Documentation ¶
Overview ¶
+groupName=maps
Index ¶
- Constants
- Variables
- func CallString(id uint16) string
- func InitMapInfo(maxEntries int)
- func RemoveGlobalMapping(id uint32) error
- type PlumbingKey
- type PlumbingValue
- type PolicyEntriesDump
- type PolicyEntry
- func (pe *PolicyEntry) Add(oPe PolicyEntry)
- func (in *PolicyEntry) DeepCopy() *PolicyEntry
- func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)
- func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue
- func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer
- func (pe *PolicyEntry) NewValue() bpf.MapValue
- func (pe *PolicyEntry) String() string
- type PolicyEntryDump
- type PolicyKey
- func (in *PolicyKey) DeepCopy() *PolicyKey
- func (in *PolicyKey) DeepCopyInto(out *PolicyKey)
- func (in *PolicyKey) DeepCopyMapKey() bpf.MapKey
- func (key *PolicyKey) GetKeyPtr() unsafe.Pointer
- func (key *PolicyKey) NewValue() bpf.MapValue
- func (key *PolicyKey) String() string
- func (key *PolicyKey) ToHost() PolicyKey
- func (key *PolicyKey) ToNetwork() PolicyKey
- type PolicyMap
- func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) AllowKey(k PolicyKey, proxyPort uint16) error
- func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
- func (pm *PolicyMap) DeleteKeyWithErrno(key PolicyKey) (error, syscall.Errno)
- func (pm *PolicyMap) Dump() (string, error)
- func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
- func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, ...) bool
- func (pm *PolicyMap) String() string
- type PolicyPlumbingMap
Constants ¶
const ( // CallMapName is the name of the map to do tail calls into policy // enforcement programs CallMapName = "cilium_policy" // MapName is the prefix for endpoint-specific policy maps which map // identity+ports+direction to whether the policy allows communication // with that identity on that port for that direction. MapName = CallMapName + "_" // ProgArrayMaxEntries is the upper limit of entries in the program // array for the tail calls to jump into the endpoint specific policy // programs. This number *MUST* be identical to the maximum endponit ID. ProgArrayMaxEntries = ^uint16(0) // AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports // are allowed. In the datapath, this is represented with the value 0 in the // port field of map elements. AllPorts = uint16(0) )
Variables ¶
var ( // MaxEntries is the upper limit of entries in the per endpoint policy // table MaxEntries = 16384 )
Functions ¶
func CallString ¶ added in v1.5.0
CallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.
Derived from __section_tail(CILIUM_MAP_CALLS, NAME) per bpf/lib/tailcall.h.
func InitMapInfo ¶ added in v1.5.2
func InitMapInfo(maxEntries int)
InitMapInfo updates the map info defaults for policy maps.
func RemoveGlobalMapping ¶ added in v1.5.0
RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.
Types ¶
type PlumbingKey ¶ added in v1.5.1
type PlumbingKey struct {
// contains filtered or unexported fields
}
+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey
func (*PlumbingKey) DeepCopy ¶ added in v1.5.1
func (in *PlumbingKey) DeepCopy() *PlumbingKey
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingKey.
func (*PlumbingKey) DeepCopyInto ¶ added in v1.5.1
func (in *PlumbingKey) DeepCopyInto(out *PlumbingKey)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PlumbingKey) DeepCopyMapKey ¶ added in v1.5.1
func (in *PlumbingKey) DeepCopyMapKey() bpf.MapKey
DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.
func (*PlumbingKey) GetKeyPtr ¶ added in v1.5.1
func (k *PlumbingKey) GetKeyPtr() unsafe.Pointer
func (*PlumbingKey) NewValue ¶ added in v1.5.1
func (k *PlumbingKey) NewValue() bpf.MapValue
func (*PlumbingKey) String ¶ added in v1.5.1
func (k *PlumbingKey) String() string
type PlumbingValue ¶ added in v1.5.1
type PlumbingValue struct {
// contains filtered or unexported fields
}
+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue
func (*PlumbingValue) DeepCopy ¶ added in v1.5.1
func (in *PlumbingValue) DeepCopy() *PlumbingValue
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingValue.
