Add L2 announcement IPv6 support by msune · Pull Request #39648 · cilium/cilium

msune · 2025-05-20T23:30:36Z

This patchset adds L2 announcement IPv6 support.

Patchset:

23c6929a58 docs/l2_announcements: remove IPv6 limitation
08019f3ef8 pkg: add support for L2 IPv6 announcements
db22a4c2d4 pkg/datapath: garp->gneigh and implement ND adv.
234e1b4a76 pkg: add v6 L2 responder maps
98ee4c6ff3 Add mdlayher/ndp go package
71721fa802 bpf/test: add L2 announce IPv6 unit test
749f591e3f bpf: Add support for IPv6 L2 announcements
aa2dc65eec bpf/test/pktgen: add IPv6 {svc,ext}_one addresses
623417f1c4 bpf: rescope IPv6 MC helpers (sol. addr)

Depends on #39574 and #39579. Related/implements #34983.

Add L2 announcement IPv6 support

github-actions · 2025-06-20T02:11:07Z

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

maintainer-s-little-helper · 2025-06-20T06:55:00Z

Commit 0cc17e9 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

msune · 2025-06-26T17:15:24Z

OK, ready for review. I finally could spent some more time on it.

A couple of notes:

Besides the BPF unit tests, I've manually tested it using kind, both for targeted and non-targeted NDP NS.
Reviewers let me know if there is some more test coverage you think it's necessary, given the state of coverage for the v4.
So, with the current implementation (in main for v4), if for whatever reason the GARP can't be sent, the map is not populated with that entry, so it will never make it into the map unless there are changes. See this. Should we warn and continue? I didn't change this behaviour as part of the PR just yet.

@dylandreimerink I would appreciate if you could give it a run too.

muhlba91 · 2025-07-29T07:57:17Z

qq: will this be in the 1.18 release already?

msune · 2025-07-29T07:59:29Z

qq: will this be in the 1.18 release already?

Nope, 1.19.

RonaldPhilipsen · 2025-08-03T08:19:01Z

qq: will this be in the 1.18 release already?

Nope, 1.19.

Sad, I was really looking forward to enabling matter without relying on metallb

Either way, thanks for all the effort!

As part of cilium#39648 review, a bug was disovered in which l2_responder counters were 0ed during reconciliation. Fix it by making sure desiredMap contains old entries with satisfied=true so that counters are not 0ed, as per suggested by Dylan. Reported-by: Joe Stringer <[email protected]> Signed-off-by: Dylan Reimerink <[email protected]> Signed-off-by: Marc Suñé <[email protected]>

Infinoid · 2025-09-13T13:26:08Z

I tried this in the 1.19.0-pre.0 pre-release, and found that neighbor solications didn't get through to the cilium agent until I set the IFF_PROMISC flag on the ethernet interface. It seems the MAC filter doesn't know about advertised addresses, and won't let them through by default.

Was this expected? Once I ran ip link set <device> promisc on, everything seems to work great, but that's not on by default, and for good reason.

I don't know what's different between my test environment and all the other testing you guys have done.

msune · 2025-09-13T14:00:19Z

Was this expected? Once I ran ip link set promisc on, everything seems to work great, but that's not on by default, and for good reason.

No

It seems the MAC filter doesn't know about advertised addresses, and won't let them through by default.

The advertised MAC address for all the VIPs should be the node MAC address (on the NDP NA).

I don't know what's different between my test environment and all the other testing you guys have done.

Since you can repro, could you attach a sysdump + pcap with the NS/NA on the failure case?

It would be great if you could also attach a pwru trace. Something along the lines of:

sudo pwru 'host <VIP> and icmp6'

If you that doesn't catch the mcast NS, you can remove the host part and just attach here the relevant content of the VIP.

Infinoid · 2025-09-13T14:36:26Z

Since you can repro, could you attach a sysdump + pcap with the NS/NA on the failure case?

Sure. Here it is:
39648-nsna.pcap.gz

This is from running tshark -pni enp0s2 -w icmp6.pcap icmp6 on the cilium-agent's host node. I have filtered it to only include packets which involve the client machine's MAC address. (I don't see any broadcasts/multicasts, but let me know what else I should include/look for.)

