Documentation ¶
Constants ¶
const (
	// PacketIn reasons: the "reason" byte carried by a packet-in message, used to
	// route it to the Traceflow (TF) or NetworkPolicy (NP) handler.
	PacketInReasonTF ofpPacketInReason = 1
	PacketInReasonNP ofpPacketInReason = 0
	// PacketInQueueSize defines the size of PacketInQueue.
	// When PacketInQueue reaches PacketInQueueSize, new packet-in will be dropped.
	// Dropping rather than growing keeps the controller's memory bounded when the
	// dataplane produces packet-in events faster than they are consumed.
	PacketInQueueSize = 200
	// PacketInQueueRate defines the maximum frequency of getting items from PacketInQueue.
	// PacketInQueueRate is represented as number of events per second. Together with
	// PacketInQueueSize it caps the controller CPU spent on packet-in processing.
	PacketInQueueRate = 100
)
const (
	// Flow table id index: the exported OpenFlow table numbers of the pipeline.
	// Egress policy tables (45-61) precede ingress policy tables (85-101); the
	// "AntreaPolicy" tables come before the "DefaultTier" and K8s NetworkPolicy tables
	// of the same direction, and each direction ends with a default (drop) table and a
	// metric table.
	ClassifierTable              binding.TableIDType = 0
	AntreaPolicyEgressRuleTable  binding.TableIDType = 45
	DefaultTierEgressRuleTable   binding.TableIDType = 49
	EgressRuleTable              binding.TableIDType = 50
	EgressDefaultTable           binding.TableIDType = 60
	EgressMetricTable            binding.TableIDType = 61
	AntreaPolicyIngressRuleTable binding.TableIDType = 85
	DefaultTierIngressRuleTable  binding.TableIDType = 89
	IngressRuleTable             binding.TableIDType = 90
	IngressDefaultTable          binding.TableIDType = 100
	IngressMetricTable           binding.TableIDType = 101
	L2ForwardingOutTable         binding.TableIDType = 110
)
const (
	// OpenFlow register assignments (regType values are register numbers).
	PortCacheReg regType = 1
	EgressReg    regType = 5
	IngressReg   regType = 6
	TraceflowReg regType = 9 // Use reg9[28..31] to store traceflow dataplaneTag.
	// CNPDenyConjIDReg reuses reg3 which will also be used for storing endpoint IP to store the rule ID. Since
	// the service selection will finish when a packet hitting NetworkPolicy related rules, there is no conflict.
	CNPDenyConjIDReg regType = 3

	// Conntrack zones for IPv4 and IPv6 traffic.
	CtZone   = 0xfff0
	CtZoneV6 = 0xffe6

	// ServiceCTMark is the conntrack mark applied to Service traffic.
	ServiceCTMark = 0x21

	// disposition is loaded in marksReg [21-22]
	DispositionMarkReg regType = 0
	// disposition marks the flow action
	DispositionAllow = 0b00
	DispositionDrop  = 0b01
	DispositionRej   = 0b10

