Documentation ¶
Index ¶
- Constants
- Variables
- func GetAntreaPolicyBaselineTierTables() []binding.Table
- func GetAntreaPolicyEgressTables() []binding.Table
- func GetAntreaPolicyIngressTables() []binding.Table
- func GetAntreaPolicyMultiTierTables() []binding.Table
- func GetFlowTableID(tableName string) uint8
- func GetFlowTableName(tableID uint8) string
- func GetTableList() []binding.Table
- type Client
- type ConjunctionNotFound
- type IPAddress
- type IPNetAddress
- type OFEntryOperations
- type OFPortAddress
- type PacketInHandler
- type ServiceGroupIDAddress
Constants ¶
const ( // We use OpenFlow Meter for packet-in rate limiting on OVS side. // Meter Entry ID. PacketInMeterIDNP = 1 PacketInMeterIDTF = 2 // Meter Entry Rate. It is represented as number of events per second. // Packets which exceed the rate will be dropped. PacketInMeterRateNP = 100 PacketInMeterRateTF = 100 // PacketIn reasons PacketInReasonTF ofpPacketInReason = 1 // PacketInReasonNP is used for the custom packetIn reasons for Network Policy, including: Logging, Reject, Deny. // It is also used to mark the DNS Response packet. PacketInReasonNP ofpPacketInReason = 0 // PacketInReasonMC shares PacketInReasonNP for IGMP packet_in message. This is because OVS "controller" action // only correctly supports reason 0 or 1. Change to another value after the OVS action is corrected. PacketInReasonMC = PacketInReasonNP // PacketInQueueSize defines the size of PacketInQueue. // When PacketInQueue reaches PacketInQueueSize, new packet-in will be dropped. PacketInQueueSize = 200 // PacketInQueueRate defines the maximum frequency of getting items from PacketInQueue. // PacketInQueueRate is represented as number of events per second. PacketInQueueRate = 100 )
const ( CtZone = 0xfff0 CtZoneV6 = 0xffe6 SNATCtZone = 0xfff1 SNATCtZoneV6 = 0xffe7 // disposition values used in AP DispositionAllow = 0b00 DispositionDrop = 0b01 DispositionRej = 0b10 DispositionPass = 0b11 // CustomReasonLogging is used when send packet-in to controller indicating this // packet need logging. CustomReasonLogging = 0b01 // CustomReasonReject is not only used when send packet-in to controller indicating // that this packet should be rejected, but also used in the case that when // controller send reject packet as packet-out, we want reject response to bypass // the connTrack to avoid unexpected drop. CustomReasonReject = 0b10 // CustomReasonDeny is used when sending packet-in message to controller indicating // that the corresponding connection has been dropped or rejected. It can be consumed // by the Flow Exporter to export flow records for connections denied by network // policy rules. CustomReasonDeny = 0b100 CustomReasonDNS = 0b1000 CustomReasonIGMP = 0b10000 )
Variables ¶
var ( // reg0 (NXM_NX_REG0) // reg0[0..3]: Field to mark the packet source. Marks in this field include, // - 0: from the tunnel port // - 1: from antrea-gw0 // - 2: from the local Pods // - 4: from the Bridge interface // - 5: from the uplink interface PktSourceField = binding.NewRegField(0, 0, 3, "PacketSource") FromTunnelRegMark = binding.NewRegMark(PktSourceField, fromTunnelVal) FromGatewayRegMark = binding.NewRegMark(PktSourceField, fromGatewayVal) FromLocalRegMark = binding.NewRegMark(PktSourceField, fromLocalVal) FromUplinkRegMark = binding.NewRegMark(PktSourceField, fromUplinkVal) FromBridgeRegMark = binding.NewRegMark(PktSourceField, fromBridgeVal) // reg0[16]: Mark to indicate the ofPort number of an interface is found. OFPortFoundRegMark = binding.NewOneBitRegMark(0, 16, "OFPortFound") // reg0[18]: Mark to indicate the packet needs DNAT to virtual IP. // If a packet uses HairpinRegMark, it will be output to the port where it enters OVS pipeline in L2ForwardingOutTable. HairpinRegMark = binding.NewOneBitRegMark(0, 18, "Hairpin") // reg0[19]: Mark to indicate the packet's MAC address needs to be rewritten. RewriteMACRegMark = binding.NewOneBitRegMark(0, 19, "RewriteMAC") // reg0[20]: Mark to indicate the packet is denied(Drop/Reject). CnpDenyRegMark = binding.NewOneBitRegMark(0, 20, "CNPDeny") // reg0[21..22]: Field to indicate disposition of Antrea Policy. It could have more bits to support more disposition // that Antrea policy support in the future. // Marks in this field include, // - 0b00: allow // - 0b01: drop // - 0b10: reject // - 0b11: pass APDispositionField = binding.NewRegField(0, 21, 22, "APDisposition") DispositionAllowRegMark = binding.NewRegMark(APDispositionField, DispositionAllow) DispositionDropRegMark = binding.NewRegMark(APDispositionField, DispositionDrop) DispositionPassRegMark = binding.NewRegMark(APDispositionField, DispositionPass) // reg0[24..27]: Field to indicate the reasons of sending packet to the controller. // Marks in this field include, // - 0b00001: logging // - 0b00010: reject // - 0b00100: deny (used by Flow Exporter) // - 0b01000: DNS packet (used by FQDN) // - 0b10000: IGMP packet (used by Multicast) CustomReasonField = binding.NewRegField(0, 24, 28, "PacketInReason") CustomReasonLoggingRegMark = binding.NewRegMark(CustomReasonField, CustomReasonLogging) CustomReasonRejectRegMark = binding.NewRegMark(CustomReasonField, CustomReasonReject) CustomReasonDenyRegMark = binding.NewRegMark(CustomReasonField, CustomReasonDeny) CustomReasonDNSRegMark = binding.NewRegMark(CustomReasonField, CustomReasonDNS) CustomReasonIGMPRegMark = binding.NewRegMark(CustomReasonField, CustomReasonIGMP) // reg1(NXM_NX_REG1) // Field to cache the ofPort of the OVS interface where to output packet. TargetOFPortField = binding.NewRegField(1, 0, 31, "TargetOFPort") // ToGatewayRegMark marks that the output interface is Antrea gateway. ToGatewayRegMark = binding.NewRegMark(TargetOFPortField, config.HostGatewayOFPort) // ToBridgeRegMark marks that the output interface is OVS bridge. ToBridgeRegMark = binding.NewRegMark(TargetOFPortField, config.BridgeOFPort) // reg2(NXM_NX_REG2) // Field to help swap values in two different flow fields in the OpenFlow actions. This field is only used in func // `arpResponderStaticFlow`. SwapField = binding.NewRegField(2, 0, 31, "SwapValue") // reg3(NXM_NX_REG3) // Field to store the selected Service Endpoint IP EndpointIPField = binding.NewRegField(3, 0, 31, "EndpointIP") // Field to store the conjunction ID which is for "deny" rule in CNP. It shares the same register with EndpointIPField, // since the service selection will finish when a packet hitting NetworkPolicy related rules. CNPDenyConjIDField = binding.NewRegField(3, 0, 31, "CNPDenyConjunctionID") // reg4(NXM_NX_REG4) // reg4[0..15]: Field to store the selected Service Endpoint port. EndpointPortField = binding.NewRegField(4, 0, 15, "EndpointPort") // reg4[16..18]: Field to store the state of a packet accessing a Service. Marks in this field include, // - 0b001: packet need to do service selection. // - 0b010: packet has done service selection. // - 0b011: packet has done service selection and the selection result needs to be cached. ServiceEPStateField = binding.NewRegField(4, 16, 18, "EndpointState") EpToSelectRegMark = binding.NewRegMark(ServiceEPStateField, 0b001) EpSelectedRegMark = binding.NewRegMark(ServiceEPStateField, 0b010) EpToLearnRegMark = binding.NewRegMark(ServiceEPStateField, 0b011) // reg4[0..18]: Field to store the union value of Endpoint port and Endpoint status. It