Add Inline value to DNSPolicyMode table and mark default#2561
Add Inline value to DNSPolicyMode table and mark default#2561ctauchen merged 1 commit intotigera:mainfrom
Conversation
Add the new Inline DNSPolicyMode option to the hand-written felixconfig reference tables for CE 3.22+, CE 3.23+, CE latest, CC 22+, and CC latest. Also mark DelayDeniedPacket as the default. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview succeeded!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull request overview
Updates FelixConfiguration reference docs to reflect the new Inline DNSPolicyMode option and to explicitly mark the default DNSPolicyMode value in the enum table for the affected Calico Enterprise and Calico Cloud doc versions.
Changes:
- Add
Inlineas a documentedDNSPolicyModeenum value (positioned betweenDelayDNSResponseandNoDelay). - Mark
DelayDeniedPacketas the default value in theDNSPolicyModetable. - Apply the updates across targeted CE and CC versioned/unversioned doc sets.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| calico-enterprise_versioned_docs/version-3.23-1/reference/resources/felixconfig.mdx | Updates DNSPolicyMode enum table to include Inline and mark the default. |
| calico-enterprise_versioned_docs/version-3.22-2/reference/resources/felixconfig.mdx | Same DNSPolicyMode table updates for CE v3.22-2 docs. |
| calico-enterprise/reference/resources/felixconfig.mdx | Same DNSPolicyMode table updates for CE “latest/next” docs. |
| calico-cloud_versioned_docs/version-22-2/reference/resources/felixconfig.mdx | Same DNSPolicyMode table updates for CC v22-2 docs. |
| calico-cloud/reference/resources/felixconfig.mdx | Same DNSPolicyMode table updates for CC “latest/next” docs. |
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | |
There was a problem hiding this comment.
The Value cell includes the annotation “(default)”, which makes it no longer match the actual config value (DelayDeniedPacket). This can lead to invalid copy/paste into dnsPolicyMode. Consider keeping the Value column as the literal enum value and indicating the default separately (for example via a note below the table or a dedicated default indicator column).
| | Inline | Parses DNS response inline with DNS response packet processing within iptables. This guarantees the DNS rules reflect any change immediately. This mode works for iptables only and matches the same mode for `BPFDNSPolicyMode`. This setting is ignored on Windows and `NoDelay` is always used. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. |
There was a problem hiding this comment.
This section notes DNSPolicyMode is ignored on Windows/eBPF, but it doesn’t mention nftables. The generated Felix config param description in this repo states DNSPolicyMode has no effect in nftables mode and NFTablesDNSPolicyMode should be used instead. Please update the note here (or the table text) to reflect nftables behavior so users don’t assume this setting applies to nftables.
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. | |
| On Windows, when using the eBPF dataplane, or when using the nftables dataplane, this setting is ignored. Windows always uses `NoDelay`, while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option and nftables has its own `NFTablesDNSPolicyMode` option. |
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | |
There was a problem hiding this comment.
The Value cell includes the annotation “(default)”, which makes it no longer match the actual config value (DelayDeniedPacket). This can lead to invalid copy/paste into dnsPolicyMode. Consider keeping the Value column as the literal enum value and indicating the default separately (for example via a note below the table or a dedicated default indicator column).
| | Inline | Parses DNS response inline with DNS response packet processing within iptables. This guarantees the DNS rules reflect any change immediately. This mode works for iptables only and matches the same mode for `BPFDNSPolicyMode`. This setting is ignored on Windows and `NoDelay` is always used. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. |
There was a problem hiding this comment.
This section notes DNSPolicyMode is ignored on Windows/eBPF, but it doesn’t mention nftables. The generated Felix config param description in this repo states DNSPolicyMode has no effect in nftables mode and NFTablesDNSPolicyMode should be used instead. Please update the note here (or the table text) to reflect nftables behavior so users don’t assume this setting applies to nftables.
