Skip to content

[BPF] Remove support for kernels without BPF CO-RE#12128

Open
tomastigera wants to merge 5 commits intoprojectcalico:masterfrom
tomastigera:worktree-remove-legacy-bpf
Open

[BPF] Remove support for kernels without BPF CO-RE#12128
tomastigera wants to merge 5 commits intoprojectcalico:masterfrom
tomastigera:worktree-remove-legacy-bpf

Conversation

@tomastigera
Copy link
Contributor

@tomastigera tomastigera commented Mar 14, 2026
edited
Loading

Summary

With minimum kernel support moving to 5.10+, all supported kernels have BTF/CO-RE. This PR removes the legacy/CO-RE distinction entirely.

Legacy BPF removal:

  • Stop compiling non-CO-RE BPF object files (172 → 90 objects, ~50% reduction)
  • Remove runtime CO-RE/BTF detection (SupportsBTF(), BTFEnabled)
  • Remove legacy cgroup attach fallback (AttachCGroupLegacy, DetachCTLBProgramsLegacy)
  • Simplify config.BPFEnabled && bpfutils.BTFEnabledconfig.BPFEnabled
  • Remove all #ifdef BPF_CORE_SUPPORTED conditionals from BPF C code
  • Delete fib_legacy.h and remove -DBPF_CORE_SUPPORTED from build scripts
  • Remove _co-re suffix from all BPF object filenames
  • Clean up dead CO-RE fallback logic and unused parameters

Permanent load failure handling:

  • When a BPF program is rejected by the kernel verifier, cache the error and stop retrying
  • Report not-ready health with actionable message: "program rejected by kernel BPF verifier. Calico eBPF dataplane requires kernel 5.10+."
  • Classify load errors: only ENOMEM/EAGAIN/EBUSY are transient; everything else is permanent
ebpf: Require kernel 5.10+ with BTF/CO-RE support. Remove legacy BPF object files, runtime fallback paths, and conditional compilation. Report a clear health message when the kernel is too old.

Test plan

  • BPF unit tests pass (2027 tests)
  • Unit tests for permanent load failure handling
  • Felix FV tests (iptables mode)
  • Felix FV tests (BPF mode)
  • Felix FV tests (nftables mode)

🤖 Generated with Claude Code

@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Mar 14, 2026
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Mar 14, 2026
@tomastigera tomastigera changed the title Remove legacy (non-CO-RE) BPF object files Remove support for kernels without BPF CO-RE Mar 14, 2026
@tomastigera @claude
Remove legacy (non-CO-RE) BPF object files and fallback paths
9b8d3d1 
With minimum kernel support moving to 5.10+, all supported kernels have
BTF/CO-RE support. This removes legacy BPF compilation, runtime CO-RE
detection, and legacy cgroup attach fallback. Halves compiled BPF objects
from 172 to 90.

Stage 1 of legacy BPF removal - stage 2 will remove #ifdef
BPF_CORE_SUPPORTED conditionals from C code.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomastigera tomastigera force-pushed the worktree-remove-legacy-bpf branch from fe00415 to 9b8d3d1 Compare March 15, 2026 23:30
@tomastigera tomastigera changed the title Remove support for kernels without BPF CO-RE [BPF] Remove support for kernels without BPF CO-RE Mar 15, 2026
@tomastigera tomastigera mentioned this pull request Mar 15, 2026
Closed
3 tasks
tomastigera and others added 2 commits March 16, 2026 13:59
@tomastigera @claude
Remove BPF_CORE_SUPPORTED conditional compilation from C code
4507d56 
Stage 2: with CO-RE always available, remove all #ifdef
BPF_CORE_SUPPORTED conditionals from BPF C code, keeping only the
CO-RE paths. Delete fib_legacy.h entirely. Remove -DBPF_CORE_SUPPORTED
from build scripts since it's no longer checked.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomastigera @claude
Remove _co-re suffix from BPF object filenames
f7c5cf8 
Now that legacy (non-CO-RE) objects no longer exist, the _co-re
filename distinction is unnecessary. Remove it from all object names,
build rules, and Go filename generation. Also remove the dead CO-RE
fallback logic in hook/map.go.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomastigera tomastigera marked this pull request as ready for review March 16, 2026 23:07
@tomastigera tomastigera requested a review from a team as a code owner March 16, 2026 23:07
Copilot AI review requested due to automatic review settings March 16, 2026 23:07
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes Felix’s legacy (non-CO-RE) eBPF build/runtime paths, assuming a minimum kernel baseline where BTF/CO-RE is always available, and correspondingly simplifies object selection, attachment logic, and related tests/build scripts.