	// custom reason is loaded in marksReg [24-26]
	// The custom reason mark is used to indicate the reason(s) for sending the packet
	// to the controller. Reasons can be or-ed to indicate that the packet was sent
	// for multiple reasons.
	// For example, a value of 0b11 (CustomReasonLogging | CustomReasonReject) means
	// that the packet is sent to the controller both for NetworkPolicy logging and
	// because of a Reject action.
	CustomReasonMarkReg regType = 0
	// CustomReasonLogging is used when sending a packet-in to the controller indicating
	// that this packet needs logging.
	CustomReasonLogging = 0b01
	// CustomReasonReject is not only used when sending a packet-in to the controller indicating
	// that this packet should be rejected, but also in the case where the controller sends
	// the reject packet as a packet-out: we want the reject response to bypass
	// the connTrack to avoid an unexpected drop.
	CustomReasonReject = 0b10
	// CustomReasonDeny is used when sending a packet-in message to the controller indicating
	// that the corresponding connection has been dropped or rejected. It can be consumed
	// by the Flow Exporter to export flow records for connections denied by network
	// policy rules.
	CustomReasonDeny = 0b100
)
Variables ¶
var (
	// Match keys pair a protocol and an address type with the OpenFlow match field
	// (nw_dst, ipv6_src, in_port, tp_dst, ...) that a policy address of that type is
	// matched against. Unsupported is the sentinel for address types that have no
	// corresponding match field (field name "unknown").
	MatchDstIP         = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_dst")
	MatchSrcIP         = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_src")
	MatchDstIPNet      = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_dst")
	MatchSrcIPNet      = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_src")
	MatchDstIPv6       = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_dst")
	MatchSrcIPv6       = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_src")
	MatchDstIPNetv6    = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_dst")
	MatchSrcIPNetv6    = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_src")
	// Destination OF port is matched on reg1 (the port cache register, see PortCacheReg);
	// source OF port is the packet's in_port.
	MatchDstOFPort     = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "reg1[0..31]")
	MatchSrcOFPort     = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "in_port")
	MatchTCPDstPort    = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_dst")
	MatchTCPv6DstPort  = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_dst")
	MatchUDPDstPort    = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_dst")
	MatchUDPv6DstPort  = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_dst")
	MatchSCTPDstPort   = types.NewMatchKey(binding.ProtocolSCTP, types.L4PortAddr, "tp_dst")
	MatchSCTPv6DstPort = types.NewMatchKey(binding.ProtocolSCTPv6, types.L4PortAddr, "tp_dst")
	Unsupported        = types.NewMatchKey(binding.ProtocolIP, types.UnSupported, "unknown")
)
var (
	// APDispositionMarkRange takes the 21 to 22 bits of register marksReg to indicate
	// disposition of Antrea Policy. It could have more bits to support more disposition
	// that Antrea policy support in the future. The values stored in it are the
	// Disposition* constants (DispositionAllow/Drop/Rej).
	APDispositionMarkRange = binding.Range{21, 22}
	// CustomReasonMarkRange takes the 24 to 26 bits of register marksReg to indicate
	// the reason of sending packet to the controller. It could have more bits to
	// support more customReason in the future. The values stored in it are or-ed
	// CustomReason* constants.
	CustomReasonMarkRange = binding.Range{24, 26}
)
// DispositionToString maps a disposition value read from APDispositionMarkRange
// to its human-readable name, e.g. for logging or Traceflow output. Values not in
// the map (anything other than DispositionAllow/Drop/Rej) yield "".
var DispositionToString = map[uint32]string{
	DispositionAllow: "Allow",
	DispositionDrop:  "Drop",
	DispositionRej:   "Reject",
}
var (
	// FlowTables lists every flow table of the pipeline together with its display
	// name. The exported table numbers visible on this page are ascending in list
	// order, so the list presumably follows pipeline order; it is also the likely
	// backing data for GetFlowTableName/GetFlowTableNumber — confirm with the
	// implementation. Note the inconsistent naming of a few entries
	// ("DNAT(SessionAffinity)", "HairpinSNATTable"), which callers doing name
	// lookups must reproduce exactly.
	FlowTables = []struct {
		Number binding.TableIDType
		Name   string
	}{
		{ClassifierTable, "Classification"},
		{uplinkTable, "Uplink"},
		{spoofGuardTable, "SpoofGuard"},
		{arpResponderTable, "ARPResponder"},
		{ipv6Table, "IPv6"},
		{serviceHairpinTable, "ServiceHairpin"},
		{conntrackTable, "ConntrackZone"},
		{conntrackStateTable, "ConntrackState"},
		{dnatTable, "DNAT(SessionAffinity)"},
		{sessionAffinityTable, "SessionAffinity"},
		{serviceLBTable, "ServiceLB"},
		{endpointDNATTable, "EndpointDNAT"},
		{AntreaPolicyEgressRuleTable, "AntreaPolicyEgressRule"},
		{EgressRuleTable, "EgressRule"},
		{EgressDefaultTable, "EgressDefaultRule"},
		{EgressMetricTable, "EgressMetric"},
		{l3ForwardingTable, "L3Forwarding"},
		{snatTable, "SNAT"},
		{l3DecTTLTable, "IPTTLDec"},
		{l2ForwardingCalcTable, "L2Forwarding"},
		{AntreaPolicyIngressRuleTable, "AntreaPolicyIngressRule"},
		{IngressRuleTable, "IngressRule"},
		{IngressDefaultTable, "IngressDefaultRule"},
		{IngressMetricTable, "IngressMetric"},
		{conntrackCommitTable, "ConntrackCommit"},
		{hairpinSNATTable, "HairpinSNATTable"},
		{L2ForwardingOutTable, "Output"},
	}
)
Functions ¶
func GetAntreaPolicyBaselineTierTables ¶
func GetAntreaPolicyBaselineTierTables() []binding.TableIDType
func GetAntreaPolicyEgressTables ¶
func GetAntreaPolicyEgressTables() []binding.TableIDType
func GetAntreaPolicyIngressTables ¶
func GetAntreaPolicyIngressTables() []binding.TableIDType
func GetAntreaPolicyMultiTierTables ¶
func GetAntreaPolicyMultiTierTables() []binding.TableIDType
func GetFlowTableName ¶
func GetFlowTableName(tableNumber binding.TableIDType) string
GetFlowTableName returns the flow table name given the table number. An empty string is returned if the table cannot be found.
func GetFlowTableNumber ¶
func GetFlowTableNumber(tableName string) binding.TableIDType
GetFlowTableNumber does a case-insensitive lookup of the table name and returns the flow table number if the table is found. TableIDAll is returned if the table cannot be found.
Types ¶
type Client ¶
// Client is the interface to program OVS flows for entity connectivity of Antrea.
type Client interface {
	// Initialize sets up all basic flows on the specific OVS bridge. It returns a channel which
	// is used to notify the caller in case of a reconnection, in which case ReplayFlows should
	// be called to ensure that the set of OVS flows is correct. All flows programmed in the
	// switch which match the current round number will be deleted before any new flow is
	// installed.
	Initialize(roundInfo types.RoundInfo, config *config.NodeConfig, encapMode config.TrafficEncapModeType) (<-chan struct{}, error)