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. | |
| On Windows, when using the eBPF dataplane, or when using the nftables dataplane, this setting is ignored. Windows always uses `NoDelay`, eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option, and nftables uses [NFTablesDNSPolicyMode](#nftablesdnspolicymode). |
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | |
There was a problem hiding this comment.
The Value cell includes the annotation “(default)”, which makes it no longer match the actual config value (DelayDeniedPacket). This can lead to invalid copy/paste into dnsPolicyMode. Consider keeping the Value column as the literal enum value and indicating the default separately (for example via a note below the table or a dedicated default indicator column).
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | |
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. This is the default mode. | |
| | Inline | Parses DNS response inline with DNS response packet processing within iptables. This guarantees the DNS rules reflect any change immediately. This mode works for iptables only and matches the same mode for `BPFDNSPolicyMode`. This setting is ignored on Windows and `NoDelay` is always used. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. |
There was a problem hiding this comment.
This section notes DNSPolicyMode is ignored on Windows/eBPF, but it doesn’t mention nftables. The generated Felix config param description in this repo states DNSPolicyMode has no effect in nftables mode and NFTablesDNSPolicyMode should be used instead. Please update the note here (or the table text) to reflect nftables behavior so users don’t assume this setting applies to nftables.
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | |
There was a problem hiding this comment.
The Value cell includes the annotation “(default)”, which makes it no longer match the actual config value (DelayDeniedPacket). This can lead to invalid copy/paste into dnsPolicyMode. Consider keeping the Value column as the literal enum value and indicating the default separately (for example via a note below the table or a dedicated default indicator column).
| | Inline | Parses DNS response inline with DNS response packet processing within iptables. This guarantees the DNS rules reflect any change immediately. This mode works for iptables only and matches the same mode for `BPFDNSPolicyMode`. This setting is ignored on Windows and `NoDelay` is always used. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. |
There was a problem hiding this comment.
This section notes DNSPolicyMode is ignored on Windows/eBPF, but it doesn’t mention nftables. The generated Felix config param description in this repo states DNSPolicyMode has no effect in nftables mode and NFTablesDNSPolicyMode should be used instead. Please update the note here (or the table text) to reflect nftables behavior so users don’t assume this setting applies to nftables.
| | Value | Description | | ||
| | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| | DelayDeniedPacket | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | | ||
| | DelayDeniedPacket (default) | Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. | |
There was a problem hiding this comment.
The Value cell includes the annotation “(default)”, which makes it no longer match the actual config value (DelayDeniedPacket). This can lead to invalid copy/paste into dnsPolicyMode. Consider keeping the Value column as the literal enum value and indicating the default separately (for example via a note below the table or a dedicated default indicator column).
| | Inline | Parses DNS response inline with DNS response packet processing within iptables. This guarantees the DNS rules reflect any change immediately. This mode works for iptables only and matches the same mode for `BPFDNSPolicyMode`. This setting is ignored on Windows and `NoDelay` is always used. | | ||
| | NoDelay | Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. | | ||
|
|
||
| On Windows, or when using the eBPF dataplane, this setting is ignored. Windows always uses `NoDelay` while eBPF has its own [BPFDNSPolicyMode](#bpfdnspolicymode) option. |
There was a problem hiding this comment.
This section notes DNSPolicyMode is ignored on Windows/eBPF, but it doesn’t mention nftables. The generated Felix config param description in this repo states DNSPolicyMode has no effect in nftables mode and NFTablesDNSPolicyMode should be used instead. Please update the note here (or the table text) to reflect nftables behavior so users don’t assume this setting applies to nftables.
Summary
InlineDNSPolicyMode value to the hand-written felixconfig reference tablesDelayDeniedPacketas the default value in the tableDescription
The
Inlinemode parses DNS responses inline with DNS response packet processing within iptables, guaranteeing DNS rules reflect changes immediately. This mode works for iptables only and matches the same mode forBPFDNSPolicyMode. It is ignored on Windows whereNoDelayis always used.Test plan
🤖 Generated with Claude Code