New features:

• (#832). tap: allow for a tap device to be created as a bridge port
• (#914). [tuning] add ability to set tx queue len

Improvements:

• (#969). Add CNI_NETNS_OVERRIDE
• (#979). Add ndisc_notify in ipvlan for ipv6 ndp
• (#974). macvlan: enable ipv6 ndisc_notify
• (#950). Create IPAM files with 0600 permissions
• (#924). More efficient iptables usage.
• (#902). spoofcheck: Make use of go-nft's ApplyConfigEcho(). This is much faster
• (#874). Add routes propagation for VRF plugin

Build:

• (#982). Bump to golang:1.21-alpine
• (#948). build: Use POSIX sh for shell scripts

Bug fixes:

• (#954). macvlan cmdDel: handle deletion when master has been deleted
• (#927). vrf: fix route filter to use output iface

This release introduces a new plugin: tap. Thanks to @mmirecki for contributing this

New features:

• (#784). tap: This PR adds a plugin to create tap devices.
• (#829). bridge: add vlan trunk support
• (#875). bridge: Add parameter to disable default vlan
• (#814). macvlan: Add support for in-container master
• (#813). ipvlan: Add support for in-container master
• (#781). vlan: Add support for in-container master

Improvements:

• (#880). bridge: read only required chain on cni del instead of the entire ruleset
• (#873). bridge, spoof check: remove drop rule index

Bug fixes:

• (#892). sbr: Ignore LinkNotFoundError during cmdDel null
• (#887). ptp: Fix ValidateExpectedRoute with non default routes and nil GW
• (#885). tuning: fix cmdCheck when using IFNAME
• (#831). Fix overwritten error var in getMTUByName
• (#821). Only check or del ipv6 when an IPv6 is configured

Changelog:

New plugins & features

• (#743). dummy: Create a Dummy CNI plugin that creates a virtual interface
• (#725). V2 API support for win-overlay CNI
• (#693). tuning Add sysctl allowList

Bug fixes

• (#809). bridge: refresh host-veth mac after port add
• (#802). Add IPv6 support for AddDefaultRoute
• (#779). Fix path substitution to enable setting sysctls on vlan interfaces
• (#782). host-local: fix bug on getting NextIP of addresses with first byte
• (#709). dhcp: Fix client id in renew/release

Improvements & Cleanups:

• (#772). portmap support masquerade all
• (#733). bridge: support IPAM DNS settings
• (#702). bridge: call ipam.ExecDel after clean up device in netns #702
• (#768). dhcp: Cleanup Socket and Pidfile on exit
• (#792). dhcp: Update Allocate method to reuse lease if present
• (#755). dhcp: Use the same options for acquiring, renewing lease
• (#730). tuning Check for duplicated sysctl keys
• (#739). build: support riscv64
• (#712). bug: return errors when iptables and ip6tables are unusable
• (#719). Make description for static plugin more exact

As always, many thanks to our contributors.

Plugins release v1.1.1

This is a patch release that fixes the following bugs in v1.1.0:

• #702 bridge: call ipam.ExecDel after clean up device in netns
• #709 ipam/dhcp: Fix client id in renew/release

v1.1.0 Changelog:

One minor-but-major change is that we no longer wait for IPv6 Duplicate
Address Detection to complete. This reduces execution time by 2 seconds.

New features:

• firewall: support ingressPolicy=(open|same-bridge) for isolating bridges as in Docker (#584)
• dhcp ipam: support customizing dhcp options from CNI args (#670)
• Allow setting sysctls on a particular interface (#669)
• bridge: Add macspoofchk support (#639).

Bug fixes:

• portmap: fix bug that new udp connection deletes all existing conntrack entries (#705)
• portmap: fix checkPorts result when chain does not exist (#707)
• dhcp: fixed DHCP problem that broke when fast retry was added (#681)
• ipvlan: Send Gratuitous ARP after IPs are set (#675)

Improvements

• host-device: Bring interfaces up after moving into container (#679)
• Explicitly Disable Duplicate Address Detection For Container Side Veth (#695)
• Replace arping package with arp_notify (#687)
• host-device: add ipam support for dpdk device (#642)

Other changes

• Ignore NetNS path errors on delete (#686)
• Fix confusing error msg invalid cidr (#638)

This release brings a number of new features, along with the usual
smattering of bug fixes and cleanups.

One minor-but-major change is that we no longer wait for IPv6 Duplicate
Address Detection to complete. This reduces execution time by 2 seconds.