	// InstallGatewayFlows sets up flows related to an OVS gateway port; the gateway must exist.
	InstallGatewayFlows() error

	// InstallClusterServiceCIDRFlows sets up the appropriate flows so that traffic can reach
	// the different Services running in the Cluster. This method needs to be invoked once with
	// the Cluster Service CIDR as a parameter.
	InstallClusterServiceCIDRFlows(serviceNets []*net.IPNet) error

	// InstallClusterServiceFlows sets up the appropriate flows so that traffic can reach
	// the different Services running in the Cluster. This method needs to be invoked once.
	InstallClusterServiceFlows() error

	// InstallDefaultTunnelFlows sets up the classification flow for the default (flow based) tunnel.
	InstallDefaultTunnelFlows() error

	// InstallNodeFlows should be invoked when a connection to a remote Node is going to be set
	// up. The hostname is used to identify the added flows. When IPSec tunnel is enabled,
	// ipsecTunOFPort must be set to the OFPort number of the IPSec tunnel port to the remote Node;
	// otherwise ipsecTunOFPort must be set to 0.
	// InstallNodeFlows has all-or-nothing semantics (the call succeeds if all the flows are installed
	// successfully, otherwise no flows will be installed). Calls to InstallNodeFlows are idempotent.
	// Concurrent calls to InstallNodeFlows and / or UninstallNodeFlows are supported as long as they
	// are all for different hostnames.
	InstallNodeFlows(
		hostname string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP net.IP,
		ipsecTunOFPort uint32,
		peerNodeMAC net.HardwareAddr) error

	// UninstallNodeFlows removes the connection to the remote Node specified with the
	// hostname. UninstallNodeFlows will do nothing if no connection to the host was established.
	UninstallNodeFlows(hostname string) error

	// InstallPodFlows should be invoked when a connection to a Pod on the current Node is going
	// to be set up. The interfaceName is used to identify the added flows. InstallPodFlows has
	// all-or-nothing semantics (the call succeeds if all the flows are installed successfully,
	// otherwise no flows will be installed). Calls to InstallPodFlows are idempotent. Concurrent
	// calls to InstallPodFlows and / or UninstallPodFlows are supported as long as they are all
	// for different interfaceNames.
	InstallPodFlows(interfaceName string, podInterfaceIPs []net.IP, podInterfaceMAC net.HardwareAddr, ofPort uint32) error

	// UninstallPodFlows removes the connection to the local Pod specified with the
	// interfaceName. UninstallPodFlows will do nothing if no connection to the Pod was established.
	UninstallPodFlows(interfaceName string) error

	// InstallServiceGroup installs a group for Service LB. Each endpoint
	// is a bucket of the group. For now, each bucket has the same weight.
	InstallServiceGroup(groupID binding.GroupIDType, withSessionAffinity bool, endpoints []proxy.Endpoint) error