As tshark was running, I tried and failed 3 times to run ndisc6 on the client side. Then I set IFF_PROMISC on the agent side, and the fourth time worked.

client logs running `ndisc6`

client logs:

% ndisc6 ingress.infinoid.oi tengig
Soliciting ingress.infinoid.oi (fd01:f00f:c7c8:2102:b8df:4123:ffff:0) on tengig...
Timed out.
Timed out.
Timed out.
No response.
% ndisc6 ingress.infinoid.oi tengig
Soliciting ingress.infinoid.oi (fd01:f00f:c7c8:2102:b8df:4123:ffff:0) on tengig...
Timed out.
Timed out.
Timed out.
No response.
% ndisc6 ingress.infinoid.oi tengig
Soliciting ingress.infinoid.oi (fd01:f00f:c7c8:2102:b8df:4123:ffff:0) on tengig...
Timed out.
Timed out.
Timed out.
No response.
% ndisc6 ingress.infinoid.oi tengig
Soliciting ingress.infinoid.oi (fd01:f00f:c7c8:2102:b8df:4123:ffff:0) on tengig...
Target link-layer address: 52:54:00:AC:16:13
 from fd01:f00f:c7c8:2102:b8df:4123:ffff:0
%

client/server network interfaces (`ip addr` output)

Client machine addresses:

6: tengig: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether 5e:30:79:ad:4c:34 brd ff:ff:ff:ff:ff:ff
    inet6 fd01:f00f:c7c8:2102::3/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fec0:0:80::3/64 scope site 
       valid_lft forever preferred_lft forever
    inet6 fe80::5c30:79ff:fead:4c34/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

Agent machine addresses:

2: enp0s2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:ac:16:13 brd ff:ff:ff:ff:ff:ff
    altname enx525400ac1613
    inet 172.22.0.13/24 brd 172.22.0.255 scope global enp0s2
       valid_lft forever preferred_lft forever
    inet 10.33.2.103/24 brd 10.33.2.255 scope global enp0s2
       valid_lft forever preferred_lft forever
    inet6 fd01:f00f:c7c8:2102::1003/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fec0:0:80::13/64 scope site 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feac:1613/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

It would be great if you could also attach a pwru trace.

I'm not familiar with pwru, but I will try it next.

Infinoid · 2025-09-13T14:43:17Z

I'm not familiar with pwru, but I will try it next.

This will take a little while, need to recompile kernel for CONFIG_KPROBES and CONFIG_PERF_EVENTS.

msune · 2025-09-13T15:46:33Z

Looking at the pcap capture, everything looks ok. The NDP Neighbour Solicitation is a Multicast one (untargeted), and both the node solicited MC v6 and MAC addresses are correct:

Target addr: fd01:f00f:c7c8:2102:b8df:4123:ffff:0
Node solicited MC MAC address: 33:33:ff:ff:00:00
Node solicited MC v6 address: ff02::1:ffff:0

These are also the MC addresses Cilium expects.

So the first thing that comes to mind is that since the kernel doesn't consider service VIPs as "theirs" (their are not assigned to any interface), it configures physical NICs to filter all Node Solicited MAC addresses that don't belong to an IP address assigned ~~to that interface~~ in the host NS. This is consistent with:

and found that neighbor solications didn't get through to the cilium agent until I set the IFF_PROMISC flag on the ethernet interface

At the end of the day this is the reason for the NS MAC addresses to exist. This is not the behaviour I've seen on virtual interfaces, though. Can I ask which NIC do you use on the server side?

Can you try flipping to 1 the flag net.ipv6.conf.enp0s2.proxy_ndp without IFF_PROMISC, and see if it makes a difference? Also make sure to wipe out the NDP cache on the client side to make sure the NDP NS is untargeted:

sudo ip -6 neigh flush dev <dev>

or if you traffic flowing a more targeted flush:

sudo ip -6 neigh del <ip6> dev <dev>

Infinoid · 2025-09-13T16:20:44Z

At the end of the day this is the reason for the NS MAC addresses to exist. This is not the behaviour I've seen on virtual interfaces, though. Can I ask which NIC do you use on the server side?

It's virtio_net. It's a qemu VM, with the host bridging the VM's tap device with an r8169 NIC. (There is no filtering done at that level; if there were, the VM's promisc flag wouldn't affect it.)

Can you try flipping to 1 the flag net.ipv6.conf.enp0s2.proxy_ndp without IFF_PROMISC, and see if it makes a difference? Also make sure to wipe out the NDP cache on the client side to make sure the NDP NS is untargeted:

I tried it; it had no effect. IFF_PROMISC is still required.

