linux_defaults

package
v1.10.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 16, 2021 License: Apache-2.0 Imports: 1 Imported by: 24

Documentation

Overview

Package linux_defaults provides the Linux datapath defaults

Index

Constants

View Source
const (
	// RouteTableIPSec is the default table ID to use for IPSec routing rules
	RouteTableIPSec = 200

	// RouteTableWireguard is the default table ID to use for Wireguard routing
	// rules
	RouteTableWireguard = 201

	// RouteTableInterfacesOffset is the offset for the per-ENI routing tables.
	// Each ENI interface will have its own table starting with this offset. It
	// is 10 because it is highly unlikely to collide with the main routing
	// table which is between 253-255. See ip-route(8).
	RouteTableInterfacesOffset = 10

	// RouteMarkDecrypt is the default route mark to use to indicate datapath
	// needs to decrypt a packet.
	RouteMarkDecrypt = 0x0D00

	// RouteMarkEncrypt is the default route mark to use to indicate datapath
	// needs to encrypt a packet.
	RouteMarkEncrypt = 0x0E00

	// RouteMarkMask is the mask required for the route mark value
	RouteMarkMask = 0xF00

	// RouteMarkToProxy is the default route mark to use to indicate
	// datapath needs to send the packet to the proxy.
	//
	// Specifically, this is used in the L7 ingress policy tunneling case
	// where after decryption, the packet is rerouted back into
	// `cilium_host` with said mark to indicate the destination as the
	// proxy.
	RouteMarkToProxy = MagicMarkIsToProxy

	// MarkMultinodeNodeport is used for AWS ENI to mark traffic from
	// another node, so that it gets routed back through the relevant
	// interface.
	MarkMultinodeNodeport = 0x80

	// MaskMultinodeNodeport is the mask associated with the
	// RouterMarkNodePort
	MaskMultinodeNodeport = 0x80

	// IPSecProtocolID IP protocol ID for IPSec defined in RFC4303
	RouteProtocolIPSec = 50

	// RulePriorityWireguard is the priority of the rule used for routing packets to Wireguard device for encryption
	RulePriorityWireguard = 1

	// RulePriorityIngress is the priority of the rule used for ingress routing
	// of endpoints. This priority is after encryption and proxy rules, and
	// before the local table priority.
	RulePriorityIngress = 20

	// RulePriorityEgress is the priority of the rule used for egress routing
	// of endpoints. This priority is after the local table priority.
	RulePriorityEgress = 110

	// RulePriorityEgress is the v2 of the priority of the rule used for egress
	// routing of endpoints. This priority is after the local table priority.
	//
	// Because of https://github.com/cilium/cilium/issues/14336, we must use a
	// new priority value to disambiguate which rules are still under the old
	// scheme.
	RulePriorityEgressv2 = 111

	// RulePriorityNodeport is the priority of the rule used with AWS ENI to
	// make sure that lookups for multi-node NodePort traffic are NOT done
	// from the table for the VPC to which the endpoint's CIDR is
	// associated, but from the main routing table instead.
	// This priority is before the egress priority.
	RulePriorityNodeport = RulePriorityEgress - 1

	// TunnelDeviceName the default name of the tunnel device when using vxlan
	TunnelDeviceName = "cilium_vxlan"

	// IPSec offset value for node rules
	IPsecMaxKeyVersion = 16

	// IPsecMarkMask is the mask required for the IPsec SPI and encrypt/decrypt bits
	IPsecMarkMask = 0xFF00

	// IPsecMarkMaskIn is the mask required for IPsec to lookup encrypt/decrypt bits
	IPsecMarkMaskIn = 0x0F00

	// IPsecFwdPriority is the priority of the fwd rules placed by IPsec
	IPsecFwdPriority = 0x0B9F

	// IPsecKeyDeleteDelay is the time to wait before removing old keys when
	// the IPsec key is changing.
	IPsecKeyDeleteDelay = 5 * time.Minute
)

Linux specific constants used in Linux datapath

View Source
const (
	// MagicMarkHostMask can be used to fetch the host/proxy-relevant magic
	// bits from a mark.
	MagicMarkHostMask int = 0x0F00
	// MagicMarkProxyMask can be used to fetch the proxy-relevant magic
	// bits from a mark.
	MagicMarkProxyMask int = 0x0E00
	// MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic
	// bits from a mark for proxy reply traffic.
	MagicMarkProxyNoIDMask int = 0xFFFFFEFF
	// MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask
	// to determine whether the mark is indicating that traffic is sourced
	// from a proxy.
	MagicMarkIsProxy int = 0x0A00
	// MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask
	// to determine whether the mark is indicating that traffic is destined
	// to a proxy.
	MagicMarkIsToProxy uint32 = 0x0200

	// MagicMarkIngress determines that the traffic is sourced from the
	// proxy which is applying Ingress policy
	MagicMarkIngress int = 0x0A00
	// MagicMarkEgress determines that the traffic is sourced from the
	// proxy which is applying Egress policy
	MagicMarkEgress int = 0x0B00

	// MagicMarkHost determines that the traffic is sourced from the local
	// host and not from a proxy.
	MagicMarkHost int = 0x0C00

	// MagicMarkIdentity determines that the traffic carries a security
	// identity in the skb->mark
	MagicMarkIdentity int = 0x0F00

	// MagicMarkK8sMasq determines that the traffic should be masqueraded
	// by kube-proxy in kubernetes environments.
	MagicMarkK8sMasq int = 0x4000
	// MagicMarkK8sDrop determines that the traffic should be dropped in
	// kubernetes environments.
	MagicMarkK8sDrop int = 0x8000
)

The skb mark is used to transmit both identity and special markers to identify traffic from and to proxies. The mark field is being used in the following way:

1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2

+-------------------------------+-------+-------+---------------+ |L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U| +-------------------------------+-------+-------+---------------+

identity                        k8s     mark    identity

Identity (24 bits): +-----------------------------------------------+ |U U U U U U U U|L L L L L L L L L L L L L L L L| +-----------------------------------------------+

1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4

Kubernetes Mark (4 bits): R R R R 0 1 0 0 Masquerade 1 0 0 0 Drop

Cilium Mark (4 bits): M M M M (see MARK_MAGIC_* in bpf/lib/common.h)

Variables

This section is empty.

Functions

func GetMagicProxyMark

func GetMagicProxyMark(isIngress bool, identity int) int

getMagicMark returns the magic marker with which each packet must be marked. The mark is different depending on whether the proxy is injected at ingress or egress.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL