openflow

package
v1.13.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 11, 2023 License: Apache-2.0 Imports: 36 Imported by: 1

Documentation

Index

Constants

View Source
const (
	// PacketIn categories below are used to distribute packetIn to specific handlers.
	// PacketIn category should be loaded in the first byte of packetIn2 userData.
	// PacketInCategoryTF is used for traceflow.
	PacketInCategoryTF ofpPacketInCategory = iota
	// PacketInCategoryNP is used for packetIn messages related to Network Policy,
	// including: Logging, Reject, Deny.
	PacketInCategoryNP
	// PacketInCategoryDNS is used for DNS response packetIn messages.
	PacketInCategoryDNS
	// PacketInCategoryIGMP is used for IGMP packetIn messages.
	PacketInCategoryIGMP
	// PacketInCategorySvcReject is used to process the Service packets not matching any
	// Endpoints within packetIn message.
	PacketInCategorySvcReject

	// PacketIn operations below are used to decide which operation(s) should be
	// executed by a handler. It(they) should be loaded in the second byte of the
	// packetIn2 userData. Operations for different handlers could share the value.
	// If there is only one operation for a handler, then there is no need to provide an
	// operation.
	// For example, if a packetIn2 needs Reject and Logging, the userData of the
	// packetIn2 will be []byte{1, 0b11}. The first byte indicate that this packetIn2
	// should be sent to NetworkPolicy packetIn handler(PacketInCategoryNP). And the
	// second byte, which is 0b1 & 0b10 indicating that it needs
	// PacketInNPLoggingOperation and PacketInNPRejectOperation.
	// PacketInNPLoggingOperation is used when sending packetIn to NetworkPolicy
	// handler indicating this packet needs logging.
	PacketInNPLoggingOperation = 0b1
	// PacketInNPRejectOperation is used when sending packetIn to controller
	// indicating that this packet should be rejected.
	PacketInNPRejectOperation = 0b10
	// PacketInNPStoreDenyOperation is used when sending packetIn message to controller
	// indicating that the corresponding connection has been dropped or rejected. It
	// can be consumed by the Flow Exporter to export flow records for connections
	// denied by network policy rules.
	PacketInNPStoreDenyOperation = 0b100

	// We use OpenFlow Meter for packetIn rate limiting on OVS side.
	// Meter Entry ID.
	PacketInMeterIDNP  = 1
	PacketInMeterIDTF  = 2
	PacketInMeterIDDNS = 3
	// Meter Entry Rate. It is represented as number of events per second.
	// Packets which exceed the rate will be dropped.
	PacketInMeterRateNP  = 500
	PacketInMeterRateTF  = 500
	PacketInMeterRateDNS = 500

	// PacketInQueueSize defines the size of PacketInQueue.
	// When PacketInQueue reaches PacketInQueueSize, new packetIn will be dropped.
	PacketInQueueSize = 1000
	// PacketInQueueRate defines the maximum frequency of getting items from PacketInQueue.
	// PacketInQueueRate is represented as number of events per second.
	PacketInQueueRate = 500
)
View Source
const (
	CtZone       = 0xfff0
	CtZoneV6     = 0xffe6
	SNATCtZone   = 0xfff1
	SNATCtZoneV6 = 0xffe7

	// disposition values used in AP
	DispositionAllow = 0b00
	DispositionDrop  = 0b01
	DispositionRej   = 0b10
	DispositionPass  = 0b11
	// DispositionL7NPRedirect is used when sending packet-in to controller for
	// logging layer 7 NetworkPolicy indicating that this packet is redirected to
	// l7 engine to determine the disposition.
	DispositionL7NPRedirect = 0b1

	// EtherTypeDot1q is used when adding 802.1Q VLAN header in OVS action
	EtherTypeDot1q = 0x8100
)
View Source
const UnknownLabelIdentity = uint32(0xffffff)

UnknownLabelIdentity represents an unknown label identity. 24 bits in VNI are used for label identity. The max value is reserved for UnknownLabelIdentity.

Variables

View Source
var (

	// reg0 (NXM_NX_REG0)
	// reg0[0..3]: Field to store the packet source. Marks in this field include:
	//   - 1: from tunnel port.
	//   - 2: from Antrea gateway port.
	//   - 3: from local Pods.
	//   - 4: from uplink port.
	//   - 5: from bridge local port.
	//   - 6: from traffic control return port.
	PktSourceField      = binding.NewRegField(0, 0, 3)
	FromTunnelRegMark   = binding.NewRegMark(PktSourceField, tunnelVal)
	FromGatewayRegMark  = binding.NewRegMark(PktSourceField, gatewayVal)
	FromLocalRegMark    = binding.NewRegMark(PktSourceField, localVal)
	FromUplinkRegMark   = binding.NewRegMark(PktSourceField, uplinkVal)
	FromBridgeRegMark   = binding.NewRegMark(PktSourceField, bridgeVal)
	FromTCReturnRegMark = binding.NewRegMark(PktSourceField, tcReturnVal)
	// reg0[4..7]: Field to store the packet destination. Marks in this field include:
	//   - 1: to tunnel port.
	//   - 2: to Antrea gateway port.
	//   - 3: to local Pods.
	//   - 4: to uplink port.
	//   - 5: to bridge local port.
	PktDestinationField = binding.NewRegField(0, 4, 7)
	ToTunnelRegMark     = binding.NewRegMark(PktDestinationField, tunnelVal)
	ToGatewayRegMark    = binding.NewRegMark(PktDestinationField, gatewayVal)
	ToUplinkRegMark     = binding.NewRegMark(PktDestinationField, uplinkVal)
	// reg0[9]: Field to indicate whether the packet's source / destination MAC address needs to be rewritten.
	RewriteMACRegMark    = binding.NewOneBitRegMark(0, 9)
	NotRewriteMACRegMark = binding.NewOneBitZeroRegMark(0, 9)
	// reg0[10]: Mark to indicate the packet is denied(Drop/Reject) for Antrea Policy.
	// K8s default drop will not be recorded in this reg.
	APDenyRegMark = binding.NewOneBitRegMark(0, 10)
	// reg0[11..12]: Field to indicate disposition of Antrea Policy. It could have more bits to support more dispositions
	// that Antrea Policy support in the future. Marks in this field include:
	//   - 0b00: allow
	//   - 0b01: drop
	//   - 0b11: pass
	APDispositionField      = binding.NewRegField(0, 11, 12)
	DispositionAllowRegMark = binding.NewRegMark(APDispositionField, DispositionAllow)
	DispositionDropRegMark  = binding.NewRegMark(APDispositionField, DispositionDrop)
	DispositionPassRegMark  = binding.NewRegMark(APDispositionField, DispositionPass)
	// reg0[13]: Mark to indicate the packet is a generated reject response packet-out.
	GeneratedRejectPacketOutRegMark = binding.NewOneBitRegMark(0, 13)
	// reg0[14]: Mark to indicate a Service without any Endpoints (used by Proxy)
	SvcNoEpRegMark = binding.NewOneBitRegMark(0, 14)
	// reg0[19]: Mark to indicate remote SNAT for Egress.
	RemoteSNATRegMark = binding.NewOneBitRegMark(0, 19)
	// reg0[20]: Field to indicate redirect action of layer 7 NetworkPolicy.
	L7NPRegField        = binding.NewRegField(0, 20, 20)
	L7NPRedirectRegMark = binding.NewRegMark(L7NPRegField, DispositionL7NPRedirect)
	// reg0[21..22]: Field to indicate how the packet leaves OVS pipeline. Marks in this field include:
	//   - 1: Output to an OVS port.
	//   - 2: Send packet to Antrea Agent.
	OutputRegField            = binding.NewRegField(0, 21, 22)
	OutputToOFPortRegMark     = binding.NewRegMark(OutputRegField, outputToPortVal)
	OutputToControllerRegMark = binding.NewRegMark(OutputRegField, outputToControllerVal)
	// reg0[25..32]: Field to indicate Antrea-native policy packetIn operations
	PacketInOperationField = binding.NewRegField(0, 25, 32)