Still working on pwru. I think it doesn't have the right BTF debugging data. I'll post an update if I get it working.

Until now I've been using metallb with a similar configuration, and that worked. I am looking forward to replacing it with cilium! 😄

Infinoid · 2025-09-13T17:05:05Z

I'll post an update if I get it working.

Ok, got it working. Here's what I did:

booted the node
ran sudo ./pwru --output-file pwru-out.txt 'host fd01:f00f:c7c8:2102:b8df:4123:ffff:0 and icmp6'
waited for the cilium pods to start up properly
repeatedly deleted the l2 announcements lease until it went to the right node
reran the same ndisc6 test I did above
it failed 3 times, as before
ran sudo ip link set enp0s2 promisc on
ndisc6 worked the 4th time
and pwru generated some output

Unfortunately, it looks like pwru didn't see anything at all until IFF_PROMISC was enabled. Here's what it did see:

pwru-out.txt

msune · 2025-09-13T17:07:22Z

Unfortunately, it looks like pwru didn't see anything at all until IFF_PROMISC was enabled. Here's what it did see:

And you say that with the very same exact setup (the QEMU VM), this works with MetalLB?

Infinoid · 2025-09-13T17:08:14Z

And you say that with the very same exact setup (the QEMU VM), this works with MetalLB?

Yes. MetalLB works without IFF_PROMISC when configured in the equivalent way.

msune · 2025-09-13T17:09:39Z

OK, I will have a closer look on Monday. Thx

Infinoid · 2025-09-13T20:00:10Z

I noticed that the mcast addresses 33:33:ff:ff:00:00 and ff02::1:ffff:0 are not in the ip maddr ls list.

multicast addresses

% ip maddr ls dev enp0s2
2:	enp0s2
	link  33:33:00:00:00:01
	link  33:33:00:00:00:02 users 2
	link  01:00:5e:00:00:01
	link  33:33:ff:ac:16:13
	link  01:80:c2:00:00:00
	link  01:80:c2:00:00:03
	link  01:80:c2:00:00:0e
	link  33:33:ff:00:00:13
	link  33:33:ff:00:10:03
	link  33:33:ff:00:00:00
	inet  224.0.0.1
	inet6 ff02::1:ff00:0 users 3
	inet6 ff02::1:ff00:1003
	inet6 ff02::1:ff00:13
	inet6 ff02::1:ffac:1613
	inet6 ff05::2
	inet6 ff01::2
	inet6 ff02::2
	inet6 ff02::1 users 2
	inet6 ff01::1

Adding the mcast MAC as a static address gets it working for me: ip maddr add 33:33:ff:ff:00:00 dev enp0s2. With that, IFF_PROMISC is no longer needed, and L2 announcements for ipv6 are working great! 🎆

msune · 2025-09-13T20:13:34Z

Adding the mcast MAC as a static address gets it working for me: ip maddr add 33:33:ff:ff:00:00 dev enp0s2. With that, IFF_PROMISC is no longer needed, and L2 announcements for ipv6 are working great! 🎆

This was my suspicion. Others had similar issues in the past, from glancing to issues in K8s and MetalLB projects.

I think it's because the bridge (on the host) does L2 MC snooping by default. You might not need to add that entry if you set multicast_snooping to 0 on the host:

echo 0 > /sys/class/net/br0/bridge/multicast_snooping

Anyway, we need to add these mcast addresses in the list from the Agent side. HW switches are likely doing L2 MC snooping in the context where L2 ANNOUNCEMENTS would be enabled. I will open a separate issue for this.

