netobserv · jotak · Nov 3, 2025 · Oct 30, 2025
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -161,6 +161,8 @@ func FlowsAgent(cfg *config.Agent) (*Flows, error) {
 	ebpfConfig := &tracer.FlowFetcherConfig{
 		EnableIngress:                  ingress,
 		EnableEgress:                   egress,
+		IngressTCXAnchor:               cfg.TCXAttachAnchorIngress,
+		EgressTCXAnchor:                cfg.TCXAttachAnchorEgress,
 		Debug:                          debug,
 		Sampling:                       cfg.Sampling,
 		CacheMaxSize:                   cfg.CacheMaxFlows,

diff --git a/pkg/agent/packets_agent.go b/pkg/agent/packets_agent.go
@@ -90,14 +90,16 @@ func PacketsAgent(cfg *config.Agent) (*Packets, error) {
 		})
 	}
 	ebpfConfig := &tracer.FlowFetcherConfig{
-		EnableIngress:  ingress,
-		EnableEgress:   egress,
-		Debug:          debug,
-		Sampling:       cfg.Sampling,
-		CacheMaxSize:   cfg.CacheMaxFlows,
-		EnablePCA:      cfg.EnablePCA,
-		UseEbpfManager: cfg.EbpfProgramManagerMode,
-		FilterConfig:   filterRules,
+		EnableIngress:    ingress,
+		EnableEgress:     egress,
+		IngressTCXAnchor: cfg.TCXAttachAnchorIngress,
+		EgressTCXAnchor:  cfg.TCXAttachAnchorEgress,
+		Debug:            debug,
+		Sampling:         cfg.Sampling,
+		CacheMaxSize:     cfg.CacheMaxFlows,
+		EnablePCA:        cfg.EnablePCA,
+		UseEbpfManager:   cfg.EbpfProgramManagerMode,
+		FilterConfig:     filterRules,
 	}
 
 	fetcher, err := tracer.NewPacketFetcher(ebpfConfig)

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -147,6 +147,18 @@ type Agent struct {
 	// TCAttachRetries defines the number of retries in case of attach/detach failures.
 	// Valid only for 'tc' and 'tcx' attach modes.
 	TCAttachRetries int `env:"TC_ATTACH_RETRIES" envDefault:"4"`
+	// TCXAttachAnchorIngress defines the anchor to use when attaching eBPF programs to interfaces using tcx mode for
+	// ingress.
+	// none (default): no specific anchor is used and the eBPF program is generally inserted at the end.
+	// head: eBPF program is inserted at the head.
+	// tail: eBPF program is inserted at the tail.
+	TCXAttachAnchorIngress string `env:"TCX_ATTACH_ANCHOR_INGRESS" envDefault:"none"`
+	// TCXAttachAnchorEgress defines the anchor to use when attaching eBPF programs to interfaces using tcx mode for
+	// egress.
+	// none (default): no specific anchor is used and the eBPF program is generally inserted at the end.
+	// head: eBPF program is inserted at the head.
+	// tail: eBPF program is inserted at the tail.
+	TCXAttachAnchorEgress string `env:"TCX_ATTACH_ANCHOR_EGRESS" envDefault:"none"`
 	// ListenInterfaces specifies the mechanism used by the agent to listen for added or removed
 	// network interfaces. Accepted values are "watch" (default) or "poll".
 	// If the value is "watch", interfaces are traced immediately after they are created. This is

diff --git a/pkg/tracer/tracer.go b/pkg/tracer/tracer.go
@@ -65,6 +65,12 @@ const (
 	constEnableIPsec                    = "enable_ipsec"
 )
 
+const (
+	tcxAnchorNone = "none"
+	tcxAnchorHead = "head"
+	tcxAnchorTail = "tail"
+)
+
 var log = logrus.WithField("component", "ebpf.FlowFetcher")
 var plog = logrus.WithField("component", "ebpf.PacketFetcher")
 