	// reg1(NXM_NX_REG1)
	// Field to cache the ofPort of the OVS interface where to output packet.
	TargetOFPortField = binding.NewRegField(1, 0, 31)

	// reg2(NXM_NX_REG2)
	// Field to help swap values in two different flow fields in the OpenFlow actions. This field is only used in func
	// `arpResponderStaticFlow`.
	SwapField = binding.NewRegField(2, 0, 31)
	// Field to store the OVS table where the packet is decided to be sent to controller. This may be different from
	// packetIn.TableId where the flow with "SendToController" action is located as we may install the packetIn flows
	// in a single table, e.g., Antrea-native policy logging flows.
	PacketInTableField = binding.NewRegField(2, 0, 7)

	// reg3(NXM_NX_REG3)
	// Field to store the selected Service Endpoint IP
	EndpointIPField = binding.NewRegField(3, 0, 31)
	// Field to store the conjunction ID which is for rule in Antrea Policy. It shares the same register with EndpointIPField,
	// since the service selection will finish when a packet hitting NetworkPolicy related rules.
	APConjIDField = binding.NewRegField(3, 0, 31)

	// reg4(NXM_NX_REG4)
	// reg4[0..15]: Field to store the selected Service Endpoint port.
	EndpointPortField = binding.NewRegField(4, 0, 15)
	// reg4[16..18]: Field to store the state of a packet accessing a Service. Marks in this field include:
	//	- 0b001: packet need to do service selection.
	//	- 0b010: packet has done service selection.
	//	- 0b011: packet has done service selection and the selection result needs to be cached.
	ServiceEPStateField = binding.NewRegField(4, 16, 18)
	EpToSelectRegMark   = binding.NewRegMark(ServiceEPStateField, 0b001)
	EpSelectedRegMark   = binding.NewRegMark(ServiceEPStateField, 0b010)
	EpToLearnRegMark    = binding.NewRegMark(ServiceEPStateField, 0b011)
	// reg4[0..18]: Field to store the union value of Endpoint port and Endpoint status. It is used as a single match
	// when needed.
	EpUnionField = binding.NewRegField(4, 0, 18)
	// reg4[19]: Mark to indicate the Service type is NodePort.
	ToNodePortAddressRegMark = binding.NewOneBitRegMark(4, 19)
	// reg4[20]: Field to indicate whether the packet is from local Antrea IPAM Pod. NotAntreaFlexibleIPAMRegMark will
	// be used with RewriteMACRegMark, thus the reg id must not be same due to the limitation of ofnet library.
	AntreaFlexibleIPAMRegMark    = binding.NewOneBitRegMark(4, 20)
	NotAntreaFlexibleIPAMRegMark = binding.NewOneBitZeroRegMark(4, 20)
	// reg4[21]: Mark to indicate whether the packet is to a Service's external IP, like NodePort, LoadBalancerIP or ExternalIP.
	ToExternalAddressRegMark = binding.NewOneBitRegMark(4, 21)
	// reg4[22..23]: Field to store the action of a traffic control rule. Marks in this field include:
	TrafficControlActionField     = binding.NewRegField(4, 22, 23)
	TrafficControlMirrorRegMark   = binding.NewRegMark(TrafficControlActionField, 0b01)
	TrafficControlRedirectRegMark = binding.NewRegMark(TrafficControlActionField, 0b10)
	// reg4[24]: Mark to indicate that whether the Service is backed by Service IPs of other Services.
	NestedServiceRegMark = binding.NewOneBitRegMark(4, 24)
	// reg4[25]: Mark to indicate that whether the Service traffic works in DSR mode.
	DSRServiceRegMark    = binding.NewOneBitRegMark(4, 25)
	NotDSRServiceRegMark = binding.NewOneBitZeroRegMark(4, 25)
	// reg4[26]: Mark to indicate that whether a remote non-hostNetwork Endpoint is selected.
	RemoteEndpointRegMark = binding.NewOneBitRegMark(4, 26)
	// reg4[27]: Mark to indicate that whether the traffic's source is an external IP.
	// If a packet is from gateway but its source IP is not the gateway IP, it's considered external sourced traffic.
	// The masquerade rule in iptables nat table guarantees the other IPs of the Node won't be used as source IP when
	// the Node's traffic is forwarded to OVS. And even if there is no masquerade rule, there should be no problem to
	// consider the packet external sourced as the other IPs are routable externally anyway.
	FromExternalRegMark = binding.NewOneBitRegMark(4, 27)

	// reg5(NXM_NX_REG5)
	// Field to cache the Egress conjunction ID hit by TraceFlow packet.
	TFEgressConjIDField = binding.NewRegField(5, 0, 31)

	// reg6(NXM_NX_REG6)
	// Field to store the Ingress conjunction ID hit by TraceFlow packet.
	TFIngressConjIDField = binding.NewRegField(6, 0, 31)

	// reg7(NXM_NX_REG7)
	// Field to store the GroupID corresponding to the Service.
	ServiceGroupIDField = binding.NewRegField(7, 0, 31)

	// reg8(NXM_NX_REG8)
	// Field to store the VLAN ID. Valid value is 0~4094. value=0 indicates packet without 802.1q header.
	// VLANIDField for all incoming IP/IPv6 traffic with VLAN must be set explicitly at ClassifierTable or SpoofGuardTable.
	VLANIDField = binding.NewRegField(8, 0, 11)
	// Field to store the CtZone type.
	// CtZoneTypeField for all incoming IP/IPv6 traffic must be set explicitly at ClassifierTable or SpoofGuardTable.
	CtZoneTypeField       = binding.NewRegField(8, 12, 15)
	IPCtZoneTypeRegMark   = binding.NewRegMark(CtZoneTypeField, 0b0001)
	IPv6CtZoneTypeRegMark = binding.NewRegMark(CtZoneTypeField, 0b0011)
	// Field to store the CtZone ID, which is a combination of VLANIDField and CtZoneTypeField to indicate CtZone for DstNAT.
	CtZoneField = binding.NewRegField(8, 0, 15)

	// reg9(NXM_NX_REG9)
	// Field to cache the ofPort of the OVS interface to output traffic control packets.
	TrafficControlTargetOFPortField = binding.NewRegField(9, 0, 31)
)

Fields using reg.