New features:

• firewall: support ingressPolicy=(open|same-bridge) for isolating bridges as in Docker (#584)
• dhcp ipam: support customizing dhcp options from CNI args (#670)
• Allow setting sysctls on a particular interface (#669)
• bridge: Add macspoofchk support (#639).

Bug fixes:

• portmap: fix bug that new udp connection deletes all existing conntrack entries (#705)
• portmap: fix checkPorts result when chain does not exist (#707)
• dhcp: fixed DHCP problem that broke when fast retry was added (#681)
• ipvlan: Send Gratuitous ARP after IPs are set (#675)

Improvements

• host-device: Bring interfaces up after moving into container (#679)
• Explicitly Disable Duplicate Address Detection For Container Side Veth (#695)
• Replace arping package with arp_notify (#687)
• host-device: add ipam support for dpdk device (#642)

Other changes

• Ignore NetNS path errors on delete (#686)
• Fix confusing error msg invalid cidr (#638)

CNI Plugins v1.0.1 is here

This release adds support for CNI Spec v1.0. Additionally, it officially declares CNI as a stable project.

The Flannel CNI plugin has been moved to a separate project, and is no longer included here.

Changes since v1.0.0 🤦‍♂️

• plugins: fix bug where support for CNI version 0.4.0 or 1.0.0 was dropped

Changes since v0.9.1

⚠️ Breaking Changes

• plugins: remove flannel (#633). Flannel's CNI plugin now has its own repository

📈 New Features

• bridge: Add mac field to specify container iface mac (#636).
• (generic) Allow multiple routes to be added for the same prefix (#615). Enables ECMP.
• (sbr): Add multi IP support (#623).

✨ Other improvements

• (generic): place veth peer in host namspace directly (#645).
• (windows): refactor win-bridge, support HNSv2 (#617).
• (host-local): support ip/prefix in env args and CNI args (#630).
• (host-local): support custom IPs allocation through runtime configuraton (#599).
• (tuning): always update MAC in CNI result (#626).
• (tuning): Add support of altering the allmulticast flag (#624).

🐛 Bug Fixes

• host-local: remove redundant startRange in RangeIterator to avoid mismatching with startIP (#583). Fixes possible infinite loop.
• portmap: use slashes in sysctl template to support interface names which separated by dots (#589).
• pkg/ipam: convert dots to slashes in interface names for sysctl (#585).
• win-bridge: fix panic while calling HNS api (#590). fix a nil pointer panic while calling HNS API (V1) on win-bridge.
• [macvlan] Stop setting proxy-arp on macvlan interface (#586).

As always, thanks to our dedicated maintainers and contributors!

CNI Plugins v1.0.0 is here

This release adds support for CNI Spec v1.0. Additionally, it officially declares CNI as a stable project.

Changes since v0.9.1

⚠️ Breaking Changes

• plugins: remove flannel (#633). Flannel's CNI plugin now has its own repository

📈 New Features

• bridge: Add mac field to specify container iface mac (#636).
• (generic) Allow multiple routes to be added for the same prefix (#615). Enables ECMP.
• (sbr): Add multi IP support (#623).

✨ Other improvements

• (generic): place veth peer in host namspace directly (#645).
• (windows): refactor win-bridge, support HNSv2 (#617).
• (host-local): support ip/prefix in env args and CNI args (#630).
• (host-local): support custom IPs allocation through runtime configuraton (#599).
• (tuning): always update MAC in CNI result (#626).
• (tuning): Add support of altering the allmulticast flag (#624).

🐛 Bug Fixes

• host-local: remove redundant startRange in RangeIterator to avoid mismatching with startIP (#583). Fixes possible infinite loop.
• portmap: use slashes in sysctl template to support interface names which separated by dots (#589).
• pkg/ipam: convert dots to slashes in interface names for sysctl (#585).
• win-bridge: fix panic while calling HNS api (#590). fix a nil pointer panic while calling HNS API (V1) on win-bridge.
• [macvlan] Stop setting proxy-arp on macvlan interface (#586).

As always, thanks to our dedicated maintainers and contributors!

This is a minor update to the CNI plugins that bumps a few dependencies and includes some small behavior tweaks.

New behavior:

• DHCP timeout is configurable (#565).
• host-device: Add support for DPDK device (#490). Host-device plugin is a noop for DPDK devices

Fixes:

• vlan: fix error message text by removing ptp references (#566). Fixing a few error messages that the vlan plugin returns. These appear to be mistaken references to the ptp plugin.
• vlan: Fix error handling for delegate IPAM plugin (#568).
• deps: bump coreos/go-iptables (#563). Closes #544

Welcome to v0.9.0 of the CNI community plugins.