is used as a single match // when needed. EpUnionField = binding.NewRegField(4, 0, 18, "EndpointUnion") // reg4[19]: Field to mark that whether Service type is NodePort. NodePortAddressField = binding.NewRegField(4, 19, 19, "NodePortAddress") // ToNodePortAddressRegMark marks that the Service type as NodePort. ToNodePortAddressRegMark = binding.NewRegMark(NodePortAddressField, 0b1) // reg4[20]: Field to mark that whether the packet of Service NodePort/LoadBalancer from gateway requires SNAT. ServiceSNATField = binding.NewRegField(4, 20, 20, "ServiceSNAT") // ServiceNeedSNATRegMark marks that the packet of Service NodePort/LoadBalancer requires SNAT. ServiceNeedSNATRegMark = binding.NewRegMark(ServiceSNATField, 0b1) // reg4[16..19]: Field to store the union value of Endpoint state and the mark of whether Service type is NodePort. NodePortUnionField = binding.NewRegField(4, 16, 19, "NodePortUnion") // reg4[21]: Mark to indicate the packet is from local AntreaFlexibleIPAM Pod. // NotAntreaFlexibleIPAMRegMark will be used with RewriteMACRegMark, thus the reg id must not be same due to the limitation of ofnet library. AntreaFlexibleIPAMRegMark = binding.NewOneBitRegMark(4, 21, "AntreaFlexibleIPAM") NotAntreaFlexibleIPAMRegMark = binding.NewOneBitZeroRegMark(4, 21, "AntreaFlexibleIPAM") // reg5(NXM_NX_REG5) // Field to cache the Egress conjunction ID hit by TraceFlow packet. TFEgressConjIDField = binding.NewRegField(5, 0, 31, "TFEgressConjunctionID") // reg6(NXM_NX_REG6) // Field to store the Ingress conjunction ID hit by TraceFlow packet. TFIngressConjIDField = binding.NewRegField(6, 0, 31, "TFIngressConjunctionID") // reg7(NXM_NX_REG7) // Field to store the GroupID corresponding to the Service ServiceGroupIDField = binding.NewRegField(7, 0, 31, "ServiceGroupID") )
Fields using reg.
var ( // CTMark (NXM_NX_CT_MARK) // CTMark[0..3]: Field to mark the source of the connection. This field has the same bits and positions as PktSourceField // for persisting the value from reg0 to CTMark when committing the first packet of the connection with CT action. ConnSourceCTMarkField = binding.NewCTMarkField(0, 3) FromGatewayCTMark = binding.NewCTMark(ConnSourceCTMarkField, fromGatewayVal) FromBridgeCTMark = binding.NewCTMark(ConnSourceCTMarkField, fromBridgeVal) // CTMark[4]: Mark to indicate DNAT is performed on the connection for Service. ServiceCTMark = binding.NewOneBitCTMark(4) )
Marks using CT.
var ( // Field to store the ingress rule ID. IngressRuleCTLabel = binding.NewCTLabel(0, 31, "ingressRuleCTLabel") // Field to store the egress rule ID. EgressRuleCTLabel = binding.NewCTLabel(32, 63, "egressRuleCTLabel") )
Fields using CT label.
var ( MatchDstIP = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_dst") MatchSrcIP = types.NewMatchKey(binding.ProtocolIP, types.IPAddr, "nw_src") MatchDstIPNet = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_dst") MatchSrcIPNet = types.NewMatchKey(binding.ProtocolIP, types.IPNetAddr, "nw_src") MatchDstIPv6 = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_dst") MatchSrcIPv6 = types.NewMatchKey(binding.ProtocolIPv6, types.IPAddr, "ipv6_src") MatchDstIPNetv6 = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_dst") MatchSrcIPNetv6 = types.NewMatchKey(binding.ProtocolIPv6, types.IPNetAddr, "ipv6_src") MatchDstOFPort = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "reg1[0..31]") MatchSrcOFPort = types.NewMatchKey(binding.ProtocolIP, types.OFPortAddr, "in_port") MatchTCPDstPort = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_dst") MatchTCPv6DstPort = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_dst") MatchUDPDstPort = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_dst") MatchUDPv6DstPort = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_dst") MatchSCTPDstPort = types.NewMatchKey(binding.ProtocolSCTP, types.L4PortAddr, "tp_dst") MatchSCTPv6DstPort = types.NewMatchKey(binding.ProtocolSCTPv6, types.L4PortAddr, "tp_dst") MatchTCPSrcPort = types.NewMatchKey(binding.ProtocolTCP, types.L4PortAddr, "tp_src") MatchTCPv6SrcPort = types.NewMatchKey(binding.ProtocolTCPv6, types.L4PortAddr, "tp_src") MatchUDPSrcPort = types.NewMatchKey(binding.ProtocolUDP, types.L4PortAddr, "tp_src") MatchUDPv6SrcPort = types.NewMatchKey(binding.ProtocolUDPv6, types.L4PortAddr, "tp_src") MatchServiceGroupID = types.NewMatchKey(binding.ProtocolIP, types.ServiceGroupIDAddr, "reg7[0..31]") Unsupported = types.NewMatchKey(binding.ProtocolIP, types.UnSupported, "unknown") )
var ( ClassifierTable = binding.NewOFTable(0, "Classification") UplinkTable = binding.NewOFTable(5, "Uplink") SpoofGuardTable = binding.NewOFTable(10, "SpoofGuard") IPv6Table = binding.NewOFTable(21, "IPv6") MulticastTable = binding.NewOFTable(22, "Multicast") ServiceHairpinTable = binding.NewOFTable(23, "ServiceHairpin") ServiceConntrackTable = binding.NewOFTable(24, "ServiceConntrack") // serviceConntrackTable use a new ct_zone to transform SNAT'd connections. ConntrackTable = binding.NewOFTable(30, "ConntrackZone") ConntrackStateTable = binding.NewOFTable(31, "ConntrackState") ServiceClassifierTable = binding.NewOFTable(35, "ServiceClassifier") SessionAffinityTable = binding.NewOFTable(40, "SessionAffinity") DNATTable = binding.NewOFTable(40, "DNAT(SessionAffinity)") ServiceLBTable = binding.NewOFTable(41, "ServiceLB") EndpointDNATTable = binding.NewOFTable(42, "EndpointDNAT") AntreaPolicyEgressRuleTable = binding.NewOFTable(45, "AntreaPolicyEgressRule") DefaultTierEgressRuleTable = binding.NewOFTable(49, "DefaultTierEgressRule") EgressRuleTable = binding.NewOFTable(50, "EgressRule") EgressDefaultTable = binding.NewOFTable(60, "EgressDefaultRule") EgressMetricTable = binding.NewOFTable(61, "EgressMetric") L3ForwardingTable = binding.NewOFTable(70, "L3Forwarding") SNATTable = binding.NewOFTable(71, "SNAT") L3DecTTLTable = binding.NewOFTable(72, "IPTTLDec") L2ForwardingCalcTable = binding.NewOFTable(80, "L2Forwarding") AntreaPolicyIngressRuleTable = binding.NewOFTable(85, "AntreaPolicyIngressRule") DefaultTierIngressRuleTable = binding.NewOFTable(89, "DefaultTierIngressRule") IngressRuleTable = binding.NewOFTable(90, "IngressRule") IngressDefaultTable = binding.NewOFTable(100, "IngressDefaultRule") IngressMetricTable = binding.NewOFTable(101, "IngressMetric") ConntrackCommitTable = binding.NewOFTable(105, "ConntrackCommit") ServiceConntrackCommitTable = binding.NewOFTable(106, "ServiceConntrackCommit") HairpinSNATTable = binding.NewOFTable(108, "HairpinSNAT") L2ForwardingOutTable = binding.NewOFTable(110, "Output") )
var DispositionToString = map[uint32]string{ DispositionAllow: "Allow", DispositionDrop: "Drop", DispositionRej: "Reject", DispositionPass: "Pass", }
var ( // xxreg3(NXM_NX_XXREG3) // xxreg3: Field to cache Endpoint IPv6 address. It occupies reg12-reg15 in the meanwhile. EndpointIP6Field = binding.NewXXRegField(3, 0, 127) )
Fields using xxreg.
var (
GlobalVirtualMAC, _ = net.ParseMAC("aa:bb:cc:dd:ee:ff")
)
Functions ¶
func GetFlowTableID ¶ added in v1.4.0
GetFlowTableID does a case insensitive lookup of the table name, and returns the flow table number if the table is found. Otherwise TableIDAll is returned if the table cannot be found.
func GetFlowTableName ¶
GetFlowTableName returns the flow table name given the table ID. An empty string is returned if the table cannot be found.