View Source
var (

	// CTMark (NXM_NX_CT_MARK)
	// CTMark[0..3]: Field to mark the source of the connection. This field has the same bits and positions as PktSourceField
	// for persisting the value from reg0 to CTMark when committing the first packet of the connection with CT action.
	// This CT mark is only used in CtZone / CtZoneV6.
	ConnSourceCTMarkField = binding.NewCTMarkField(0, 3)
	FromGatewayCTMark     = binding.NewCTMark(ConnSourceCTMarkField, gatewayVal)
	FromBridgeCTMark      = binding.NewCTMark(ConnSourceCTMarkField, bridgeVal)

	// CTMark[4]: Marks to indicate whether DNAT is performed on the connection for Service.
	// These CT marks are used in CtZone / CtZoneV6 and SNATCtZone / SNATCtZoneV6.
	ServiceCTMark    = binding.NewOneBitCTMark(4)
	NotServiceCTMark = binding.NewOneBitZeroCTMark(4)

	// CTMark[5]: Mark to indicate SNAT is performed on the connection for Service.
	// This CT mark is only used in CtZone / CtZoneV6.
	ConnSNATCTMark = binding.NewOneBitCTMark(5)

	// CTMark[6]: Mark to indicate the connection is hairpin.
	// This CT mark is used in CtZone / CtZoneV6 and SNATCtZone / SNATCtZoneV6.
	HairpinCTMark = binding.NewOneBitCTMark(6)

	// CTMark[7]: Mark to indicate the connection should be redirected to an application-aware engine. This mark is only
	// for L7 NetworkPolicy.
	// This CT mark is used in CtZone / CtZoneV6.
	L7NPRedirectCTMark = binding.NewOneBitCTMark(7)
)

Marks using CT.

View Source
var (
	// Field to store the ingress rule ID.
	IngressRuleCTLabel = binding.NewCTLabel(0, 31)

	// Field to store the egress rule ID.
	EgressRuleCTLabel = binding.NewCTLabel(32, 63)

	// Field to store the VLAN ID allocated for a L7 NetworkPolicy rule.
	L7NPRuleVlanIDCTLabel = binding.NewCTLabel(64, 75)
)

Fields using CT label.

View Source
var (
	MatchDstIP          = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_dst")
	MatchSrcIP          = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_src")
	MatchDstIPNet       = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_dst")
	MatchSrcIPNet       = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_src")
	MatchCTDstIP        = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "ct_nw_dst")
	MatchCTSrcIP        = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "ct_nw_src")
	MatchCTDstIPNet     = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "ct_nw_dst")
	MatchCTSrcIPNet     = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "ct_nw_src")
	MatchDstIPv6        = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_dst")
	MatchSrcIPv6        = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_src")
	MatchDstIPNetv6     = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_dst")
	MatchSrcIPNetv6     = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_src")
	MatchCTDstIPv6      = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ct_ipv6_dst")
	MatchCTSrcIPv6      = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ct_ipv6_src")
	MatchCTDstIPNetv6   = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ct_ipv6_dst")
	MatchCTSrcIPNetv6   = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ct_ipv6_src")
	MatchDstOFPort      = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "reg1[0..31]")
	MatchSrcOFPort      = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "in_port")
	MatchTCPDstPort     = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_dst")
	MatchTCPv6DstPort   = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_dst")
	MatchUDPDstPort     = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_dst")
	MatchUDPv6DstPort   = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_dst")
	MatchSCTPDstPort    = types.NewMatchKey(binding.ProtocolSCTP, types.L4PortAddr, "tp_dst")
	MatchSCTPv6DstPort  = types.NewMatchKey(binding.ProtocolSCTPv6, types.L4PortAddr, "tp_dst")
	MatchSCTPSrcPort    = types.NewMatchKey(binding.ProtocolSCTP, types.L4PortAddr, "tp_src")
	MatchSCTPv6SrcPort  = types.NewMatchKey(binding.ProtocolSCTPv6, types.L4PortAddr, "tp_src")
	MatchTCPSrcPort     = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_src")
	MatchTCPv6SrcPort   = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_src")
	MatchUDPSrcPort     = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_src")
	MatchUDPv6SrcPort   = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_src")
	MatchICMPType       = types.NewMatchKey(binding.ProtocolICMP, types.ICMPAddr, "icmp_type")
	MatchICMPCode       = types.NewMatchKey(binding.ProtocolICMP, types.ICMPAddr, "icmp_code")
	MatchICMPv6Type     = types.NewMatchKey(binding.ProtocolICMPv6, types.ICMPAddr, "icmpv6_type")
	MatchICMPv6Code     = types.NewMatchKey(binding.ProtocolICMPv6, types.ICMPAddr, "icmpv6_code")
	MatchServiceGroupID = types.NewMatchKey(binding.ProtocolIP, types.ServiceGroupIDAddr, "reg7[0..31]")
	MatchIGMPProtocol   = types.NewMatchKey(binding.ProtocolIGMP, types.IGMPAddr, "igmp")
	MatchLabelID        = types.NewMatchKey(binding.ProtocolIP, types.LabelIDAddr, "tun_id")
	MatchTCPFlags       = types.NewMatchKey(binding.ProtocolTCP, types.TCPFlagsAddr, "tcp_flags")
	MatchTCPv6Flags     = types.NewMatchKey(binding.ProtocolTCPv6, types.TCPFlagsAddr, "tcp_flags")
	// MatchCTState should be used with ct_state condition as matchValue.
	// MatchValue example: `+rpl+trk`.
	MatchCTState = types.NewMatchKey(binding.ProtocolIP, types.CTStateAddr, "ct_state")
	Unsupported  = types.NewMatchKey(binding.ProtocolIP, types.UnSupported, "unknown")
)
View Source
var (

	// PipelineRootClassifierTable is the only table of pipelineRoot at this moment and its table ID should be 0. Packets
	// are forwarded to pipelineIP or pipelineARP in this table.
	PipelineRootClassifierTable = newTable("PipelineRootClassifier", stageStart, pipelineRoot, defaultDrop)

	// Tables in stageValidation:
	ARPSpoofGuardTable = newTable("ARPSpoofGuard", stageValidation, pipelineARP, defaultDrop)

	// Tables in stageOutput:
	ARPResponderTable = newTable("ARPResponder", stageOutput, pipelineARP)