New Stuff

Thanks to @fedepaol, we have the VRF chained plugin, which will create a linux VRF device and move any interfaces in to it.

Behavior changes

• tuning: revert values on delete (#540). Useful when using the host-device plugin.

Bug fixes

• Delete stale UDP conntrack entries when adding new Portmaps to containers (#553).

Other improvements

• flannel: allow input ipam parameters as basis for delegate (#532).
• move off of Travis 😢
• we have a shiny new website: https://www.cni.dev
• ipvlan: make master config as optional (#534).

This is a minor release with some bugfixes and minor improvements:

New Features

• macvlan: set mac address from args and capabilities (#480).

Bugfixes & Cleanups

• flannel: remove net conf file after DEL succeed (#449).
• portmap should not perform deletions if not portMapping config received (#509).
• portmap: don't use unspecified address as iptables rule destination (#487).
• Fix race condition in GetCurrentNS (#523).
• firewall: fix generate of admin chain comment (#506).
• Fix handling of delay in acquiring lease with stp turned on (#501).
• host-device: Bring interfaces down before moving (#486).

This is a minor release with some bugfixes and small improvements

New features

• Support device id in host device plugin (#471).
• win-bridge: add support for portMappings capability (#475).
• Make host-device to work with virtio net device (#453).

Small improvements

• ptp, bridge: disable accept_ra on the host-side interface (#484).
• modify the error url of windowscontainer (#460).
• portmap: Apply the DNAT hairpin to the whole subnet (#469). The DNAT hairpin rule only allow the container itself to access the ports it is exposing thru the host IP. Other containers in the same subnet might also want to access this service via the host IP, so apply this rule to the whole subnet instead of just for the container.
• Unlock OS thread after netns is restored (#455).

Bugfixes

• plugins/meta/sbr: Adjusted ipv6 address mask to /128 (#479). A /64 mask was used which routed an entire cidr based on source, not only the bound address.
• check bridge's port state (#468). fix #463
• Reset the route flag before moving the rule (#472).
• replace juju/errors because of CNCF license scan (#458). ref to #457
• loopback: Fix ipv6 address checks (#442). Fixes a minor bug in loopback plugin. The IPv6 address check loops over IPv4 addresses.

As always, thanks to all the contributors.

This is a minor release prepared around a fix for #370

Bugfixes

• bridge: Fix for the case where kernel doesn't have CONFIG_BRIDGE_VLAN_FILTERING (#434) fixes #370.
• vlan: Fix vlan plugin returning error when device is already removed (#438).

Improvements

• sysctl: Improve support of sysctl name separators (#437).

This is a minor release in hurry for resolving flakiness in k8s CI through #421, and this release also includes some other enhancements and bugfixes.

Thanks to our contributors!

Enhancements:

• Support ips capability in static and mac capability in tuning (#343)

Bugfixes:

• ensure iptables chain creation is idempotent (#408)
• Portmap doesn't fail if chain doesn't exist (#421)

Docs:

• bridge: add missing cniVersion in README example (#428)

Tests and release:

• add support for mips64le (#433)

Organization:

• Add Bruce Ma and Piotr Skarmuk as owners (#412)

This is v0.8.3 of the CNI community plugins. This release has a number of enhancements and bugfxies.

Many thanks to our contributors who make CNI possible.

Enhancements:

• static: prioritize the input sources for IPs (#400).
• tuning: send gratuitous ARP in case of MAC address update (#403).
• bandwidth: use uint64 for Bandwidth value (#389).
• ptp: only override DNS conf if DNS settings provided (#388).
• loopback: When prevResults are not supplied to loopback plugin, create results to return (#383).
• loopback support CNI CHECK and result cache (#374).

Better input validation:

• vlan: add MTU validation to loadNetConf (#405).
• macvlan: add MTU validation to loadNetConf (#404).
• bridge: check vlan id when loading net conf (#394).

Bugfixes:

• bugfix: defer after err check, or it may panic (#391).
• portmap: Fix dual-stack support (#379).
• firewall: don't return error in DEL if prevResult is not found (#390).
• bump up libcni back to v0.7.1 (#377).

Tests:

• integration: fix ip address collision in integration tests (#409).
• testutils: newNS() works in a rootless user namespace (#401).
• Bump Go version (#386).
• Cleanup netns after test suite (#375).