Changes:

  • Drop runtime CO-RE/BTF detection and remove legacy fallback logic for object loading and cgroup attachment/detachment.
  • Rename/simplify BPF object naming (removing _co-re variants) and update loaders/tests/scripts accordingly.
  • Remove legacy BPF C code paths and headers (e.g., fib_legacy.h) and simplify compile flags/build rules.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
felix/dataplane/linux/vxlan_mgr.go Simplifies VXLAN flow-based enablement condition to depend only on BPF enablement.
felix/dataplane/linux/int_dataplane.go Removes BTFEnabled gating for VXLAN-related BPF-mode behavior in dataplane setup.
felix/bpf/utils/utils.go Removes runtime BTF detection and replaces with a constant.
felix/bpf/ut/precompilation_test.go Updates expected precompiled object set to match new naming scheme (no _co-re).
felix/bpf/ut/bpf_prog_test.go Updates unit-test object naming logic to remove _co-re suffix handling.
felix/bpf/ut/attach_test.go Removes legacy CTLB attach unit test.
felix/bpf/tc/defs/defs.go Simplifies ProgFilename by removing the btf parameter and _co-re name component.
felix/bpf/nat/connecttime.go Removes CTLB legacy attach/detach fallback paths and _co-re filename selection.
felix/bpf/libbpf/libbpf_stub.go Removes legacy-attach related stubs.
felix/bpf/libbpf/libbpf_api.h Removes C helper functions used only for legacy CTLB detach/attach.
felix/bpf/libbpf/libbpf.go Removes Go legacy CTLB detach/attach implementations.
felix/bpf/hook/map.go Removes runtime fallback from CO-RE object load to non-CO-RE object load.
felix/bpf/hook/load.go Updates object filename initialization to match new naming and ProgFilename signature.
felix/bpf/conntrack/bpf_scanner.go Updates conntrack cleanup object filename to new naming (no _co-re).
felix/bpf-gpl/tc.c Removes #ifndef BPF_CORE_SUPPORTED fragmentation denial path.
felix/bpf-gpl/skb.h Removes BPF_CORE_SUPPORTED conditional compilation branches.
felix/bpf-gpl/parsing.h Removes BPF_CORE_SUPPORTED conditional compilation around XDP helper selection.
felix/bpf-gpl/log.h Removes legacy bpf_log formatting branch; keeps CO-RE style.
felix/bpf-gpl/list-ut-objs Updates UT object list generation to match new filenames (no _co-re).
felix/bpf-gpl/list-objs Updates object list generation to only emit new filenames (no _co-re variants).
felix/bpf-gpl/ip_v4_fragment.h Removes BPF_CORE_SUPPORTED guards around fragment handling helpers.
felix/bpf-gpl/fib_legacy.h Deletes legacy FIB implementation header.
felix/bpf-gpl/fib.h Removes conditional include; always includes CO-RE FIB implementation.
felix/bpf-gpl/connect_balancer_v6.c Removes BPF_CORE_SUPPORTED conditional debug formatting.
felix/bpf-gpl/connect_balancer_v46.c Removes BPF_CORE_SUPPORTED conditional debug formatting.
felix/bpf-gpl/calculate-flags Stops defining BPF_CORE_SUPPORTED based on filename/test builds.
felix/bpf-gpl/bpf.h Removes BPF_CORE_SUPPORTED conditional debug formatting macros.
felix/bpf-gpl/Makefile Removes _co-re build rules and stops defining BPF_CORE_SUPPORTED in dependency generation/UT flags.
felix/CLAUDE.md Updates documentation to remove references to removed legacy header(s).
Comments suppressed due to low confidence (1)

felix/bpf-gpl/ip_v4_fragment.h:196

  • The comment has a typo: "woul dnot" should be "would not".
	 * verifier would not verify the code correctly and woul dnot accept it.
	 */

tomastigera and others added 2 commits March 16, 2026 21:21
@tomastigera @claude
Clean up unused parameters left over from legacy removal
2eaffb3 
- Remove unused udpNotSeen/excludeUDP params from attachProgram()
- Remove unused ipv4Enabled/cgroupv2 params and numLinksDetached
  from detachCtlbPrograms()
- Remove dead BTFEnabled constant from bpf/utils

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomastigera @claude
Stop retrying BPF program loads on permanent failure
2517272 
When a BPF program is rejected by the kernel verifier (e.g. kernel too
old), cache the error and stop retrying. Report a clear health message:
"program rejected by kernel BPF verifier. Calico eBPF dataplane requires
kernel 5.10+."

- Add ErrPermanentLoadFailure sentinel and IsPermanentLoadFailure()
  classifier in hook/map.go (transient: ENOMEM/EAGAIN/EBUSY; all else
  permanent)
- Cache permanent errors in program struct; return immediately on
  subsequent LoadObj calls
- In bpf_ep_mgr: detect permanent failure, remove interface from dirty
  set, report not-ready health with actionable message
- Add unit tests for data interface and workload interface paths

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-pr-required Change is not yet documented release-note-required Change has user-facing impact (no matter how small)

Projects

None yet

Milestone

Calico v3.32.0

Development

Successfully merging this pull request may close these issues.

3 participants

@tomastigera @marvin-tigera