	// Tables in stageClassifier:
	ClassifierTable = newTable("Classifier", stageClassifier, pipelineIP, defaultDrop)

	// Tables in stageValidation:
	SpoofGuardTable           = newTable("SpoofGuard", stageValidation, pipelineIP, defaultDrop)
	IPv6Table                 = newTable("IPv6", stageValidation, pipelineIP)
	PipelineIPClassifierTable = newTable("PipelineIPClassifier", stageValidation, pipelineIP)

	// Tables in stageConntrackState:
	UnSNATTable         = newTable("UnSNAT", stageConntrackState, pipelineIP)
	ConntrackTable      = newTable("ConntrackZone", stageConntrackState, pipelineIP)
	ConntrackStateTable = newTable("ConntrackState", stageConntrackState, pipelineIP)

	// Tables in stagePreRouting:
	// When proxy is enabled.
	PreRoutingClassifierTable = newTable("PreRoutingClassifier", stagePreRouting, pipelineIP)
	NodePortMarkTable         = newTable("NodePortMark", stagePreRouting, pipelineIP)
	SessionAffinityTable      = newTable("SessionAffinity", stagePreRouting, pipelineIP)
	ServiceLBTable            = newTable("ServiceLB", stagePreRouting, pipelineIP)
	DSRServiceMarkTable       = newTable("DSRServiceMark", stagePreRouting, pipelineIP)
	EndpointDNATTable         = newTable("EndpointDNAT", stagePreRouting, pipelineIP)
	// When proxy is disabled.
	DNATTable = newTable("DNAT", stagePreRouting, pipelineIP)

	// Tables in stageEgressSecurity:
	EgressSecurityClassifierTable = newTable("EgressSecurityClassifier", stageEgressSecurity, pipelineIP)
	AntreaPolicyEgressRuleTable   = newTable("AntreaPolicyEgressRule", stageEgressSecurity, pipelineIP)
	EgressRuleTable               = newTable("EgressRule", stageEgressSecurity, pipelineIP)
	EgressDefaultTable            = newTable("EgressDefaultRule", stageEgressSecurity, pipelineIP)
	EgressMetricTable             = newTable("EgressMetric", stageEgressSecurity, pipelineIP)

	// Tables in stageRouting:
	L3ForwardingTable = newTable("L3Forwarding", stageRouting, pipelineIP)
	EgressMarkTable   = newTable("EgressMark", stageRouting, pipelineIP)
	L3DecTTLTable     = newTable("L3DecTTL", stageRouting, pipelineIP)

	// Tables in stagePostRouting:
	SNATMarkTable = newTable("SNATMark", stagePostRouting, pipelineIP)
	SNATTable     = newTable("SNAT", stagePostRouting, pipelineIP)

	// Tables in stageSwitching:
	L2ForwardingCalcTable = newTable("L2ForwardingCalc", stageSwitching, pipelineIP)
	TrafficControlTable   = newTable("TrafficControl", stageSwitching, pipelineIP)

	// Tables in stageIngressSecurity:
	IngressSecurityClassifierTable = newTable("IngressSecurityClassifier", stageIngressSecurity, pipelineIP)
	AntreaPolicyIngressRuleTable   = newTable("AntreaPolicyIngressRule", stageIngressSecurity, pipelineIP)
	IngressRuleTable               = newTable("IngressRule", stageIngressSecurity, pipelineIP)
	IngressDefaultTable            = newTable("IngressDefaultRule", stageIngressSecurity, pipelineIP)
	IngressMetricTable             = newTable("IngressMetric", stageIngressSecurity, pipelineIP)

	// Tables in stageConntrack:
	ConntrackCommitTable = newTable("ConntrackCommit", stageConntrack, pipelineIP)

	// Tables in stageOutput:
	VLANTable   = newTable("VLAN", stageOutput, pipelineIP)
	OutputTable = newTable("Output", stageOutput, pipelineIP)

	// Tables of pipelineMulticast are declared below. Do don't declare any tables of other pipelines here!
	// Tables in stageEgressSecurity:
	// Since IGMP Egress rules only support IGMP report which is handled by packetIn, it is not necessary to add
	// MulticastIGMPEgressMetricTable here.
	MulticastEgressRuleTable   = newTable("MulticastEgressRule", stageEgressSecurity, pipelineMulticast)
	MulticastEgressMetricTable = newTable("MulticastEgressMetric", stageEgressSecurity, pipelineMulticast)

	MulticastEgressPodMetricTable = newTable("MulticastEgressPodMetric", stageEgressSecurity, pipelineMulticast)

	// Tables in stageRouting:
	MulticastRoutingTable = newTable("MulticastRouting", stageRouting, pipelineMulticast)
	// Tables in stageIngressSecurity
	MulticastIngressRuleTable      = newTable("MulticastIngressRule", stageIngressSecurity, pipelineMulticast)
	MulticastIngressMetricTable    = newTable("MulticastIngressMetric", stageIngressSecurity, pipelineMulticast)
	MulticastIngressPodMetricTable = newTable("MulticastIngressPodMetric", stageIngressSecurity, pipelineMulticast)
	// Tables in stageOutput
	MulticastOutputTable = newTable("MulticastOutput", stageOutput, pipelineMulticast)

	// NonIPTable is used when Antrea Agent is running on an external Node. It forwards the non-IP packet
	// between the uplink and its pair port directly.
	NonIPTable = newTable("NonIP", stageClassifier, pipelineNonIP, defaultDrop)
)
View Source
var DispositionToString = map[uint32]string{
	DispositionAllow: "Allow",
	DispositionDrop:  "Drop",
	DispositionRej:   "Reject",
	DispositionPass:  "Pass",
}
View Source
var (
	// xxreg3(NXM_NX_XXREG3)
	// xxreg3: Field to cache Endpoint IPv6 address. It occupies reg12-reg15 in the meanwhile.
	EndpointIP6Field = binding.NewXXRegField(3, 0, 127)
)

Fields using xxreg.

View Source
var (
	GlobalVirtualMAC, _ = net.ParseMAC("aa:bb:cc:dd:ee:ff")
)
View Source
var GlobalVirtualMACForMulticluster, _ = net.ParseMAC("aa:bb:cc:dd:ee:f0")

GlobalVirtualMACForMulticluster is a vritual MAC which will be used only for cross-cluster traffic to distinguish from in-cluster traffic.