Thank you

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium](https://cilium.io/) ([source](https://github.com/cilium/cilium)) | minor | `1.18.6` → `1.19.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium)</summary> ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](cilium/cilium@1.18.6...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩 ⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@jrajahalme](https://github.com/jrajahalme)) - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@rgo3](https://github.com/rgo3), [@julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others, [@ldelossa](https://github.com/ldelossa), [@rgo3](https://github.com/rgo3), [@nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@oblazek](https://github.com/oblazek)) - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: ##### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3699 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cilium/cilium](https://github.com/cilium/cilium) | minor | `1.18.6` → `1.19.0` | --- ### Release Notes <details> <summary>cilium/cilium (cilium/cilium)</summary> ### [`v1.19.0`](https://github.com/cilium/cilium/releases/tag/v1.19.0): 1.19.0 [Compare Source](cilium/cilium@1.18.6...1.19.0) 🎉 **Release Announcement** 🎉: We are excited to announce the [Cilium 1.19.0](https://github.com/cilium/cilium/releases/tag/v1.19.0) release! A total of **2934 new commits** have been contributed to this release by a growing community of over **1010 developers** and over **23,600 GitHub stars**! 🤩 ⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP. See the [Upgrade Guide](https://docs.cilium.io/en/v1.19/operations/upgrade/#upgrade-notes) for more details. The full changelog can be found [here](https://github.com/cilium/cilium/blob/v1.19/CHANGELOG.md). Here are some of the highlights: - 🛡️ **Network Policy** - 🃏 **Multi-Level DNS Matches**: DNS Policies match pattern now support a wildcard prefix(*`**.`*) to match multilevel subdomain as pattern prefix. ([cilium/cilium#43420](cilium/cilium#43420), [@fristonio](https://github.com/fristonio)) - 📡 **Match New Protocols**: You can now match VRRP and IGMP protocols in host firewall rules. ([cilium/cilium#39872](cilium/cilium#39872), [@aditighag](https://github.com/aditighag); [cilium/cilium#41949](cilium/cilium#41949), [@kyounghunJang](https://github.com/kyounghunJang)) - ⛔ **Actively Deny Connections**: When Network Policies deny a connection, Cilium can return ICMPv4 "Destination unreachable" messages for a friendlier deny. ([cilium/cilium#41406](cilium/cilium#41406), [@antonipp](https://github.com/antonipp)) - 🌐 **Select Clusters Explicitly**: When network policy selectors don't explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster. ([cilium/cilium#40609](cilium/cilium#40609), [@MrFreezeex](https://github.com/MrFreezeex)) - 🔧 **Unlock Future Work**: This release brings several internal improvements to the network policy engine in preparation for features planned in the next Cilium minor release ([cilium/cilium#39906](cilium/cilium#39906), [@vipul-21](https://github.com/vipul-21); [cilium/cilium#42784](cilium/cilium#42784), [cilium/cilium#42896](cilium/cilium#42896), [@jrajahalme](https://github.com/jrajahalme)) - ⚠️ **Deprecate underutilized features**: To focus on solving common problems Cilium users face, this release deprecates the Kafka protocol match fields (beta), as well as the `ToRequires` and `FromRequires` policy fields. ([cilium/cilium#43167](cilium/cilium#43167), [@sayboras](https://github.com/sayboras); [cilium/cilium#40967](cilium/cilium#40967), [@TheBeeZee](https://github.com/TheBeeZee)) - 🔒 **Encryption & Authentication** - 🔐 **Encryption Strict Modes**: Both IPsec and WireGuard transparent encryption modes now support a "strict mode" to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode. ([cilium/cilium#39239](cilium/cilium#39239), [cilium/cilium#42115](cilium/cilium#42115), [@rgo3](https://github.com/rgo3), [@julianwiedmann](https://github.com/julianwiedmann)) - 🚇 **Ztunnel Beta**: You can enroll namespaces into Ztunnel, which enables TCP connections between workloads to be transparently encrypted and authenticated. ([cilium/cilium#42766](cilium/cilium#42766), [cilium/cilium#42819](cilium/cilium#42819), [cilium/cilium#43227](cilium/cilium#43227) and others, [@ldelossa](https://github.com/ldelossa), [@rgo3](https://github.com/rgo3), [@nddq](https://github.com/nddq)) - 👥 **Mutual Authentication**: The out-of-band [Mutual Authentication](https://docs.cilium.io/en/v1.19.0/network/servicemesh/mutual-authentication/mutual-authentication/) feature is now disabled by default, pending community feedback. If you have a requirement for mTLS, consider trying the new Ztunnel integration. ([cilium/cilium#42665](cilium/cilium#42665), [@christarazi](https://github.com/christarazi)) - ↪️ **Accelerate IPsec**: The IPsec encryption mode now supports BPF Host Routing for faster route lookups ([cilium/cilium#41997](cilium/cilium#41997), [@pchaigno](https://github.com/pchaigno)) - 🚠 **Networking** - 🚀 **BIG TCP in Tunnels**: Leverage upcoming Linux support for BIG TCP when communicating over UDP-based tunnels such as VXLAN and Geneve. ([cilium/cilium#43416](cilium/cilium#43416), [@gentoo-root](https://github.com/gentoo-root)) - 🥌 **Packetization-Layer Path MTU Discovery**: Detect maximum transmission unit (MTU) sizes for network paths using TCP. ([cilium/cilium#42012](cilium/cilium#42012), [cilium/cilium#43710](cilium/cilium#43710), [@tommyp1ckles](https://github.com/tommyp1ckles)) - 🚆 **IPv6 Underlay**: You can now choose IPv6 for the tunnel underlay address family on dual-stack clusters. ([cilium/cilium#40324](cilium/cilium#40324), [@pchaigno](https://github.com/pchaigno)) - 🏷️ **Multi-Pool IPAM is ready for wider use**: Update the Multi-Pool IPAM feature to work with IPsec and direct routing modes, and promote it from Beta to Stable. ([cilium/cilium#40460](cilium/cilium#40460), [cilium/cilium#42191](cilium/cilium#42191), [@pippolo84](https://github.com/pippolo84)) - 🎭 **More Configurable Masquerade**: IP Masquerade configuration can now be customized for traffic sent to nodes in other IP subnets, and addresses in IPAM pools can be excluded from masquerade ([cilium/cilium#37568](cilium/cilium#37568), [@behzad-mir](https://github.com/behzad-mir); [cilium/cilium#43380](cilium/cilium#43380), [@alimehrabikoshki](https://github.com/alimehrabikoshki)) - 🕸️ **Services and Service Mesh** - 📣 **Layer-2 Announcements**: Add support for Neighbor Discovery Advertisements for IPv6 Layer-2 Announcements. ([cilium/cilium#39648](cilium/cilium#39648), [@msune](https://github.com/msune)) - 🔁 **IPv6 Service Loopback**: Pods can now connect to themselves via a Kubernetes "loopback service" using IPv6. ([cilium/cilium#39594](cilium/cilium#39594), [@saiaunghlyanhtet](https://github.com/saiaunghlyanhtet)) - ⛩️ **Gateway API Enhancements**: Cilium's GAMMA support now includes support for using GRPCRoute as well as HTTPRoute. ([cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick)) - 🛣️ **Border Gateway Protocol (BGP)** - 🔌 **Advertise Addresses from Interfaces**: There's a new Interface BGP advertisement type that allows advertisement of IPs assigned on local interfaces. This can be useful for example in multi-homing setups, where a common node's loopback address can be advertised via multiple BGP sessions over different network interfaces. ([cilium/cilium#42469](cilium/cilium#42469), [@rastislavs](https://github.com/rastislavs)) - ✉️ **Override Source IP addresses**: You can override the auto-generated BGP session source IP with the IP address applied on the configured `sourceInterface` to allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle ([cilium/cilium#42583](cilium/cilium#42583), [@rastislavs](https://github.com/rastislavs)) - 🔁 **Withdraw Empty Routes**: Optionally withdraw BGP routes when a service has 0 endpoints, to allow balancing to a different DC/cluster with `externalTrafficPolicy=Cluster` ([cilium/cilium#40717](cilium/cilium#40717), [@oblazek](https://github.com/oblazek)) - ⚠️ **Move to `cilium.io/v2` API**: The support for the older `CiliumBGPPeeringPolicy` v1 API is now removed and should be replaced with v2 APIs. ([cilium/cilium#42278](cilium/cilium#42278), [@rastislavs](https://github.com/rastislavs)) - 🛰️ **Observability** - 🔬 **Trace IP Options**: Configure Cilium and Hubble to trace specific packets through the cluster using IP Options. ([cilium/cilium#41306](cilium/cilium#41306), [@Bigdelle](https://github.com/Bigdelle)) - 🚩 **Filter Encrypted Flows**: Filter flows when using the `hubble` command line to understand the encryption status of the traffic, either `--encrypted` or `--unencrypted`. ([cilium/cilium#43096](cilium/cilium#43096), [@SRodi](https://github.com/SRodi)) - 🔖 **Tag Drops with Policy Names**: Hubble v1.Events drop messages now include which Network Policy caused the drop. ([cilium/cilium#41693](cilium/cilium#41693), [@41ks](https://github.com/41ks)) - 🌅 **Performance and Scale** - ⚡ **Faster Network Policy Computation**: Improve Cilium resource usage for handling selectors in network policies. ([cilium/cilium#42008](cilium/cilium#42008), [@jrajahalme](https://github.com/jrajahalme); [cilium/cilium#42580](cilium/cilium#42580), [@odinuge](https://github.com/odinuge)) - 🔌 **More Efficient Connection Tracking**: Several improvements have been made to reduce the number of connections being tracked by Cilium, particularly when using Geneve, VXLAN or