	// UninstallServiceGroup removes the group and its buckets that are
	// installed by InstallServiceGroup.
	UninstallServiceGroup(groupID binding.GroupIDType) error

	// InstallEndpointFlows installs flows for accessing Endpoints.
	// If an Endpoint is on the current Node, then flows for hairpin and endpoint
	// L2 forwarding should also be installed.
	InstallEndpointFlows(protocol binding.Protocol, endpoints []proxy.Endpoint) error

	// UninstallEndpointFlows removes flows of the Endpoint installed by
	// InstallEndpointFlows.
	UninstallEndpointFlows(protocol binding.Protocol, endpoint proxy.Endpoint) error

	// InstallServiceFlows installs flows for accessing a Service with a clusterIP.
	// It installs the flow that uses the group/bucket to do service LB. If the
	// affinityTimeout is not zero, it also installs the flow which has a learn
	// action to maintain the LB decision.
	// The group with the groupID must be installed before, otherwise the
	// installation will fail.
	InstallServiceFlows(groupID binding.GroupIDType, svcIP net.IP, svcPort uint16, protocol binding.Protocol, affinityTimeout uint16) error

	// UninstallServiceFlows removes flows installed by InstallServiceFlows.
	UninstallServiceFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error

	// InstallLoadBalancerServiceFromOutsideFlows installs flows for LoadBalancer Service traffic from outside the Node.
	// The traffic is received from the uplink port and will be forwarded to the gateway by the installed flows, and
	// then kube-proxy will handle the traffic.
	// This function is only used for the Windows platform.
	InstallLoadBalancerServiceFromOutsideFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error

	// UninstallLoadBalancerServiceFromOutsideFlows removes flows installed by InstallLoadBalancerServiceFromOutsideFlows.
	UninstallLoadBalancerServiceFromOutsideFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error

	// GetFlowTableStatus should return an array of flow table status; all existing flow tables should be included in the list.
	GetFlowTableStatus() []binding.TableStatus

	// InstallPolicyRuleFlows installs flows for a new NetworkPolicy rule. Rule should include all fields in the
	// NetworkPolicy rule. Each ingress/egress policy rule installs Openflow entries on two tables, one for
	// ruleTable and the other for dropTable. If a packet does not pass the ruleTable, it will be dropped by the
	// dropTable.
	InstallPolicyRuleFlows(ofPolicyRule *types.PolicyRule) error

	// BatchInstallPolicyRuleFlows installs multiple flows for NetworkPolicy rules in batch.
	BatchInstallPolicyRuleFlows(ofPolicyRules []*types.PolicyRule) error

	// UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule.
	// It also returns a slice of stale ofPriorities used by ClusterNetworkPolicies.
	// UninstallPolicyRuleFlows will do nothing if no Openflow entry for the rule is installed.
	UninstallPolicyRuleFlows(ruleID uint32) ([]string, error)

	// AddPolicyRuleAddress adds one or multiple addresses to the specified NetworkPolicy rule. If addrType is
	// srcAddress, the addresses are added to PolicyRule.From, else to PolicyRule.To.
	AddPolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// DeletePolicyRuleAddress removes addresses from the specified NetworkPolicy rule. If addrType is srcAddress,
	// the addresses are removed from PolicyRule.From, else from PolicyRule.To.
	DeletePolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// InstallBridgeUplinkFlows installs Openflow flows between the bridge local port and the uplink port to support
	// host networking.
	// This function is only used for the Windows platform.
	InstallBridgeUplinkFlows() error

	// InstallExternalFlows sets up flows to enable Pods to communicate to
	// the external IP addresses. The flows identify the packets from local
	// Pods to the external IP address, and mark the packets to be SNAT'd
	// with the configured SNAT IPs. On Windows Node, the flows also perform
	// SNAT with the Openflow NAT action.
	InstallExternalFlows() error

	// InstallSNATMarkFlows installs flows for a local SNAT IP. On Linux, a
	// single flow is added to mark the packets tunnelled from remote Nodes
	// that should be SNAT'd with the SNAT IP. On Windows, an extra flow is
	// added to perform SNAT for the marked packets with the SNAT IP.
	InstallSNATMarkFlows(snatIP net.IP, mark uint32) error

	// UninstallSNATMarkFlows removes the flows installed to set the packet
	// mark for a SNAT IP.
	UninstallSNATMarkFlows(mark uint32) error