func GetTableList ¶ added in v1.4.0
Types ¶
type Client ¶
type Client interface { // Initialize sets up all basic flows on the specific OVS bridge. It returns a channel which // is used to notify the caller in case of a reconnection, in which case ReplayFlows should // be called to ensure that the set of OVS flows is correct. All flows programmed in the // switch which match the current round number will be deleted before any new flow is // installed. Initialize(roundInfo types.RoundInfo, config *config.NodeConfig, networkconfig *config.NetworkConfig) (<-chan struct{}, error) // InstallGatewayFlows sets up flows related to an OVS gateway port, the gateway must exist. InstallGatewayFlows() error // InstallClusterServiceCIDRFlows sets up the appropriate flows so that traffic can reach // the different Services running in the Cluster. This method needs to be invoked once with // the Cluster Service CIDR as a parameter. InstallClusterServiceCIDRFlows(serviceNets []*net.IPNet) error // InstallDefaultServiceFlows sets up the appropriate flows so that traffic can reach // the different Services running in the Cluster. This method needs to be invoked once. InstallDefaultServiceFlows(nodePortAddressesIPv4, nodePortAddressesIPv6 []net.IP) error // InstallDefaultTunnelFlows sets up the classification flow for the default (flow based) tunnel. InstallDefaultTunnelFlows() error // InstallNodeFlows should be invoked when a connection to a remote Node is going to be set // up. The hostname is used to identify the added flows. When IPsec tunnel is enabled, // ipsecTunOFPort must be set to the OFPort number of the IPsec tunnel port to the remote Node; // otherwise ipsecTunOFPort must be set to 0. // InstallNodeFlows has all-or-nothing semantics(call succeeds if all the flows are installed // successfully, otherwise no flows will be installed). Calls to InstallNodeFlows are idempotent. // Concurrent calls to InstallNodeFlows and / or UninstallNodeFlows are supported as long as they // are all for different hostnames. InstallNodeFlows( hostname string, peerConfigs map[*net.IPNet]net.IP, tunnelPeerIP *utilip.DualStackIPs, ipsecTunOFPort uint32, peerNodeMAC net.HardwareAddr) error // UninstallNodeFlows removes the connection to the remote Node specified with the // hostname. UninstallNodeFlows will do nothing if no connection to the host was established. UninstallNodeFlows(hostname string) error // InstallPodFlows should be invoked when a connection to a Pod on current Node. The // interfaceName is used to identify the added flows. InstallPodFlows has all-or-nothing // semantics(call succeeds if all the flows are installed successfully, otherwise no // flows will be installed). Calls to InstallPodFlows are idempotent. Concurrent calls // to InstallPodFlows and / or UninstallPodFlows are supported as long as they are all // for different interfaceNames. InstallPodFlows(interfaceName string, podInterfaceIPs []net.IP, podInterfaceMAC net.HardwareAddr, ofPort uint32) error // UninstallPodFlows removes the connection to the local Pod specified with the // interfaceName. UninstallPodFlows will do nothing if no connection to the Pod was established. UninstallPodFlows(interfaceName string) error // InstallServiceGroup installs a group for Service LB. Each endpoint // is a bucket of the group. For now, each bucket has the same weight. InstallServiceGroup(groupID binding.GroupIDType, withSessionAffinity bool, endpoints []proxy.Endpoint) error // UninstallServiceGroup removes the group and its buckets that are // installed by InstallServiceGroup. UninstallServiceGroup(groupID binding.GroupIDType) error // InstallEndpointFlows installs flows for accessing Endpoints. // If an Endpoint is on the current Node, then flows for hairpin and endpoint // L2 forwarding should also be installed. InstallEndpointFlows(protocol binding.Protocol, endpoints []proxy.Endpoint) error // UninstallEndpointFlows removes flows of the Endpoint installed by // InstallEndpointFlows. UninstallEndpointFlows(protocol binding.Protocol, endpoint proxy.Endpoint) error // InstallServiceFlows installs flows for accessing Service NodePort, LoadBalancer and ClusterIP. It installs the // flow that uses the group/bucket to do service LB. If the affinityTimeout is not zero, it also installs the flow // which has a learn action to maintain the LB decision. The group with the groupID must be installed before, // otherwise the installation will fail. If the externalTrafficPolicy of NodePort/LoadBalancer is Local, // nodeLocalExternal will be true, otherwise it will be false. InstallServiceFlows(groupID binding.GroupIDType, svcIP net.IP, svcPort uint16, protocol binding.Protocol, affinityTimeout uint16, nodeLocalExternal bool, svcType v1.ServiceType) error // UninstallServiceFlows removes flows installed by InstallServiceFlows. UninstallServiceFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error // InstallLoadBalancerServiceFromOutsideFlows