity #11640

fasaxc wants to merge 3 commits into from
+78 −10

Conversation

@fasaxc
Copy link
Member

@fasaxc fasaxc commented Jan 9, 2026
edited
Loading

Description

The old condition checked that the "borrowed" flag was false before checking if the route was a workload. There's no reason that a local workload can't have a borrowed IP, so this was a bug.

We now have an explicit "really a local WEP" flag; use that explicitly to avoid confusion with the informational flags (where multiple flags can be set for borrowed IPs).

Related issues/PRs

CORE-12198

Todos

  • Tests
  • Documentation
  • Release note

Release Note

eBPF: fix that local workload with borrowed IPs lose connectivity

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@fasaxc fasaxc added release-note-required Change has user-facing impact (no matter how small) docs-not-required Docs not required for this change kind/regression changed behaviour between versions cherry-pick-candidate labels Jan 9, 2026
@fasaxc fasaxc force-pushed the fix-borrowed-local-wl-route branch 2 times, most recently from ef1074c to 4365382 Compare January 12, 2026 10:19
@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Jan 12, 2026
@fasaxc fasaxc force-pushed the fix-borrowed-local-wl-route branch from 4365382 to 84f1a27 Compare January 12, 2026 10:20
fasaxc added 2 commits January 12, 2026 10:50
@fasaxc
Add FV test for local workload with borrowed IP.
d32015b 
Fails due to bug.
@fasaxc
eBPF: fix that local workload with borrowed IPs lose connectivity
6afa792 
The old condition checked that the "borrowed" flag was false before
checking if the route was a workload.  There's no reason that a local
workload can't have a borrowed IP, so this was a bug.

We now have an explicit "really a local WEP" flag; use that explicitly
to avoid confusion with the informational flags (where multiple flags
can be set for borrowed IPs).
@fasaxc fasaxc force-pushed the fix-borrowed-local-wl-route branch from 84f1a27 to 6afa792 Compare January 12, 2026 10:50
@fasaxc fasaxc marked this pull request as ready for review January 12, 2026 10:53
@fasaxc fasaxc requested a review from a team as a code owner January 12, 2026 10:53
Copilot AI review requested due to automatic review settings January 12, 2026 10:53
Copilot AI reviewed Jan 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a bug where local workloads with borrowed IPs would lose connectivity in eBPF mode. The issue was that the old code incorrectly excluded routes for local workloads if they had borrowed IPs. The fix introduces an explicit LocalWorkload flag to distinguish actual workload endpoints from IPAM blocks, avoiding confusion with the informational Borrowed flag.

Changes:

  • Refactored route classification logic to use explicit LocalWorkload flag instead of checking multiple conditions
  • Added comprehensive test coverage for borrowed workload IPs scenario
  • Improved code clarity with better comments explaining the borrowed IP handling

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
felix/calc/l3_route_resolver.go Sets LocalWorkload flag explicitly for local workload endpoints to disambiguate from IPAM blocks
felix/dataplane/linux/bpf_route_mgr.go Refactored route handling to check GetLocalWorkload() first, then handle IPAM blocks separately
felix/fv/routing_test.go Added new test case for borrowed workload IPs and refactored description strings; contains a bug on line 889
felix/routetable/routeclass_string.go Auto-generated code update from stringer tool

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@caseydavenport caseydavenport caseydavenport approved these changes

Assignees

No one assigned

Labels

cherry-pick-candidate docs-not-required Docs not required for this change kind/regression changed behaviour between versions release-note-required Change has user-facing impact (no matter how small)

Projects

None yet

Milestone

Calico v3.32.0

Development

Successfully merging this pull request may close these issues.

3 participants

@fasaxc @caseydavenport @marvin-tigera