Functions

func CleanOFTableCache added in v1.6.0

func CleanOFTableCache()

CleanOFTableCache is used to reset ofTableCache and only used in integration tests. When all integration tests about openflow run in batch, unexpected flows could be installed on OVS due to stale ofTableCache, which may cause some tests to fail. For example, for TestFuncA, EgressMarkTable is needed; for TestFuncB, EgressMarkTable is not needed. If TestFuncB is run after TestFuncA, since ofTableCache (EgressMarkTable is added by TestFuncA) is not reset, default flow of EgressMarkTable will also be realized on OVS when running TestFuncB (see "func (c *client) defaultFlows() (flows []binding.Flow)"). Note that, the unexpected flows are not included in the map tableCache of OFBridge defined in pkg/ovs/openflow/ofctrl_bridge.go, because the bridge will be destroyed after every test. For some tests, function checkOVSFlowMetrics (defined in test/integration/agent/openflow_test.go) is used to check the flow number of every installed table. The expected table list is read from the map tableCache of OFBridge, but the actual table list is dumped from OVS bridge (including the unexpected flow). They are different, and as a result, TestFuncB will fail.

func GetEthernetPacket added in v1.11.0

func GetEthernetPacket(pktIn *ofctrl.PacketIn) (*protocol.Ethernet, error)

func GetFlowModMessages added in v1.12.0

func GetFlowModMessages(flows []binding.Flow, op binding.OFOperation) []*openflow15.FlowMod

func GetFlowTableID added in v1.4.0

func GetFlowTableID(tableName string) uint8

GetFlowTableID does a case insensitive lookup of the table name, and returns the flow table number if the table is found. Otherwise TableIDAll is returned if the table cannot be found.

func GetFlowTableName

func GetFlowTableName(tableID uint8) string

GetFlowTableName returns the flow table name given the table ID. An empty string is returned if the table cannot be found.

func GetInfoInReg added in v1.11.0

func GetInfoInReg(regMatch *ofctrl.MatchField, rng *openflow15.NXRange) (uint32, error)

func GetMatchFieldByRegID added in v1.8.0

func GetMatchFieldByRegID(matchers *ofctrl.Matchers, regID int) *ofctrl.MatchField

func GetTableList added in v1.4.0

func GetTableList() []binding.Table

func InitMockTables added in v1.6.0

func InitMockTables(tableMap map[*Table]uint8)

InitMockTables is used to init mock tables.

func InitOFTableCache added in v1.11.0

func InitOFTableCache(tableMap map[*Table]uint8)

InitOFTableCache is used to update ofTableCache in tests.

func NewClient

func NewClient(bridgeName string,
	mgmtAddr string,
	nodeIPCheck nodeip.Checker,
	enableProxy bool,
	enableAntreaPolicy bool,
	enableL7NetworkPolicy bool,
	enableEgress bool,
	enableDenyTracking bool,
	proxyAll bool,
	enableDSR bool,
	connectUplinkToBridge bool,
	enableMulticast bool,
	enableTrafficControl bool,
	enableMulticluster bool,
	groupIDAllocator GroupAllocator,
	enablePrometheusMetrics bool,
) *client

NewClient is the constructor of the Client interface.

func ResetOFTable added in v1.6.0

func ResetOFTable()

ResetOFTable is used for integration tests.

func SendRejectPacketOut added in v1.11.0

func SendRejectPacketOut(ofClient Client,
	srcMAC string,
	dstMAC string,
	srcIP string,
	dstIP string,
	inPort uint32,
	outPort uint32,
	isIPv6 bool,
	ethernetPkt *protocol.Ethernet,
	proto uint8,
	mutateFunc func(binding.PacketOutBuilder) binding.PacketOutBuilder) error

Types

type CTIPAddress added in v1.8.0

type CTIPAddress net.IP

CT IP address calculated from Pod's address.

func NewCTIPAddress added in v1.8.0

func NewCTIPAddress(addr net.IP) *CTIPAddress

func (*CTIPAddress) GetMatchKey added in v1.8.0

func (a *CTIPAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*CTIPAddress) GetMatchValue added in v1.8.0

func (a *CTIPAddress) GetMatchValue() string

func (*CTIPAddress) GetValue added in v1.8.0

func (a *CTIPAddress) GetValue() interface{}

type CTIPNetAddress added in v1.8.0

type CTIPNetAddress net.IPNet

CT IP block calculated from Pod's address.

func NewCTIPNetAddress added in v1.8.0

func NewCTIPNetAddress(addr net.IPNet) *CTIPNetAddress

func (*CTIPNetAddress) GetMatchKey added in v1.8.0

func (a *CTIPNetAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*CTIPNetAddress) GetMatchValue added in v1.8.0

func (a *CTIPNetAddress) GetMatchValue() string

func (*CTIPNetAddress) GetValue added in v1.8.0

func (a *CTIPNetAddress) GetValue() interface{}

type Client

type Client interface {
	// Initialize sets up all basic flows on the specific OVS bridge. It returns a channel which
	// is used to notify the caller in case of a reconnection, in which case ReplayFlows should
	// be called to ensure that the set of OVS flows is correct. All flows programmed in the
	// switch which match the current round number will be deleted before any new flow is
	// installed.
	Initialize(roundInfo types.RoundInfo,
		config *config.NodeConfig,
		networkConfig *config.NetworkConfig,
		egressConfig *config.EgressConfig,
		serviceConfig *config.ServiceConfig,
		l7NetworkPolicyConfig *config.L7NetworkPolicyConfig) (<-chan struct{}, error)

	// InstallNodeFlows should be invoked when a connection to a remote Node is going to be set
	// up. The hostname is used to identify the added flows. When IPsec tunnel is enabled,
	// ipsecTunOFPort must be set to the OFPort number of the IPsec tunnel port to the remote Node;
	// otherwise ipsecTunOFPort must be set to 0.
	// InstallNodeFlows has all-or-nothing semantics(call succeeds if all the flows are installed
	// successfully, otherwise no flows will be installed). Calls to InstallNodeFlows are idempotent.
	// Concurrent calls to InstallNodeFlows and / or UninstallNodeFlows are supported as long as they
	// are all for different hostnames.
	InstallNodeFlows(
		hostname string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP *utilip.DualStackIPs,
		ipsecTunOFPort uint32,
		peerNodeMAC net.HardwareAddr) error

	// UninstallNodeFlows removes the connection to the remote Node specified with the
	// hostname. UninstallNodeFlows will do nothing if no connection to the host was established.
	UninstallNodeFlows(hostname string) error

	// InstallPodFlows should be invoked when a connection to a Pod on current Node. The
	// interfaceName is used to identify the added flows. InstallPodFlows has all-or-nothing
	// semantics(call succeeds if all the flows are installed successfully, otherwise no
	// flows will be installed). Calls to InstallPodFlows are idempotent. Concurrent calls
	// to InstallPodFlows and / or UninstallPodFlows are supported as long as they are all
	// for different interfaceNames.
	InstallPodFlows(interfaceName string, podInterfaceIPs []net.IP, podInterfaceMAC net.HardwareAddr, ofPort uint32, vlanID uint16, labelID *uint32) error

	// UninstallPodFlows removes the connection to the local Pod specified with the
	// interfaceName. UninstallPodFlows will do nothing if no connection to the Pod was established.
	UninstallPodFlows(interfaceName string) error

