From a589d184c9be1b52568cfc14495fc787b4fe5afb Mon Sep 17 00:00:00 2001
From: Casey Davenport
Date: Mon, 26 Jan 2026 14:47:21 -0800
Subject: [PATCH 1/2] Use nftablesMode=Auto in FelixConfiguration
---
 .../crd.projectcalico.org/v1/felixconfig.go | 1 +
 .../installation/core_controller.go | 22 +++++++++++--------
 .../installation/core_controller_test.go | 2 +-
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/pkg/apis/crd.projectcalico.org/v1/felixconfig.go b/pkg/apis/crd.projectcalico.org/v1/felixconfig.go
index 2ac7b613f3..afe40f0400 100644
--- a/pkg/apis/crd.projectcalico.org/v1/felixconfig.go
+++ b/pkg/apis/crd.projectcalico.org/v1/felixconfig.go
@@ -25,6 +25,7 @@ type NFTablesMode string
 const (
 NFTablesModeEnabled NFTablesMode = "Enabled"
 NFTablesModeDisabled NFTablesMode = "Disabled"
+ NFTablesModeAuto NFTablesMode = "Auto"
 )
 
 type IptablesBackend string
diff --git a/pkg/controller/installation/core_controller.go b/pkg/controller/installation/core_controller.go
index 22cfbc0e5c..39fdcfa281 100644
--- a/pkg/controller/installation/core_controller.go
+++ b/pkg/controller/installation/core_controller.go
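Review bot: The new `NFTablesModeAuto` constant joins a const block in which none of the values carries a doc comment, and "Auto" is the one whose meaning is not evident from its name. The controller change in this same series describes it as Felix auto-detecting, per node, whether to use nftables or iptables, so I would put that on the constant: `// NFTablesModeAuto lets Felix auto-detect per node whether to use nftables or iptables.` A one-line comment on `NFTablesModeEnabled` and `NFTablesModeDisabled` in the same style would make the three values read as a set.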
@@ -1814,17 +1814,21 @@ func (r *ReconcileInstallation) setNftablesMode(_ context.Context, install *oper
 // we don't need to handle upgrades from versions that were previously FelixConfiguration only - nftables mode has always
 // been controlled by the operator.
 if install.Spec.CalicoNetwork.LinuxDataplane != nil {
+ nftablesMode := crdv1.NFTablesModeDisabled
 if install.Spec.IsNftables() {
- // The operator is configured to use the nftables dataplane. Configure Felix to use nftables.
- updated = fc.Spec.NFTablesMode == nil || *fc.Spec.NFTablesMode != crdv1.NFTablesModeEnabled
- nftablesMode := crdv1.NFTablesModeEnabled
- fc.Spec.NFTablesMode = &nftablesMode
- } else {
- // The operator is configured to use another dataplane. Disable nftables.
- updated = fc.Spec.NFTablesMode == nil || *fc.Spec.NFTablesMode != crdv1.NFTablesModeDisabled
- nftablesMode := crdv1.NFTablesModeDisabled
- fc.Spec.NFTablesMode = &nftablesMode
+ // The operator is configured to use the nftables dataplane.
+ if install.Spec.BPFEnabled() {
+ // For BPF mode, we always use nftables, as we don't use the upstream kube-proxy and so don't need to
+ // worry about compatibility with its mode of operation.
+ nftablesMode = crdv1.NFTablesModeEnabled
+ } else {
+ // Otherwise, kube-proxy is running - configure Felix to auto-detect whether it should use nftables or iptables on
+ // a per-node basis, allowing for smoother upgrades.
+ nftablesMode = crdv1.NFTablesModeAuto
+ }
 }
+ updated = fc.Spec.NFTablesMode == nil || *fc.Spec.NFTablesMode != nftablesMode
+ fc.Spec.NFTablesMode = &nftablesMode
 }
 if updated {
 reqLogger.Info("Patching nftables mode", "nftablesMode", *fc.Spec.NFTablesMode)
diff --git a/pkg/controller/installation/core_controller_test.go b/pkg/controller/installation/core_controller_test.go
index 6064594b72..0db859634d 100644
--- a/pkg/controller/installation/core_controller_test.go
+++ b/pkg/controller/installation/core_controller_test.go
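Review bot: The `install.Spec.BPFEnabled()` check sits inside `if install.Spec.IsNftables()`, so the `NFTablesModeEnabled` branch is reachable only when both predicates are true at once; if both are derived from the single `LinuxDataplane` value (one for BPF, one for Nftables — the definitions are not in this diff, so this is inferred), they are mutually exclusive, the inner `if` is dead, and a BPF install falls through to the `NFTablesModeDisabled` default, which contradicts the comment that BPF mode always uses nftables. If that reading is right, decide on the BPF condition first and independently of the nftables one, as sketched below; if the two predicates can in fact overlap, a short comment on the inner `if` saying how (`// BPFEnabled() and IsNftables() can both hold: …`) would stop the next reader from raising this again. Either way, the Disabled default deserves the one-line comment the removed `else` branch had (`// Any other dataplane: disable nftables.`), since that intent is now only implicit in the initializer. The body of setNftablesMode starts before and ends after this hunk.

```go
	if install.Spec.CalicoNetwork.LinuxDataplane != nil {
		// Any other dataplane: disable nftables.
		nftablesMode := crdv1.NFTablesModeDisabled
		switch {
		case install.Spec.BPFEnabled():
			// For BPF mode, we always use nftables, as we don't use the upstream kube-proxy and so don't need to
			// worry about compatibility with its mode of operation.
			nftablesMode = crdv1.NFTablesModeEnabled
		case install.Spec.IsNftables():
			// kube-proxy is running - configure Felix to auto-detect whether it should use nftables or iptables on
			// a per-node basis, allowing for smoother upgrades.
			nftablesMode = crdv1.NFTablesModeAuto
		}
		// … unchanged: computation of updated and assignment to fc.Spec.NFTablesMode …
```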
@@ -1099,7 +1099,7 @@ var _ = Describe("Testing core-controller installation", func() {
 err = c.Get(ctx, types.NamespacedName{Name: "default"}, fc)
 Expect(err).ShouldNot(HaveOccurred())
 Expect(fc.Spec.NFTablesMode).ToNot(BeNil())
- Expect(*fc.Spec.NFTablesMode).To(Equal(crdv1.NFTablesModeEnabled))
+ Expect(*fc.Spec.NFTablesMode).To(Equal(crdv1.NFTablesModeAuto))
 })
 
 It("should set NFTablesMode to Disabled if nftables mode is changed", func() {
From f7fed50730f0feeb98e8bcee945d8d6bdee00ce0 Mon Sep 17 00:00:00 2001
From: Casey Davenport
Date: Fri, 30 Jan 2026 10:55:56 -0800
Subject: [PATCH 2/2] Generation
---
 .../calico/crd.projectcalico.org_felixconfigurations.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
index cd33e38e17..89d9263ad3 100644
--- a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
+++ b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
@@ -1020,12 +1020,14 @@ spec:
 format: int32
 type: integer
 nftablesMode:
+ default: Auto
 description: "NFTablesMode configures nftables support in Felix. [Default:
- Disabled]"
+ Auto]"
 enum:
 - Disabled
 - Enabled
+ - Auto
 type: string
 nftablesRefreshInterval:
 description:
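Review bot: The updated expectation pins only the kube-proxy path of the new logic (`NFTablesModeAuto`); nothing in this hunk exercises the other new branch in `setNftablesMode`, where `BPFEnabled()` is meant to yield `NFTablesModeEnabled`, and that branch is exactly the one whose reachability is in question. Unless a case elsewhere in this file already covers it, add an `It` that builds an Installation for which `BPFEnabled()` is true and asserts `Expect(*fc.Spec.NFTablesMode).To(Equal(crdv1.NFTablesModeEnabled))`, so the BPF behaviour the comment promises is verified rather than assumed. The `It` block containing this assertion starts before the hunk.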