	// InstallPodSNATFlows installs the SNAT flows for a local Pod. If the
	// SNAT IP for the Pod is on the local Node, a non-zero SNAT ID should be
	// allocated for the SNAT IP, and the installed flow sets the SNAT IP
	// mark on the egress packets from the ofPort; if the SNAT IP is on a
	// remote Node, snatMark should be set to 0, and the installed flow
	// tunnels egress packets to the remote Node using the SNAT IP as the
	// tunnel destination, and the packets should be SNAT'd on the remote
	// Node. As of now, a Pod can be configured to use only a single SNAT
	// IP in a single address family (IPv4 or IPv6).
	InstallPodSNATFlows(ofPort uint32, snatIP net.IP, snatMark uint32) error

	// UninstallPodSNATFlows removes the SNAT flows for the local Pod.
	UninstallPodSNATFlows(ofPort uint32) error

	// Disconnect disconnects the connection between the client and the OFSwitch.
	Disconnect() error

	// IsConnected returns the connection status between the client and the OFSwitch. The return value is true if the OFSwitch is connected.
	IsConnected() bool

	// ReplayFlows should be called when a spurious disconnection occurs. After we reconnect to
	// the OFSwitch, we need to replay all the flows cached by the client. ReplayFlows will try
	// to replay as many flows as possible, and will log an error when a flow cannot be
	// installed.
	ReplayFlows()

	// DeleteStaleFlows deletes all flows from the previous round which are no longer needed. It
	// should be called by the agent after all required flows have been installed / updated with
	// the new round number.
	DeleteStaleFlows() error

	// GetTunnelVirtualMAC returns globalVirtualMAC used for tunnel traffic.
	GetTunnelVirtualMAC() net.HardwareAddr

	// GetPodFlowKeys returns the keys (match strings) of the cached flows for a
	// Pod.
	GetPodFlowKeys(interfaceName string) []string

	// GetServiceFlowKeys returns the keys (match strings) of the cached
	// flows for a Service (port) and its endpoints.
	GetServiceFlowKeys(svcIP net.IP, svcPort uint16, protocol binding.Protocol, endpoints []proxy.Endpoint) []string

	// GetNetworkPolicyFlowKeys returns the keys (match strings) of the cached
	// flows for a NetworkPolicy. Flows are grouped by policy rules, and duplicated
	// entries can be added due to conjunctive match flows shared by multiple
	// rules.
	GetNetworkPolicyFlowKeys(npName, npNamespace string) []string

	// ReassignFlowPriorities takes a list of priority updates, and updates the actionFlows to replace
	// the old priority with the desired one, for each priority update on that table.
	ReassignFlowPriorities(updates map[uint16]uint16, table binding.TableIDType) error

	// SubscribePacketIn subscribes to packet-in messages for the given reason. Packets
	// will be placed in the queue and if the queue is full, the packet-in messages
	// will be dropped. pktInQueue supports rate-limiting for the consumer, in order to
	// constrain the compute resources that may be used by the consumer (see
	// PacketInQueueSize and PacketInQueueRate).
	SubscribePacketIn(reason uint8, pktInQueue *binding.PacketInQueue) error

	// SendTraceflowPacket injects a packet into the specified OVS port via Openflow.
	SendTraceflowPacket(dataplaneTag uint8, packet *binding.Packet, inPort uint32, outPort int32) error

	// InstallTraceflowFlows installs flows for a Traceflow request.
	InstallTraceflowFlows(dataplaneTag uint8, liveTraffic, droppedOnly, receiverOnly bool, packet *binding.Packet, ofPort uint32, timeoutSeconds uint16) error

	// UninstallTraceflowFlows uninstalls flows for a Traceflow request.
	UninstallTraceflowFlows(dataplaneTag uint8) error

	// InitialTLVMap initializes tun_metadata0 in the TLV map for Traceflow.
	InitialTLVMap() error

	// GetPolicyInfoFromConjunction finds the NetworkPolicy reference and OF priority
	// by conjunction ID (the rule ID).
	GetPolicyInfoFromConjunction(ruleID uint32) (string, string)

