Martynas Pumputis

Results 268 comments of Martynas Pumputis

From the tcpdump looks like a stale CT issue (TCP SYN ACK has the wrong src IP addr):

```
08:56:35.441515 IP 10.2.5.68.54088 > 10.2.5.140.80: Flags [S], seq 4187745149, win 64240,...
```

I would keep it here to serve as a warning that no ci-e2e workflow runs on a VM with nftables.

@ArsenyBelorukov Thanks for the report. @christarazi @ldelossa We should start the BGP announcer after the datapath has been regenerated. Yet another use case for a proper init system in the...

@ldelossa It depends whether the datapath init is async. If so, then we should signal the daemon once all bpf_host instances have been reloaded. Otherwise, yes, placing the BGP init...

Requiring socket-LB for BPF masq hides two problems:

1. Unexpected SNAT of a reply packet to a pod in host netns when running in the tunneling mode. The culprit of...

> One question, if all pod->node traffic goes through tunnel, how can a pod talk to nodeport?

Grep for `nodeport_lb` in `bpf_overlay.c` (NodePort BPF should be enabled on a tunnel...

> For host->clusterIP, I think it should go through tunnels in both ways so I don't think (1) matters here.

Yes, just you will need to remove the following `ifndef`:...

> Is bpf-lb-sock-hostns-only: true also required, or will kata+kube-proxy free not work currently?

It's required for Kata containers to access K8s services. Please keep in mind that since opening this...

> Specifically [here](https://docs.cilium.io/en/latest/network/kubernetes/kata/) the docs indicate that kube-proxy-replacement must be disabled

Thanks for pointing this out. We will update the docs. UPDATE - https://github.com/cilium/cilium/pull/33725.

> I also don't really understand...