installs flows for LoadBalancer Service traffic from outside node. // The traffic is received from uplink port and will be forwarded to gateway by the installed flows. And then // kube-proxy will handle the traffic. // This function is only used for Windows platform. InstallLoadBalancerServiceFromOutsideFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error // UninstallLoadBalancerServiceFromOutsideFlows removes flows installed by InstallLoadBalancerServiceFromOutsideFlows. UninstallLoadBalancerServiceFromOutsideFlows(svcIP net.IP, svcPort uint16, protocol binding.Protocol) error // GetFlowTableStatus should return an array of flow table status, all existing flow tables should be included in the list. GetFlowTableStatus() []binding.TableStatus // InstallPolicyRuleFlows installs flows for a new NetworkPolicy rule. Rule should include all fields in the // NetworkPolicy rule. Each ingress/egress policy rule installs Openflow entries on two tables, one for // ruleTable and the other for dropTable. If a packet does not pass the ruleTable, it will be dropped by the // dropTable. InstallPolicyRuleFlows(ofPolicyRule *types.PolicyRule) error // BatchInstallPolicyRuleFlows installs multiple flows for NetworkPolicy rules in batch. BatchInstallPolicyRuleFlows(ofPolicyRules []*types.PolicyRule) error // UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule. // It also returns a slice of stale ofPriorities used by ClusterNetworkPolicies. // UninstallPolicyRuleFlows will do nothing if no Openflow entry for the rule is installed. UninstallPolicyRuleFlows(ruleID uint32) ([]string, error) // AddPolicyRuleAddress adds one or multiple addresses to the specified NetworkPolicy rule. If addrType is true, the // addresses are added to PolicyRule.From, else to PolicyRule.To. AddPolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error // DeletePolicyRuleAddress removes addresses from the specified NetworkPolicy rule. If addrType is srcAddress, the addresses // are removed from PolicyRule.From, else from PolicyRule.To. DeletePolicyRuleAddress(ruleID uint32, addrType types.AddressType, addresses []types.Address, priority *uint16) error // InstallBridgeUplinkFlows installs Openflow flows between bridge local port and uplink port to support // host networking. // This function is only used for Windows platform. InstallBridgeUplinkFlows() error // InstallExternalFlows sets up flows to enable Pods to communicate to // the external IP addresses. The flows identify the packets from local // Pods to the external IP address, and mark the packets to be SNAT'd // with the configured SNAT IPs. On Windows Node, the flows also perform // SNAT with the Openflow NAT action. InstallExternalFlows(exceptCIDRs []net.IPNet) error // InstallSNATMarkFlows installs flows for a local SNAT IP. On Linux, a // single flow is added to mark the packets tunnelled from remote Nodes // that should be SNAT'd with the SNAT IP. On Windows, an extra flow is // added to perform SNAT for the marked packets with the SNAT IP. InstallSNATMarkFlows(snatIP net.IP, mark uint32) error // UninstallSNATMarkFlows removes the flows installed to set the packet // mark for a SNAT IP. UninstallSNATMarkFlows(mark uint32) error // InstallPodSNATFlows installs the SNAT flows for a local Pod. If the // SNAT IP for the Pod is on the local Node, a non-zero SNAT ID should // allocated for the SNAT IP, and the installed flow sets the SNAT IP // mark on the egress packets from the ofPort; if the SNAT IP is on a // remote Node, snatMark should be set to 0, and the installed flow // tunnels egress packets to the remote Node using the SNAT IP as the // tunnel destination, and the packets should be SNAT'd on the remote // Node. As of now, a Pod can be configured to use only a single SNAT // IP in a single address family (IPv4 or IPv6). InstallPodSNATFlows(ofPort uint32, snatIP net.IP, snatMark uint32) error // UninstallPodSNATFlows removes the SNAT flows for the local Pod. UninstallPodSNATFlows(ofPort uint32) error // Disconnect disconnects the connection between client and OFSwitch. Disconnect() error // IsConnected returns the connection status between client and OFSwitch. The return value is true if the OFSwitch is connected. IsConnected() bool // ReplayFlows should be called when a spurious disconnection occurs. After we reconnect to // the OFSwitch, we need to replay all the flows cached by the client. ReplayFlows will try // to replay as many flows as possible, and will log an error when a flow cannot be // installed. ReplayFlows() // DeleteStaleFlows deletes all flows from the previous round which are no longer needed. It // should be called by the agent after all required flows have been installed / updated with // the new round number. DeleteStaleFlows() error // GetTunnelVirtualMAC() returns GlobalVirtualMAC used for tunnel traffic. GetTunnelVirtualMAC() net.HardwareAddr // GetPodFlowKeys returns the keys (match