polprog

Documentation

Index

• Variables
• func SubProgramJumpIdx(polProgIdx, subProgIdx, stride int) int
• type Builder
  • func NewBuilder(ipSetIDProvider ipSetIDProvider, ...) *Builder
  • func (p *Builder) Instructions(rules Rules) ([]Insns, error)
• type Option
  • func WithAllowDenyJumps(allow, deny int) Option
  • func WithIPv6() Option
  • func WithPolicyDebugEnabled() Option
  • func WithPolicyMapIndexAndStride(entryPointIdx, stride int) Option
• type Policy
• type Profile
• type Rule
• type RuleMatchID
• type Rules
• type Tier
• type TierEndAction

Variables

var (

	// Bits in the state flags field.
	FlagDestIsHost uint64 = 1 << 2
	FlagSrcIsHost  uint64 = 1 << 3
)

Functions

func SubProgramJumpIdx

func SubProgramJumpIdx(polProgIdx, subProgIdx, stride int) int

Types

type Builder

type Builder struct {
	// contains filtered or unexported fields
}

func NewBuilder

func NewBuilder(
	ipSetIDProvider ipSetIDProvider,
	ipsetMapFD, stateMapFD, staticProgsMapFD, policyJumpMapFD maps.FD,
	opts ...Option) *Builder

func (*Builder) Instructions

func (p *Builder) Instructions(rules Rules) ([]Insns, error)

type Option

type Option func(b *Builder)

Option is an additional option that can change default behaviour

func WithAllowDenyJumps

func WithAllowDenyJumps(allow, deny int) Option

func WithIPv6

func WithIPv6() Option

func WithPolicyDebugEnabled

func WithPolicyDebugEnabled() Option

WithPolicyDebug enables policy debug.

func WithPolicyMapIndexAndStride

func WithPolicyMapIndexAndStride(entryPointIdx, stride int) Option

WithPolicyMapIndexAndStride tells the builder the "shape" of the policy jump map, allowing it to split the program if it gets too large. entryPointIdx is the jump map key for the first "entry point" program. stride is the number of indexes to skip to get to the next sub-program. If WithPolicyMapIndexAndStride is not provided, program-splitting is disabled.

type Policy

type Policy struct {
	Name  string
	Rules []Rule
}

type Profile

type Profile = Policy

type Rule

type Rule struct {
	*proto.Rule
	MatchID RuleMatchID
}

type RuleMatchID

type RuleMatchID = uint64

type Rules

type Rules struct {
	// Both workload and host interfaces can enforce host endpoint policy (carried here in the
	// Host... fields); in the case of a workload interface, that can only come from the
	// wildcard host endpoint, aka "host-*".
	//
	// However, only a workload interface can have any workload policy (carried here in the
	// Tiers and Profiles fields), and workload interfaces also Deny by default when there is no
	// workload policy at all.  ForHostInterface (with reversed polarity) is the boolean that
	// tells us whether or not to implement workload policy and that default Deny.
	ForHostInterface bool

	// Indicates to suppress normal host policy because it's trumped by the setting of
	// DefaultEndpointToHostAction.
	SuppressNormalHostPolicy bool

	// Workload policy.
	Tiers    []Tier
	Profiles []Profile

	// Host endpoint policy.
	HostPreDnatTiers []Tier
	HostForwardTiers []Tier
	HostNormalTiers  []Tier
	HostProfiles     []Profile

	// True when building a policy program for XDP, as opposed to for TC.  This also means that
	// we are implementing untracked policy (provided in the HostNormalTiers field) and that
	// traffic is allowed to continue if not explicitly allowed or denied.
	ForXDP bool
}

type Tier

type Tier struct {
	Name      string
	EndAction TierEndAction
	Policies  []Policy
}

type TierEndAction

type TierEndAction string

const (
	TierEndUndef TierEndAction = ""
	TierEndDeny  TierEndAction = "deny"
	TierEndPass  TierEndAction = "pass"
)