	// RegisterPacketInHandler uses SubscribePacketIn to get PacketIn messages and process received
	// packets through registered handlers. packetInHandler is untyped here; the concrete
	// type expected is presumably PacketInHandler (declared in this package) — a handler of
	// another type cannot be rejected at compile time, so confirm how the implementation
	// validates it.
	RegisterPacketInHandler(packetHandlerReason uint8, packetHandlerName string, packetInHandler interface{})
	// StartPacketInHandler starts processing packet-in messages for the listed reasons;
	// stopCh presumably terminates the processing loop — confirm with the implementation.
	StartPacketInHandler(packetInStartedReason []uint8, stopCh <-chan struct{})

	// NetworkPolicyMetrics gets the traffic metrics of each NetworkPolicy rule, keyed by rule ID.
	NetworkPolicyMetrics() map[uint32]*types.RuleMetric

	// IsIPv4Enabled reports whether IPv4 is supported on this Node.
	IsIPv4Enabled() bool

	// IsIPv6Enabled reports whether IPv6 is supported on this Node.
	IsIPv6Enabled() bool

	// SendTCPPacketOut sends a TCP packet as a packet-out to OVS. Addresses are passed
	// as strings; their parsing/validation is not visible here — NOTE(review): confirm the
	// implementation rejects malformed values rather than emitting a malformed packet.
	SendTCPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort int32,
		isIPv6 bool,
		tcpSrcPort uint16,
		tcpDstPort uint16,
		tcpAckNum uint32,
		tcpFlag uint8,
		isReject bool) error

	// SendICMPPacketOut sends an ICMP packet as a packet-out to OVS. Same note as
	// SendTCPPacketOut regarding string-typed addresses.
	SendICMPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort int32,
		isIPv6 bool,
		icmpType uint8,
		icmpCode uint8,
		icmpData []byte,
		isReject bool) error
}
Client is the interface to program OVS flows for entity connectivity of Antrea.
type ConjunctionNotFound ¶
// ConjunctionNotFound is an error response when the specified policyRuleConjunction
// is not found in the local cache. The underlying value is presumably the conjunction
// (rule) ID that was looked up — confirm with Error().
type ConjunctionNotFound uint32
ConjunctionNotFound is an error response when the specified policyRuleConjunction is not found in the local cache.
func (*ConjunctionNotFound) Error ¶
func (e *ConjunctionNotFound) Error() string
type IPAddress ¶
IPAddress is an IP address calculated from a Pod's address.
func NewIPAddress ¶
func (*IPAddress) GetMatchKey ¶
func (a *IPAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*IPAddress) GetMatchValue ¶
type IPNetAddress ¶
IPNetAddress is an IP block calculated from a Pod's address.
func NewIPNetAddress ¶
func NewIPNetAddress(addr net.IPNet) *IPNetAddress
func (*IPNetAddress) GetMatchKey ¶
func (a *IPNetAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*IPNetAddress) GetMatchValue ¶
func (a *IPNetAddress) GetMatchValue() string
func (*IPNetAddress) GetValue ¶
func (a *IPNetAddress) GetValue() interface{}
type OFEntryOperations ¶
// OFEntryOperations is the set of flow and OF-entry operations the client issues to
// the bridge. Add/Modify/Delete act on a single flow and the *All variants on a batch;
// BundleOps takes separate add, modify and delete lists and presumably applies them as
// one OpenFlow bundle — confirm with the implementation. AddOFEntries/DeleteOFEntries
// operate on generic binding.OFEntry values rather than flows.
type OFEntryOperations interface {
	Add(flow binding.Flow) error
	Modify(flow binding.Flow) error
	Delete(flow binding.Flow) error
	AddAll(flows []binding.Flow) error
	ModifyAll(flows []binding.Flow) error
	BundleOps(adds []binding.Flow, mods []binding.Flow, dels []binding.Flow) error
	DeleteAll(flows []binding.Flow) error
	AddOFEntries(ofEntries []binding.OFEntry) error
	DeleteOFEntries(ofEntries []binding.OFEntry) error
}
type OFPortAddress ¶
// OFPortAddress is the Openflow port of an interface, used as a policy address
// that is matched via MatchDstOFPort/MatchSrcOFPort.
type OFPortAddress int32
OFPortAddress is the Openflow port of an interface.
func NewOFPortAddress ¶
func NewOFPortAddress(addr int32) *OFPortAddress
func (*OFPortAddress) GetMatchKey ¶
func (a *OFPortAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*OFPortAddress) GetMatchValue ¶
func (a *OFPortAddress) GetMatchValue() string
func (*OFPortAddress) GetValue ¶
func (a *OFPortAddress) GetValue() interface{}
type PacketInHandler ¶