strings) of the cached flows for a // Pod. GetPodFlowKeys(interfaceName string) []string // GetServiceFlowKeys returns the keys (match strings) of the cached // flows for a Service (port) and its endpoints. GetServiceFlowKeys(svcIP net.IP, svcPort uint16, protocol binding.Protocol, endpoints []proxy.Endpoint) []string // GetNetworkPolicyFlowKeys returns the keys (match strings) of the cached // flows for a NetworkPolicy. Flows are grouped by policy rules, and duplicated // entries can be added due to conjunctive match flows shared by multiple // rules. GetNetworkPolicyFlowKeys(npName, npNamespace string) []string // ReassignFlowPriorities takes a list of priority updates, and update the actionFlows to replace // the old priority with the desired one, for each priority update on that table. ReassignFlowPriorities(updates map[uint16]uint16, table uint8) error // SubscribePacketIn subscribes to packet in messages for the given reason. Packets // will be placed in the queue and if the queue is full, the packet in messages // will be dropped. pktInQueue supports rate-limiting for the consumer, in order to // constrain the compute resources that may be used by the consumer. SubscribePacketIn(reason uint8, pktInQueue *binding.PacketInQueue) error // SendTraceflowPacket injects packet to specified OVS port for Openflow. SendTraceflowPacket(dataplaneTag uint8, packet *binding.Packet, inPort uint32, outPort int32) error // InstallTraceflowFlows installs flows for a Traceflow request. InstallTraceflowFlows(dataplaneTag uint8, liveTraffic, droppedOnly, receiverOnly bool, packet *binding.Packet, ofPort uint32, timeoutSeconds uint16) error // UninstallTraceflowFlows uninstalls flows for a Traceflow request. UninstallTraceflowFlows(dataplaneTag uint8) error // Initial tun_metadata0 in TLV map for Traceflow. InitialTLVMap() error // Find Network Policy reference and OFpriority by conjunction ID. GetPolicyInfoFromConjunction(ruleID uint32) (string, string) // RegisterPacketInHandler uses SubscribePacketIn to get PacketIn message and process received // packets through registered handlers. RegisterPacketInHandler(packetHandlerReason uint8, packetHandlerName string, packetInHandler interface{}) StartPacketInHandler(packetInStartedReason []uint8, stopCh <-chan struct{}) // Get traffic metrics of each NetworkPolicy rule. NetworkPolicyMetrics() map[uint32]*types.RuleMetric // Returns if IPv4 is supported on this Node or not. IsIPv4Enabled() bool // Returns if IPv6 is supported on this Node or not. IsIPv6Enabled() bool // SendTCPPacketOut sends TCP packet as a packet-out to OVS. SendTCPPacketOut( srcMAC string, dstMAC string, srcIP string, dstIP string, inPort uint32, outPort uint32, isIPv6 bool, tcpSrcPort uint16, tcpDstPort uint16, tcpAckNum uint32, tcpFlag uint8, mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error // SendICMPPacketOut sends ICMP packet as a packet-out to OVS. SendICMPPacketOut( srcMAC string, dstMAC string, srcIP string, dstIP string, inPort uint32, outPort uint32, isIPv6 bool, icmpType uint8, icmpCode uint8, icmpData []byte, mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error // SendUDPPacketOut sends UDP packet as a packet-out to OVS. SendUDPPacketOut( srcMAC string, dstMAC string, srcIP string, dstIP string, inPort uint32, outPort uint32, isIPv6 bool, udpSrcPort uint16, udpDstPort uint16, udpData []byte, mutatePacketOut func(builder binding.PacketOutBuilder) binding.PacketOutBuilder) error // NewDNSpacketInConjunction creates a policyRuleConjunction for the dns response interception flows. NewDNSpacketInConjunction(id uint32) error // AddAddressToDNSConjunction adds addresses to the toAddresses of the dns packetIn conjunction, // so that dns response packets sent towards these addresses will be intercepted and parsed by // the fqdnController. AddAddressToDNSConjunction(id uint32, addrs []types.Address) error // DeleteAddressFromDNSConjunction removes addresses from the toAddresses of the dns packetIn conjunction. DeleteAddressFromDNSConjunction(id uint32, addrs []types.Address) error // InstallMulticastInitialFlows installs OpenFlow to packetIn the IGMP messages and output the Multicast traffic to // antrea-gw0 so that local Pods could access external Multicast servers. InstallMulticastInitialFlows(pktInReason uint8) error // InstallMulticastFlow installs the flow to forward Multicast traffic normally, and output it to antrea-gw0 // to ensure it can be forwarded to the external addresses. InstallMulticastFlow(multicastIP net.IP) error // UninstallMulticastFlow removes the flow matching the given multicastIP. UninstallMulticastFlow(multicastIP net.IP) error // SendIGMPQueryPacketOut sends the IGMPQuery packet as a packet-out to OVS from the gateway port. SendIGMPQueryPacketOut( dstMAC net.HardwareAddr, dstIP net.IP, outPort uint32, igmp ofutil.Message) error }
Client is the interface to program OVS flows for entity connectivity of Antrea.