@@ -86,6 +92,8 @@ type FlowFetcher struct {
 	rttKprobeLink               link.Link
 	egressTCXLink               map[ifaces.InterfaceKey]link.Link
 	ingressTCXLink              map[ifaces.InterfaceKey]link.Link
+	egressTCXAnchor             link.Anchor
+	ingressTCXAnchor            link.Anchor
 	networkEventsMonitoringLink link.Link
 	nfNatManIPLink              link.Link
 	xfrmInputKretProbeLink      link.Link
@@ -100,6 +108,8 @@ type FlowFetcher struct {
 type FlowFetcherConfig struct {
 	EnableIngress                  bool
 	EnableEgress                   bool
+	IngressTCXAnchor               string
+	EgressTCXAnchor                string
 	Debug                          bool
 	Sampling                       int
 	CacheMaxSize                   int
@@ -369,6 +379,8 @@ func NewFlowFetcher(cfg *FlowFetcherConfig, m *metrics.Metrics) (*FlowFetcher, e
 		xfrmOutputKProbeLink:        xfrmOutputKProbeLink,
 		egressTCXLink:               egressTCXLink,
 		ingressTCXLink:              ingressTCXLink,
+		egressTCXAnchor:             tcxAnchor(cfg.EgressTCXAnchor),
+		ingressTCXAnchor:            tcxAnchor(cfg.IngressTCXAnchor),
 		networkEventsMonitoringLink: networkEventsMonitoringLink,
 		lookupAndDeleteSupported:    true, // this will be turned off later if found to be not supported
 		useEbpfManager:              cfg.UseEbpfManager,
@@ -378,15 +390,15 @@ func NewFlowFetcher(cfg *FlowFetcherConfig, m *metrics.Metrics) (*FlowFetcher, e
 
 func (m *FlowFetcher) AttachTCX(iface *ifaces.Interface) error {
 	if m.enableEgress {
-		egrLink, err := m.attachTCXOnDirection(iface, "Egress", m.objects.BpfPrograms.TcxEgressFlowParse, cilium.AttachTCXEgress)
+		egrLink, err := m.attachTCXOnDirection(iface, "Egress", m.objects.BpfPrograms.TcxEgressFlowParse, cilium.AttachTCXEgress, m.egressTCXAnchor)
 		if err != nil {
 			return err
 		}
 		m.egressTCXLink[iface.InterfaceKey] = egrLink
 	}
 
 	if m.enableIngress {
-		ingLink, err := m.attachTCXOnDirection(iface, "Ingress", m.objects.BpfPrograms.TcxIngressFlowParse, cilium.AttachTCXIngress)
+		ingLink, err := m.attachTCXOnDirection(iface, "Ingress", m.objects.BpfPrograms.TcxIngressFlowParse, cilium.AttachTCXIngress, m.ingressTCXAnchor)
 		if err != nil {
 			return err
 		}
@@ -396,13 +408,14 @@ func (m *FlowFetcher) AttachTCX(iface *ifaces.Interface) error {
 	return nil
 }
 
-func (m *FlowFetcher) attachTCXOnDirection(iface *ifaces.Interface, dirName string, prg *cilium.Program, attach cilium.AttachType) (link.Link, error) {
+func (m *FlowFetcher) attachTCXOnDirection(iface *ifaces.Interface, dirName string, prg *cilium.Program, attach cilium.AttachType, anchor link.Anchor) (link.Link, error) {
 	ilog := log.WithField("iface", iface)
 
 	lnk, err := link.AttachTCX(link.TCXOptions{
 		Program:   prg,
 		Attach:    attach,
 		Interface: iface.Index,
+		Anchor:    anchor,
 	})
 	if err != nil {
 		errPrefix := "Attach" + dirName
@@ -1357,6 +1370,8 @@ type PacketFetcher struct {
 	cacheMaxSize             int
 	enableIngress            bool
 	enableEgress             bool
+	ingressAnchor            link.Anchor
+	egressAnchor             link.Anchor
 	egressTCXLink            map[ifaces.InterfaceKey]link.Link
 	ingressTCXLink           map[ifaces.InterfaceKey]link.Link
 	lookupAndDeleteSupported bool
@@ -1605,6 +1620,7 @@ func (p *PacketFetcher) AttachTCX(iface *ifaces.Interface) error {
 			Program:   p.objects.BpfPrograms.TcxEgressPcaParse,
 			Attach:    cilium.AttachTCXEgress,
 			Interface: iface.Index,
+			Anchor:    p.egressAnchor,
 		})
 		if err != nil {
 			if errors.Is(err, fs.ErrExist) {
@@ -1640,6 +1656,7 @@ func (p *PacketFetcher) AttachTCX(iface *ifaces.Interface) error {
 			Program:   p.objects.BpfPrograms.TcxIngressPcaParse,
 			Attach:    cilium.AttachTCXIngress,
 			Interface: iface.Index,
+			Anchor:    p.ingressAnchor,
 		})
 		if err != nil {
 			if errors.Is(err, fs.ErrExist) {
@@ -1944,3 +1961,16 @@ func configureFlowSpecVariables(spec *cilium.CollectionSpec, cfg *FlowFetcherCon
 
 	return nil
 }
+
+func tcxAnchor(anchor string) link.Anchor {
+	switch anchor {
+	case tcxAnchorHead:
+		return link.Head()
+	case tcxAnchorTail:
+		return link.Tail()
+	case tcxAnchorNone:
+		return nil
+	default:
+		return nil
+	}
+}