Documentation ¶
Overview ¶
Package linux_defaults provides the Linux datapath defaults
Index ¶
Constants ¶
const ( // RouteTableIPSec is the default table ID to use for IPSec routing rules RouteTableIPSec = 200 // RouteTableWireguard is the default table ID to use for Wireguard routing // rules RouteTableWireguard = 201 // RouteTableInterfacesOffset is the offset for the per-ENI routing tables. // Each ENI interface will have its own table starting with this offset. It // is 10 because it is highly unlikely to collide with the main routing // table which is between 253-255. See ip-route(8). RouteTableInterfacesOffset = 10 // RouteMarkDecrypt is the default route mark to use to indicate datapath // needs to decrypt a packet. RouteMarkDecrypt = 0x0D00 // RouteMarkEncrypt is the default route mark to use to indicate datapath // needs to encrypt a packet. RouteMarkEncrypt = 0x0E00 // RouteMarkMask is the mask required for the route mark value RouteMarkMask = 0xF00 // RouteMarkToProxy is the default route mark to use to indicate // datapath needs to send the packet to the proxy. // // Specifically, this is used in the L7 ingress policy tunneling case // where after decryption, the packet is rerouted back into // `cilium_host` with said mark to indicate the destination as the // proxy. RouteMarkToProxy = MagicMarkIsToProxy // MarkMultinodeNodeport is used for AWS ENI to mark traffic from // another node, so that it gets routed back through the relevant // interface. MarkMultinodeNodeport = 0x80 // MaskMultinodeNodeport is the mask associated with the // RouterMarkNodePort MaskMultinodeNodeport = 0x80 // IPSecProtocolID IP protocol ID for IPSec defined in RFC4303 RouteProtocolIPSec = 50 // RulePriorityWireguard is the priority of the rule used for routing packets to Wireguard device for encryption RulePriorityWireguard = 1 // RulePriorityIngress is the priority of the rule used for ingress routing // of endpoints. This priority is after encryption and proxy rules, and // before the local table priority. RulePriorityIngress = 20 // RulePriorityEgress is the priority of the rule used for egress routing // of endpoints. This priority is after the local table priority. RulePriorityEgress = 110 // RulePriorityEgress is the v2 of the priority of the rule used for egress // routing of endpoints. This priority is after the local table priority. // // Because of https://github.com/cilium/cilium/issues/14336, we must use a // new priority value to disambiguate which rules are still under the old // scheme. RulePriorityEgressv2 = 111 // RulePriorityNodeport is the priority of the rule used with AWS ENI to // make sure that lookups for multi-node NodePort traffic are NOT done // from the table for the VPC to which the endpoint's CIDR is // associated, but from the main routing table instead. // This priority is before the egress priority. RulePriorityNodeport = RulePriorityEgress - 1 // TunnelDeviceName the default name of the tunnel device when using vxlan TunnelDeviceName = "cilium_vxlan" // IPSec offset value for node rules IPsecMaxKeyVersion = 16 // IPsecMarkMask is the mask required for the IPsec SPI and encrypt/decrypt bits IPsecMarkMask = 0xFF00 // IPsecMarkMaskIn is the mask required for IPsec to lookup encrypt/decrypt bits IPsecMarkMaskIn = 0x0F00 // IPsecFwdPriority is the priority of the fwd rules placed by IPsec IPsecFwdPriority = 0x0B9F // IPsecKeyDeleteDelay is the time to wait before removing old keys when // the IPsec key is changing. IPsecKeyDeleteDelay = 5 * time.Minute )
Linux specific constants used in Linux datapath
const ( // MagicMarkHostMask can be used to fetch the host/proxy-relevant magic // bits from a mark. MagicMarkHostMask int = 0x0F00 // MagicMarkProxyMask can be used to fetch the proxy-relevant magic // bits from a mark. MagicMarkProxyMask int = 0x0E00 // MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic // bits from a mark for proxy reply traffic. MagicMarkProxyNoIDMask int = 0xFFFFFEFF // MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask // to determine whether the mark is indicating that traffic is sourced // from a proxy. MagicMarkIsProxy int = 0x0A00 // MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask // to determine whether the mark is indicating that traffic is destined // to a proxy. MagicMarkIsToProxy uint32 = 0x0200 // MagicMarkIngress determines that the traffic is sourced from the // proxy which is applying Ingress policy MagicMarkIngress int = 0x0A00 // MagicMarkEgress determines that the traffic is sourced from the // proxy which is applying Egress policy MagicMarkEgress int = 0x0B00 // MagicMarkHost determines that the traffic is sourced from the local // host and not from a proxy. MagicMarkHost int = 0x0C00 // MagicMarkIdentity determines that the traffic carries a security // identity in the skb->mark MagicMarkIdentity int = 0x0F00 // MagicMarkK8sMasq determines that the traffic should be masqueraded // by kube-proxy in kubernetes environments. MagicMarkK8sMasq int = 0x4000 // MagicMarkK8sDrop determines that the traffic should be dropped in // kubernetes environments. MagicMarkK8sDrop int = 0x8000 )
The skb mark is used to transmit both identity and special markers to identify traffic from and to proxies. The mark field is being used in the following way:
1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-------------------------------+-------+-------+---------------+ |L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U| +-------------------------------+-------+-------+---------------+
identity k8s mark identity
Identity (24 bits): +-----------------------------------------------+ |U U U U U U U U|L L L L L L L L L L L L L L L L| +-----------------------------------------------+
1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
Kubernetes Mark (4 bits): R R R R 0 1 0 0 Masquerade 1 0 0 0 Drop
Cilium Mark (4 bits): M M M M (see MARK_MAGIC_* in bpf/lib/common.h)
Variables ¶
This section is empty.
Functions ¶
func GetMagicProxyMark ¶
getMagicMark returns the magic marker with which each packet must be marked. The mark is different depending on whether the proxy is injected at ingress or egress.
Types ¶
This section is empty.