	// InstallServiceGroup installs a group for Service LB. Each endpoint
	// is a bucket of the group. For now, each bucket has the same weight.
	InstallServiceGroup(groupID binding.GroupIDType, withSessionAffinity bool, endpoints []proxy.Endpoint) error
	// UninstallServiceGroup removes the group and its buckets that are
	// installed by InstallServiceGroup.
	UninstallServiceGroup(groupID binding.GroupIDType) error

	// InstallEndpointFlows installs flows for accessing Endpoints.
	// If an Endpoint is on the current Node, then flows for hairpin and endpoint
	// L2 forwarding should also be installed.
	InstallEndpointFlows(protocol binding.Protocol, endpoints []proxy.Endpoint) error
	// UninstallEndpointFlows removes flows of the Endpoint installed by
	// InstallEndpointFlows.
	UninstallEndpointFlows(protocol binding.Protocol, endpoints []proxy.Endpoint) error

	// InstallServiceFlows installs flows for accessing Service NodePort, LoadBalancer, ExternalIP and ClusterIP. It
	// installs the flow that uses the group/bucket to do Service LB. If the affinityTimeout is not zero, it also
	// installs the flow which has a learn action to maintain the LB decision. The group with the groupID must be
	// installed before, otherwise the installation will fail.
	// For an external IP with Local traffic policy (IsExternal == true and TrafficPolicyLocal == true), it also
	// installs the flow to implement short-circuiting for internally originated traffic towards external IPs.
	InstallServiceFlows(config *types.ServiceConfig) error
	// UninstallServiceFlows removes flows installed by InstallServiceFlows.
	UninstallServiceFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error

	// GetFlowTableStatus should return an array of flow table status, all existing flow tables should be included in the list.
	GetFlowTableStatus() []binding.TableStatus

	// InstallPolicyRuleFlows installs flows for a new NetworkPolicy rule. Rule should include all fields in the
	// NetworkPolicy rule. Each ingress/egress policy rule installs Openflow entries on two tables, one for
	// ruleTable and the other for dropTable. If a packet does not pass the ruleTable, it will be dropped by the
	// dropTable.
	InstallPolicyRuleFlows(ofPolicyRule *types.PolicyRule) error

	// BatchInstallPolicyRuleFlows installs multiple flows for NetworkPolicy rules in batch.
	BatchInstallPolicyRuleFlows(ofPolicyRules []*types.PolicyRule) error

	// UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule.
	// It also returns a slice of stale ofPriorities used by ClusterNetworkPolicies.
	// UninstallPolicyRuleFlows will do nothing if no Openflow entry for the rule is installed.
	UninstallPolicyRuleFlows(ruleID uint32) ([]string, error)

	// AddPolicyRuleAddress adds one or multiple addresses to the specified NetworkPolicy rule. If addrType is true, the
	// addresses are added to PolicyRule.From, else to PolicyRule.To.
	AddPolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16, enableLogging, isMCNPRule bool) error

	// DeletePolicyRuleAddress removes addresses from the specified NetworkPolicy rule. If addrType is srcAddress, the addresses
	// are removed from PolicyRule.From, else from PolicyRule.To.
	DeletePolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error

	// InstallSNATMarkFlows installs flows for a local SNAT IP. On Linux, a
	// single flow is added to mark the packets tunnelled from remote Nodes
	// that should be SNAT'd with the SNAT IP.
	InstallSNATMarkFlows(snatIP net.IP, mark uint32) error

	// UninstallSNATMarkFlows removes the flows installed to set the packet
	// mark for a SNAT IP.
	UninstallSNATMarkFlows(mark uint32) error

	// InstallPodSNATFlows installs the SNAT flows for a local Pod. If the
	// SNAT IP for the Pod is on the local Node, a non-zero SNAT ID should
	// allocated for the SNAT IP, and the installed flow sets the SNAT IP
	// mark on the egress packets from the ofPort; if the SNAT IP is on a
	// remote Node, snatMark should be set to 0, and the installed flow
	// tunnels egress packets to the remote Node using the SNAT IP as the
	// tunnel destination, and the packets should be SNAT'd on the remote
	// Node. As of now, a Pod can be configured to use only a single SNAT
	// IP in a single address family (IPv4 or IPv6).
	InstallPodSNATFlows(ofPort uint32, snatIP net.IP, snatMark uint32) error

	// UninstallPodSNATFlows removes the SNAT flows for the local Pod.
	UninstallPodSNATFlows(ofPort uint32) error

	// Disconnect disconnects the connection between client and OFSwitch.
	Disconnect() error

	// IsConnected returns the connection status between client and OFSwitch. The return value is true if the OFSwitch is connected.
	IsConnected() bool

	// ReplayFlows should be called when a spurious disconnection occurs. After we reconnect to
	// the OFSwitch, we need to replay all the flows cached by the client. ReplayFlows will try
	// to replay as many flows as possible, and will log an error when a flow cannot be
	// installed.
	ReplayFlows()

	// DeleteStaleFlows deletes all flows from the previous round which are no longer needed. It
	// should be called by the agent after all required flows have been installed / updated with
	// the new round number.
	DeleteStaleFlows() error

	// GetTunnelVirtualMAC() returns GlobalVirtualMAC used for tunnel traffic.
	GetTunnelVirtualMAC() net.HardwareAddr

	// GetPodFlowKeys returns the keys (match strings) of the cached flows for a
	// Pod.
	GetPodFlowKeys(interfaceName string) []string

	// GetServiceFlowKeys returns the keys (match strings) of the cached
	// flows for a Service (port) and its endpoints.
	GetServiceFlowKeys(svcIP net.IP, svcPort uint16, protocol binding.Protocol, endpoints []proxy.Endpoint) []string

	// GetNetworkPolicyFlowKeys returns the keys (match strings) of the cached
	// flows for a NetworkPolicy. Flows are grouped by policy rules, and duplicated
	// entries can be added due to conjunctive match flows shared by multiple
	// rules.
	GetNetworkPolicyFlowKeys(npName, npNamespace string) []string

	// ReassignFlowPriorities takes a list of priority updates, and update the actionFlows to replace
	// the old priority with the desired one, for each priority update on that table.
	ReassignFlowPriorities(updates map[uint16]uint16, table uint8) error

	// SubscribePacketIn subscribes to packet in messages for the given category. Packets
	// will be placed in the queue and if the queue is full, the packet in messages
	// will be dropped. pktInQueue supports rate-limiting for the consumer, in order to
	// constrain the compute resources that may be used by the consumer.
	SubscribePacketIn(reason uint8, pktInQueue *binding.PacketInQueue) error

	// SendTraceflowPacket injects packet to specified OVS port for Openflow.
	SendTraceflowPacket(dataplaneTag uint8, packet *binding.Packet, inPort uint32, outPort int32) error

	// InstallTraceflowFlows installs flows for a Traceflow request.
	InstallTraceflowFlows(dataplaneTag uint8, liveTraffic, droppedOnly, receiverOnly bool, packet *binding.Packet, ofPort uint32, timeoutSeconds uint16) error