func (*PlumbingValue) DeepCopyInto ¶ added in v1.5.1
func (in *PlumbingValue) DeepCopyInto(out *PlumbingValue)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PlumbingValue) DeepCopyMapValue ¶ added in v1.5.1
func (in *PlumbingValue) DeepCopyMapValue() bpf.MapValue
DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.
func (*PlumbingValue) GetValuePtr ¶ added in v1.5.1
func (v *PlumbingValue) GetValuePtr() unsafe.Pointer
func (*PlumbingValue) String ¶ added in v1.5.1
func (v *PlumbingValue) String() string
type PolicyEntriesDump ¶ added in v1.5.0
type PolicyEntriesDump []PolicyEntryDump
PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump
func (PolicyEntriesDump) Less ¶ added in v1.5.0
func (p PolicyEntriesDump) Less(i, j int) bool
Less returns true if the element in index `i` has the value of TrafficDirection lower than `j`'s TrafficDirection or if the element in index `i` has the value of TrafficDirection lower and equal than `j`'s TrafficDirection and the identity of element `i` is lower than the Identity of element j.
type PolicyEntry ¶
type PolicyEntry struct { ProxyPort uint16 // In network byte-order Pad0 uint16 Pad1 uint16 Pad2 uint16 Packets uint64 Bytes uint64 }
PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue
func (*PolicyEntry) Add ¶
func (pe *PolicyEntry) Add(oPe PolicyEntry)
func (*PolicyEntry) DeepCopy ¶ added in v1.5.1
func (in *PolicyEntry) DeepCopy() *PolicyEntry
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyEntry.
func (*PolicyEntry) DeepCopyInto ¶ added in v1.5.1
func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyEntry) DeepCopyMapValue ¶ added in v1.5.1
func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue
DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.
func (*PolicyEntry) GetValuePtr ¶ added in v1.5.0
func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer
func (*PolicyEntry) NewValue ¶ added in v1.5.0
func (pe *PolicyEntry) NewValue() bpf.MapValue
func (*PolicyEntry) String ¶
func (pe *PolicyEntry) String() string
type PolicyEntryDump ¶
type PolicyEntryDump struct { PolicyEntry Key PolicyKey }
type PolicyKey ¶ added in v1.5.0
type PolicyKey struct { Identity uint32 DestPort uint16 // In network byte-order Nexthdr uint8 TrafficDirection uint8 }
PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey
func (*PolicyKey) DeepCopy ¶ added in v1.5.1
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyKey.
func (*PolicyKey) DeepCopyInto ¶ added in v1.5.1
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyKey) DeepCopyMapKey ¶ added in v1.5.1
DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.
type PolicyMap ¶
func OpenOrCreate ¶ added in v1.5.0
OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.
func (*PolicyMap) Allow ¶ added in v1.5.0
func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, proxyPort uint16) error
Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.
func (*PolicyMap) AllowKey ¶ added in v1.5.0
AllowKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) Delete ¶ added in v1.5.0
func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error
Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.
func (*PolicyMap) DeleteEntry ¶ added in v1.5.0
func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.
func (*PolicyMap) DeleteKeyWithErrno ¶ added in v1.6.0
DeleteKey deletes the key-value pair from the given PolicyMap with PolicyKey k. Returns an error if deletion from the PolicyMap fails.
func (*PolicyMap) DumpToSlice ¶
func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
func (*PolicyMap) Exists ¶ added in v1.5.0
func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool
Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport`over protocol `proto`. It is assumed that `dport` is in host byte-order.
type PolicyPlumbingMap ¶ added in v1.5.0
PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.
func OpenCallMap ¶ added in v1.5.0
func OpenCallMap() (*PolicyPlumbingMap, error)
OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.