WireGuard. ([cilium/cilium#38782](cilium/cilium#38782), [@BenoitKnecht](https://github.com/BenoitKnecht); [cilium/cilium#41990](cilium/cilium#41990), [@bersoare](https://github.com/bersoare)) - 💾 **Better Scale in AWS**: Reduce memory usage for cilium-operator in large AWS environments with many resources. ([cilium/cilium#42529](cilium/cilium#42529), [@liyihuang](https://github.com/liyihuang)) - ⚙️ **Operations** - 📦 **Access Helm charts via Registry**: Helm charts are also available under `quay.io/cilium/charts/cilium` ([cilium/cilium#43624](cilium/cilium#43624), [@aanm](https://github.com/aanm)) - 📊 **Metrics Encryption**: Add TLS/mTLS support for Prometheus metrics exposed by the Cilium Operator. ([cilium/cilium#42077](cilium/cilium#42077), [@phuhung273](https://github.com/phuhung273)) - 🤖 **Easier Multi-Cluster install**: There's now support for auto-installing the Custom Resource Definitions (CRDs) for Multi-Cluster Services (MCS). ([cilium/cilium#40729](cilium/cilium#40729), [@MrFreezeex](https://github.com/MrFreezeex)) - 📜 **Simpler Certificate Management**: Streamline Cluster Mesh and Hubble certificate generation when using GitOps approaches. ([cilium/cilium#42298](cilium/cilium#42298), [@MrFreezeex](https://github.com/MrFreezeex)) - 🛠️ **Cilium dependencies** were updated to Kubernetes v1.35, Envoy v1.35, Gateway API v1.4, and GoBGP v3.37. ([cilium/cilium#43422](cilium/cilium#43422), [@aanm](https://github.com/aanm); [cilium/cilium#40569](cilium/cilium#40569), [@sayboras](https://github.com/sayboras); [cilium/cilium#41936](cilium/cilium#41936), [@youngnick](https://github.com/youngnick); [cilium/cilium#42824](cilium/cilium#42824), [@rastislavs](https://github.com/rastislavs)). - 🏠 **Community** - ❤️ **Production Case Studies**: Many end-users have stepped forward to tell their stories running Cilium in production. If your company wants to submit their case studies let us know. We would love to hear your feedback! - 📰 See studies with [Airbnb](https://youtu.be/7KHenRXNGAw?si=ldTS-X_W0svxo429\&t=546), [Cloudera](https://aws.amazon.com/blogs/migration-and-modernization/scaling-clouderas-development-environment-leveraging-amazon-eks-karpenter-bottlerocket-and-cilium-for-hybrid-cloud/),[ Cybozu](https://www.cncf.io/case-studies/cybozu/), [ESnet](https://www.cncf.io/case-studies/esnet/),[ Nutanix](https://www.cncf.io/case-studies/nutanix/), [OVHcloud](https://corporate.ovhcloud.com/en-gb/newsroom/news/ovhcloud-managed-kubernetes-service-standard-3az/), [TikTok](https://www.youtube.com/watch?v=y0qlhiKtDGo), [University of Wisconsin–Madison](https://www.cncf.io/case-studies/university-of-wisconsin-madison/). - 🇺🇸 **Atlanta Events**: The community gathered at [CiliumCon](https://www.youtube.com/playlist?list=PLDg_GiBbAx-mOnWuzd_NXoRfuW9HZAxeZ) and the [Cilium Developer Summit](https://github.com/cilium/dev-summits/blob/main/2025-NA/README.md) in Atlanta. - 🇳🇱 **Amsterdam Events**: Meet us at the upcoming [CiliumCon](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/) and [Cilium Developer Summit](https://github.com/cilium/dev-summits/tree/main/2026-EU) in Amsterdam, March 23-27. [Read more](https://cilium.io/blog/2026/01/23/cilium-at-kubecon-eu-2026/) about where to find Cilium during the show. - 🔟 **Cilium is 10**: Read the [2025 Cilium Annual Report](https://www.cncf.io/wp-content/uploads/2025/12/cilium-annual-report-2025-final.pdf) to see the latest project milestones, a decade on from its first commit. To keep up to date with all the latest Cilium releases, join #release 🎉 :birthday::heart::heart::heart::birthday: This is a very special release for Cilium, as it celebrates **10 years** since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today. :birthday::heart::heart::heart::birthday: #### Docker Manifests ##### cilium `quay.io/cilium/cilium:v1.19.0@sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60` ##### clustermesh-apiserver `quay.io/cilium/clustermesh-apiserver:v1.19.0@sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49` ##### docker-plugin `quay.io/cilium/docker-plugin:v1.19.0@sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50` ##### hubble-relay `quay.io/cilium/hubble-relay:v1.19.0@sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4` ##### operator-alibabacloud `quay.io/cilium/operator-alibabacloud:v1.19.0@sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0` ##### operator-aws `quay.io/cilium/operator-aws:v1.19.0@sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6` ##### operator-azure `quay.io/cilium/operator-azure:v1.19.0@sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2a` ##### operator-generic `quay.io/cilium/operator-generic:v1.19.0@sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648` ##### operator `quay.io/cilium/operator:v1.19.0@sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3715 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 20, 2025

github-actions bot added the kind/community-contribution This was a contribution made by a community member. label May 20, 2025

This was referenced May 22, 2025

L2-announcements lack ipv6-support #28985

Closed

bpf: add IPv6 mcast addr helpers and cleanup #39579

Merged

github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Jun 20, 2025

msune force-pushed the l2_announce_ipv6_final branch from d7ce7b8 to 0cc17e9 Compare June 20, 2025 06:54

maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jun 20, 2025

msune force-pushed the l2_announce_ipv6_final branch from 0cc17e9 to 0c4682f Compare June 20, 2025 07:04

maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jun 20, 2025

msune force-pushed the l2_announce_ipv6_final branch 4 times, most recently from ed8bee9 to 636f517 Compare June 20, 2025 08:04

joestringer added release-note/major This PR introduces major new functionality to Cilium. dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs labels Jun 20, 2025

maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 20, 2025

github-actions bot removed the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Jun 21, 2025

msune force-pushed the l2_announce_ipv6_final branch from 636f517 to 23c6929 Compare June 26, 2025 16:56

msune marked this pull request as ready for review June 26, 2025 17:15

msune requested review from a team as code owners June 26, 2025 17:15

msune requested review from HadrienPatte and tommyp1ckles June 26, 2025 17:15

This was referenced Sep 4, 2025

Verifier error: program cil_from_netdev: load program: permission denied: invalid access to packet #41522

Closed

bpf: fix ICMPv6 NS (no llopt) csum and move IPv6 NDP unit tests to scapy #41578

Merged

msune mentioned this pull request Sep 15, 2025

L2 announce: MCAST neigh solicitation pkts targetting VIPs are dropped by some NICs #41678

Closed

3 tasks

Infinoid mentioned this pull request Oct 4, 2025

[helm] hubble-relay CrashLoopBackoff when agent pod IPs are IPv6 #42017

Open

3 tasks

dylandreimerink mentioned this pull request Jan 8, 2026

docs: Add IPv6 limitation note to L2 announcements page #43567

Closed

cilium-release-bot bot added this to cilium v1.19.0 Feb 3, 2026

cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026

rdrgmnzs mentioned this pull request Feb 12, 2026

L2 Announcement IPv6: Node doesn't join solicited-node multicast group for LoadBalancer IPs #44311

Open

3 tasks

renovate bot mentioned this pull request Feb 18, 2026

Update all minor dependencies blesswinsamuel/infra-base#73

Open

1 task

Conversation

msune commented May 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Jun 20, 2025

Uh oh!

maintainer-s-little-helper bot commented Jun 20, 2025

Uh oh!

msune commented Jun 26, 2025

Uh oh!

muhlba91 commented Jul 29, 2025

Uh oh!

msune commented Jul 29, 2025

Uh oh!

RonaldPhilipsen commented Aug 3, 2025

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

msune commented Sep 13, 2025

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

msune commented Sep 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

msune commented Sep 13, 2025

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

msune commented Sep 13, 2025

Uh oh!

Infinoid commented Sep 13, 2025

Uh oh!

msune commented Sep 13, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

msune commented May 20, 2025 •

edited

Loading

msune commented Sep 13, 2025 •

edited

Loading