	// UninstallTraceflowFlows uninstalls flows for a Traceflow request.
	UninstallTraceflowFlows(dataplaneTag uint8) error

	// GetPolicyInfoFromConjunction returns the following policy information for the provided conjunction ID:
	// NetworkPolicy reference, OF priority, rule name, label
	// The boolean return value indicates whether the policy information was found.
	GetPolicyInfoFromConjunction(ruleID uint32) (bool, *v1beta2.NetworkPolicyReference, string, string, string)

	// RegisterPacketInHandler uses SubscribePacketIn to get PacketIn message and process received
	// packets through registered handler.
	RegisterPacketInHandler(packetHandlerReason uint8, packetInHandler interface{})

	StartPacketInHandler(stopCh <-chan struct{})
	// Get traffic metrics of each NetworkPolicy rule.
	NetworkPolicyMetrics() map[uint32]*types.RuleMetric

	// Get multicast ingress metrics of each Pod in MulticastIngressPodMetricTable.
	MulticastIngressPodMetrics() map[uint32]*types.RuleMetric
	// Get multicast Pod ingress statistics from MulticastIngressPodMetricTable with specified ofPort.
	MulticastIngressPodMetricsByOFPort(ofPort int32) *types.RuleMetric
	// Get multicast egress metrics of each Pod in MulticastEgressPodMetricTable.
	MulticastEgressPodMetrics() map[string]*types.RuleMetric
	// Get multicast Pod ingress statistics from MulticastEgressPodMetricTable with specified src IP.
	MulticastEgressPodMetricsByIP(ip net.IP) *types.RuleMetric

	// SendTCPPacketOut sends TCP packet as a packet-out to OVS.
	SendTCPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort uint32,
		isIPv6 bool,
		tcpSrcPort uint16,
		tcpDstPort uint16,
		tcpSeqNum uint32,
		tcpAckNum uint32,
		tcpHdrLen uint8,
		tcpFlag uint8,
		tcpWinSize uint16,
		tcpData []byte,
		mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// SendICMPPacketOut sends ICMP packet as a packet-out to OVS.
	SendICMPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort uint32,
		isIPv6 bool,
		icmpType uint8,
		icmpCode uint8,
		icmpData []byte,
		mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// SendUDPPacketOut sends UDP packet as a packet-out to OVS.
	SendUDPPacketOut(
		srcMAC string,
		dstMAC string,
		srcIP string,
		dstIP string,
		inPort uint32,
		outPort uint32,
		isIPv6 bool,
		udpSrcPort uint16,
		udpDstPort uint16,
		udpData []byte,
		mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// SendEthPacketOut sends ethernet packet as a packet-out to OVS.
	SendEthPacketOut(inPort, outPort uint32, ethPkt *protocol.Ethernet, mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error
	// ResumePausePacket resumes a paused packetIn.
	ResumePausePacket(packetIn *ofctrl.PacketIn) error
	// NewDNSPacketInConjunction creates a policyRuleConjunction for the dns response interception flows.
	NewDNSPacketInConjunction(id uint32) error
	// AddAddressToDNSConjunction adds addresses to the toAddresses of the dns packetIn conjunction,
	// so that dns response packets sent towards these addresses will be intercepted and parsed by
	// the fqdnController.
	AddAddressToDNSConjunction(id uint32, addrs []types.Address) error
	// DeleteAddressFromDNSConjunction removes addresses from the toAddresses of the dns packetIn conjunction.
	DeleteAddressFromDNSConjunction(id uint32, addrs []types.Address) error

	// InstallMulticastFlows installs the flow to forward Multicast traffic normally, and output it to antrea-gw0
	// to ensure it can be forwarded to the external addresses.
	InstallMulticastFlows(multicastIP net.IP, groupID binding.GroupIDType) error

	// UninstallMulticastFlows removes the flow matching the given multicastIP.
	UninstallMulticastFlows(multicastIP net.IP) error

	// InstallMulticastRemoteReportFlows installs flows to forward the IGMP report messages to the other Nodes,
	// and packetIn the report messages to Antrea Agent which is received via tunnel port.
	// The OpenFlow group identified by groupID is used to forward packet to all other Nodes in the cluster
	// over tunnel.
	InstallMulticastRemoteReportFlows(groupID binding.GroupIDType) error
	// SendIGMPQueryPacketOut sends the IGMPQuery packet as a packet-out to OVS from the gateway port.
	SendIGMPQueryPacketOut(
		dstMAC net.HardwareAddr,
		dstIP net.IP,
		outPort uint32,
		igmp ofutil.Message) error

	// InstallTrafficControlMarkFlows installs the flows to mark the packets for a traffic control rule.
	InstallTrafficControlMarkFlows(name string, sourceOFPorts []uint32, targetOFPort uint32, direction crdv1alpha2.Direction, action crdv1alpha2.TrafficControlAction) error

	// UninstallTrafficControlMarkFlows removes the flows for a traffic control rule.
	UninstallTrafficControlMarkFlows(name string) error

	// InstallTrafficControlReturnPortFlow installs the flow to classify the packets from a return port.
	InstallTrafficControlReturnPortFlow(returnOFPort uint32) error

	// UninstallTrafficControlReturnPortFlow removes the flow to classify the packets from a return port.
	UninstallTrafficControlReturnPortFlow(returnOFPort uint32) error

	InstallMulticastGroup(ofGroupID binding.GroupIDType, localReceivers []uint32, remoteNodeReceivers []net.IP) error
	// UninstallMulticastGroup removes the group and its buckets that are
	// installed by InstallMulticastGroup.
	UninstallMulticastGroup(groupID binding.GroupIDType) error

	// SendIGMPRemoteReportPacketOut sends the IGMP report packet as a packet-out to remote Nodes via the tunnel port.
	SendIGMPRemoteReportPacketOut(
		dstMAC net.HardwareAddr,
		dstIP net.IP,
		igmp ofutil.Message) error

	// InstallMulticlusterNodeFlows installs flows to handle cross-cluster packets between a regular
	// Node and a local Gateway.
	InstallMulticlusterNodeFlows(
		clusterID string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP net.IP,
		enableStretchedNetworkPolicy bool) error

	// InstallMulticlusterGatewayFlows installs flows to handle cross-cluster packets between Gateways.
	InstallMulticlusterGatewayFlows(
		clusterID string,
		peerConfigs map[*net.IPNet]net.IP,
		tunnelPeerIP net.IP,
		localGatewayIP net.IP,
		enableStretchedNetworkPolicy bool) error

	// InstallMulticlusterClassifierFlows installs flows to classify cross-cluster packets.
	InstallMulticlusterClassifierFlows(tunnelOFPort uint32, isGateway bool) error

	// InstallMulticlusterPodFlows installs flows to handle cross-cluster packets from Multi-cluster Gateway to
	// regular Nodes.
	InstallMulticlusterPodFlows(podIP net.IP, tunnelPeerIP net.IP) error