func NewClient ¶
func NewClient(bridgeName string, mgmtAddr string, ovsDatapathType ovsconfig.OVSDatapathType, enableProxy bool, enableAntreaPolicy bool, enableEgress bool, enableDenyTracking bool, proxyAll bool, connectUplinkToBridge bool, enableMulticast bool) Client
NewClient is the constructor of the Client interface.
type ConjunctionNotFound ¶
type ConjunctionNotFound uint32
ConjunctionNotFound is an error response when the specified policyRuleConjunction is not found from the local cache.
func (*ConjunctionNotFound) Error ¶
func (e *ConjunctionNotFound) Error() string
type IPAddress ¶
IP address calculated from Pod's address.
func NewIPAddress ¶
func (*IPAddress) GetMatchKey ¶
func (a *IPAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*IPAddress) GetMatchValue ¶
type IPNetAddress ¶
IP block calculated from Pod's address.
func NewIPNetAddress ¶
func NewIPNetAddress(addr net.IPNet) *IPNetAddress
func (*IPNetAddress) GetMatchKey ¶
func (a *IPNetAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*IPNetAddress) GetMatchValue ¶
func (a *IPNetAddress) GetMatchValue() string
func (*IPNetAddress) GetValue ¶
func (a *IPNetAddress) GetValue() interface{}
type OFEntryOperations ¶
type OFEntryOperations interface { Add(flow binding.Flow) error Modify(flow binding.Flow) error Delete(flow binding.Flow) error AddAll(flows []binding.Flow) error ModifyAll(flows []binding.Flow) error BundleOps(adds []binding.Flow, mods []binding.Flow, dels []binding.Flow) error DeleteAll(flows []binding.Flow) error AddOFEntries(ofEntries []binding.OFEntry) error DeleteOFEntries(ofEntries []binding.OFEntry) error }
type OFPortAddress ¶
type OFPortAddress int32
OFPortAddress is the Openflow port of an interface.
func NewOFPortAddress ¶
func NewOFPortAddress(addr int32) *OFPortAddress
func (*OFPortAddress) GetMatchKey ¶
func (a *OFPortAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*OFPortAddress) GetMatchValue ¶
func (a *OFPortAddress) GetMatchValue() string
func (*OFPortAddress) GetValue ¶
func (a *OFPortAddress) GetValue() interface{}
type PacketInHandler ¶
type ServiceGroupIDAddress ¶ added in v1.4.0
type ServiceGroupIDAddress binding.GroupIDType
func NewServiceGroupIDAddress ¶ added in v1.4.0
func NewServiceGroupIDAddress(groupID binding.GroupIDType) *ServiceGroupIDAddress
func (*ServiceGroupIDAddress) GetMatchKey ¶ added in v1.4.0
func (a *ServiceGroupIDAddress) GetMatchKey(addrType types.AddressType) *types.MatchKey
func (*ServiceGroupIDAddress) GetMatchValue ¶ added in v1.4.0
func (a *ServiceGroupIDAddress) GetMatchValue() string
func (*ServiceGroupIDAddress) GetValue ¶ added in v1.4.0
func (a *ServiceGroupIDAddress) GetValue() interface{}