Docs:

• contributing doc: revise test script name to run (#396).
• contributing doc: describe cnitool installation (#397).

This is a minor release of the CNI plugins. It includes some important bug fixes, as well as new features:

New features:

• Support "args" in static and tuning (#281).
• Add Loopback DSR support, allow l2tunnel networks to be used with the l2bridge plugin (#331).
• host-local: return error if same ADD request is seen twice (#328).
• bandwidth: fix collisions (#353).
• Support ips capability in static and mac capability in tuning (#343).
• pkg/veth: Make host-side veth name configurable. (#344).

Bug fixes:

• Fix: failed to set bridge addr: could not add IP address to "cni0": file exists (#366).
• host-device: revert name setting to make retries idempotent (#357).
• Vendor update go-iptables (#358). Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10
  Update go.mod & go.sub
• Remove link Down/Up in MAC address change to prevent route flush (#364).
• pkg/ip unit test: be agnostic of Linux version (#349). on Linux 4.4 the syscall error message is "invalid argument" not "file exists"
• bump containernetworking/cni to v0.7.1 (#341).

This is a bugfix release of the v0.7 train for CNI. It includes one change:

#369 Don't fail when two plugins try to configure the same address at the same time

This is a minor release that fixes some critical bugs in v0.8.0

Bugs

• bridge: fix ipMasq setup to use correct source address (#325).
• fix compilation error on 386 (#324).
• bandwidth: get bandwidth interface in host ns through container interface (#321). fixes #260

Improvements

• Release: bump go to v1.12 (#326).
• host-device: add pciBusID property (#300).

CNI v0.8.0

This is a major release of the CNI plugins. It includes

• support for CNI spec v0.4.0, which adds CHECK support
• 6 new plugins!

CHECK support enables container runtimes to validate that a container's network is still up and functioning properly. All of the official CNI plugins support CHECK.

New plugins:

• bandwidth - limit incoming and outgoing bandwidth (#96), (#138).
• firewall - add containers to firewall rules (#290).
• sbr - convert container routes to source-based routes (#212).
• static - assign a fixed IP address (#136), (#165).
• win-bridge, win-overlay: Windows plugins (#193), (#215).

Plugin features / changelog:

• CHECK Support (#264)

macvlan:

• Allow to configure empty ipam for macvlan (#307).
• Make master config optional (#298).

bridge:

• Add vlan tag to the bridge cni plugin (#231). Allow the user to assign VLAN tag.
• L2 bridge Implementation (#195).

dhcp:

• Include Subnet Mask option parameter in DHCPREQUEST (#284).
• Add systemd unit file to activate socket with systemd (#276).
• Add container ifName to the dhcp clientID, making the clientID value (#217).

flannel:

• Pass through runtimeConfig to delegate (#309).

host-local:

• host-local: add ifname to file tracking IP address used (#203).

host-device:

• Support the IPAM in the host-device (#220).
• Handle empty netns in DEL for loopback and host-device (#213).

tuning:

• adds 'ip link' command related feature into tuning (#177).

Bug fixes & minor changes

• Correctly DEL on ipam failure for all plugins (#314).
• Fix bug on ip revert if cmdAdd fails on macvlan and host-device (#301)
• host-device: Ensure device is down before rename (#147).
• Fix -hostprefix option (#268).
• some DHCP servers expect to request for explicit router options (#255).
• bridge: release IP in case of error (#129).
• change source of ipmasq rule from ipn to ip (#279)

Build fixes:

• test: add coveralls support (#288).
• plugins: correctly output build version, cosmetic cleanups (#295).
• Move Windows tests to Travis (#246).

Contributors

Many, many thanks to our contributors:
angelachin, astrieanna, bboreham, benmoss, BSWANG, daschott, databus23, dcbw, DennisDenuto, dongjun666, francares, hustcat, huynq0911, hwchiu, jellonek, jingax10, JoeWrightss, jzwlqx, liucimin, lsm5, lucab, m1093782566, mars1024, mauriciovasquezbernal, mccv1r0, mrostecki, nagiesek, ncdc, NeilW, plwhite, Random-Liu, rosenhouse, s1061123, sak0, saravanakumar-periyasamy, SchSeba, squeed, sufuf3, thxCode

This release takes a minor change to the portmap plugin:

• #269 Portmap: append, rather than prepend, entry rules

This fixes a potential issue where firewall rules may be bypassed by port mapping.