	// UninstallMulticlusterFlows removes cross-cluster flows matching the given cache key on
	// a regular Node or a Gateway.
	UninstallMulticlusterFlows(clusterID string) error

	// UninstallMulticlusterPodFlows removes Pod flows matching the given cache key on
	// a Gateway. When the podIP is empty, all Pod flows will be removed.
	UninstallMulticlusterPodFlows(podIP string) error

	// InstallVMUplinkFlows installs flows to forward packet between uplinkPort and hostPort. On a VM, the
	// uplink and host internal port are paired directly, and no layer 2/3 forwarding flow is installed.
	InstallVMUplinkFlows(hostInterfaceName string, hostPort int32, uplinkPort int32) error

	// UninstallVMUplinkFlows removes the flows installed to forward packet between uplinkPort and hostPort.
	UninstallVMUplinkFlows(hostInterfaceName string) error

	// InstallPolicyBypassFlows installs flows to bypass the NetworkPolicy rules on the traffic with the given ipnet
	// or ip, port, protocol and direction. It is used to bypass NetworkPolicy enforcement on a VM for the particular
	// traffic.
	InstallPolicyBypassFlows(protocol binding.Protocol, ipNet *net.IPNet, port uint16, isIngress bool) error
}

Client is the interface to program OVS flows for entity connectivity of Antrea.

type ConjunctionNotFound

type ConjunctionNotFound uint32

ConjunctionNotFound is an error response when the specified policyRuleConjunction is not found from the local cache.

func (*ConjunctionNotFound) Error

func (e *ConjunctionNotFound) Error() string

type GroupAllocator added in v1.6.0

type GroupAllocator interface {
	Allocate() binding.GroupIDType
	Next() binding.GroupIDType
	Release(id binding.GroupIDType)
}

func NewGroupAllocator added in v1.6.0

func NewGroupAllocator() GroupAllocator

type IPAddress

type IPAddress net.IP

IP address calculated from Pod's address.

func NewIPAddress

func NewIPAddress(addr net.IP) *IPAddress

func (*IPAddress) GetMatchKey

func (a *IPAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*IPAddress) GetMatchValue

func (a *IPAddress) GetMatchValue() string

func (*IPAddress) GetValue

func (a *IPAddress) GetValue() interface{}

type IPNetAddress

type IPNetAddress net.IPNet

IP block calculated from Pod's address.

func NewIPNetAddress

func NewIPNetAddress(addr net.IPNet) *IPNetAddress

func (*IPNetAddress) GetMatchKey

func (a *IPNetAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*IPNetAddress) GetMatchValue

func (a *IPNetAddress) GetMatchValue() string

func (*IPNetAddress) GetValue

func (a *IPNetAddress) GetValue() interface{}

type LabelIDAddress added in v1.10.0

type LabelIDAddress uint32

func NewLabelIDAddress added in v1.10.0

func NewLabelIDAddress(labelID uint32) *LabelIDAddress

func (*LabelIDAddress) GetMatchKey added in v1.10.0

func (a *LabelIDAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*LabelIDAddress) GetMatchValue added in v1.10.0

func (a *LabelIDAddress) GetMatchValue() string

func (*LabelIDAddress) GetValue added in v1.10.0

func (a *LabelIDAddress) GetValue() interface{}

type OFEntryOperations

type OFEntryOperations interface {
	AddAll(flows []*openflow15.FlowMod) error
	ModifyAll(flows []*openflow15.FlowMod) error
	BundleOps(adds, mods, dels []*openflow15.FlowMod) error
	DeleteAll(flows []*openflow15.FlowMod) error
	AddOFEntries(ofEntries []binding.OFEntry) error
	ModifyOFEntries(ofEntries []binding.OFEntry) error
	DeleteOFEntries(ofEntries []binding.OFEntry) error
}

type OFPortAddress

type OFPortAddress int32

OFPortAddress is the Openflow port of an interface.

func NewOFPortAddress

func NewOFPortAddress(addr int32) *OFPortAddress

func (*OFPortAddress) GetMatchKey

func (a *OFPortAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*OFPortAddress) GetMatchValue

func (a *OFPortAddress) GetMatchValue() string

func (*OFPortAddress) GetValue

func (a *OFPortAddress) GetValue() interface{}

type Option added in v1.6.0

type Option func(*Table)

Option is a modifier for Table.

type PacketInHandler

type PacketInHandler interface {
	// HandlePacketIn should not modify the input pktIn and should not
	// assume that the pktIn contents(e.g. NWSrc/NWDst) will not be
	// modified at a later time.
	HandlePacketIn(pktIn *ofctrl.PacketIn) error
}

type ServiceGroupIDAddress added in v1.4.0

type ServiceGroupIDAddress binding.GroupIDType

func NewServiceGroupIDAddress added in v1.4.0

func NewServiceGroupIDAddress(groupID binding.GroupIDType) *ServiceGroupIDAddress

func (*ServiceGroupIDAddress) GetMatchKey added in v1.4.0

func (a *ServiceGroupIDAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey

func (*ServiceGroupIDAddress) GetMatchValue added in v1.4.0

func (a *ServiceGroupIDAddress) GetMatchValue() string

func (*ServiceGroupIDAddress) GetValue added in v1.4.0

func (a *ServiceGroupIDAddress) GetValue() interface{}

type TCPFlags added in v1.11.0

type TCPFlags struct {
	Flag uint16
	Mask uint16
}

type Table added in v1.6.0

type Table struct {
	// contains filtered or unexported fields
}

Table in FlexiblePipeline is the basic unit to build OVS pipelines. A Table can be referenced by one or more features, but its member struct ofTable will be initialized and realized on OVS only when it is referenced by any activated features.

func GetAntreaIGMPIngressTables added in v1.7.0

func GetAntreaIGMPIngressTables() []*Table

func GetAntreaMulticastEgressTables added in v1.7.0

func GetAntreaMulticastEgressTables() []*Table

func GetAntreaPolicyBaselineTierTables

func GetAntreaPolicyBaselineTierTables() []*Table

func GetAntreaPolicyEgressTables

func GetAntreaPolicyEgressTables() []*Table

func GetAntreaPolicyIngressTables

func GetAntreaPolicyIngressTables() []*Table

func GetAntreaPolicyMultiTierTables

func GetAntreaPolicyMultiTierTables() []*Table

func (*Table) GetID added in v1.6.0

func (t *Table) GetID() uint8

func (*Table) GetMissAction added in v1.6.0

func (t *Table) GetMissAction() binding.MissActionType

func (*Table) GetName added in v1.6.0

func (t *Table) GetName() string

func (*Table) GetNext added in v1.6.0

func (t *Table) GetNext() uint8

Directories

Path Synopsis
Package cookie implements a cookie allocator.
Package cookie implements a cookie allocator.
Package testing is a generated GoMock package.
Package testing is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL