Documentation ¶
Overview ¶
Package linux_defaults provides the Linux datapath defaults
Index ¶
Constants ¶
const ( // RouteTableIPSec is the default table ID to use for IPSec routing rules RouteTableIPSec = 200 // RouteTableWireguard is the default table ID to use for Wireguard routing // rules RouteTableWireguard = 201 // RouteTableVtep is the default table ID to use for VTEP routing rules RouteTableVtep = 202 // RouteTableEgressGatewayInterfacesOffset is the offset for the per-ENI // egress gateway routing tables. // Each ENI interface will have its own table starting with this offset. It // is 300 because it is highly unlikely to collide with the main routing // table which is between 253-255. See ip-route(8). RouteTableEgressGatewayInterfacesOffset = 300 // RouteTableInterfacesOffset is the offset for the per-ENI routing tables. // Each ENI interface will have its own table starting with this offset. It // is 10 because it is highly unlikely to collide with the main routing // table which is between 253-255. See ip-route(8). RouteTableInterfacesOffset = 10 // RouteMarkDecrypt is the default route mark to use to indicate datapath // needs to decrypt a packet. RouteMarkDecrypt = 0x0D00 // RouteMarkEncrypt is the default route mark to use to indicate datapath // needs to encrypt a packet. RouteMarkEncrypt = 0x0E00 // RouteMarkMask is the mask required for the route mark value RouteMarkMask = 0xF00 // OutputMarkMask is the mask to use in output-mark of XFRM states. It is // used to clear the node ID and the SPI from the packet mark. OutputMarkMask = 0xFFFFFF00 // RouteMarkToProxy is the default route mark to use to indicate // datapath needs to send the packet to the proxy. // // Specifically, this is used in the L7 ingress policy tunneling case // where after decryption, the packet is rerouted back into // `cilium_host` with said mark to indicate the destination as the // proxy. RouteMarkToProxy = MagicMarkIsToProxy // MarkMultinodeNodeport is used for AWS ENI to mark traffic from // another node, so that it gets routed back through the relevant // interface. MarkMultinodeNodeport = 0x80 // MaskMultinodeNodeport is the mask associated with the // RouterMarkNodePort MaskMultinodeNodeport = 0x80 // IPSecProtocolID IP protocol ID for IPSec defined in RFC4303 RouteProtocolIPSec = 50 // RulePriorityWireguard is the priority of the rule used for routing packets to Wireguard device for encryption RulePriorityWireguard = 1 // RulePriorityEgressGateway is the priority used in IP routes added by the manager. // This value was picked as it's lower than the ones used by Cilium // (RulePriorityEgressv2 = 111) or the AWS CNI (10) to install the IP // rules for routing EP traffic to the correct ENI interface RulePriorityEgressGateway = 8 // RulePriorityIngress is the priority of the rule used for ingress routing // of endpoints. This priority is after encryption and proxy rules, and // before the local table priority. RulePriorityIngress = 20 // RulePriorityEgress is the priority of the rule used for egress routing // of endpoints. This priority is after the local table priority. RulePriorityEgress = 110 // RulePriorityEgress is the v2 of the priority of the rule used for egress // routing of endpoints. This priority is after the local table priority. // // Because of https://github.com/cilium/cilium/issues/14336, we must use a // new priority value to disambiguate which rules are still under the old // scheme. RulePriorityEgressv2 = 111 // RulePriorityNodeport is the priority of the rule used with AWS ENI to // make sure that lookups for multi-node NodePort traffic are NOT done // from the table for the VPC to which the endpoint's CIDR is // associated, but from the main routing table instead. // This priority is before the egress priority. RulePriorityNodeport = RulePriorityEgress - 1 // RulePriorityVtep is the priority of the rule used for routing packets to VTEP device RulePriorityVtep = 112 // TunnelDeviceName the default name of the tunnel device when using vxlan TunnelDeviceName = "cilium_vxlan" // IPSec offset value for node rules IPsecMaxKeyVersion = 15 // IPsecMarkMaskNodeID is the mask used for the node ID. IPsecMarkMaskNodeID = 0xFFFF0000 // IPsecOldMarkMaskOut is the mask that was previously used. It can be // removed in Cilium v1.15. IPsecOldMarkMaskOut = 0xFF00 // IPsecMarkMask is the mask required for the IPsec SPI, node ID, and encrypt/decrypt bits IPsecMarkMaskOut = IPsecOldMarkMaskOut | IPsecMarkMaskNodeID // IPsecMarkMaskIn is the mask required for IPsec to lookup encrypt/decrypt bits IPsecMarkMaskIn = 0x0F00 // IPsecFwdPriority is the priority of the fwd rules placed by IPsec IPsecFwdPriority = 0x0B9F // IPsecKeyDeleteDelay is the time to wait before removing old keys when // the IPsec key is changing. IPsecKeyDeleteDelay = 5 * time.Minute // IPsecXFRMMarkSPIShift defines how many bits the SPI is shifted when // encoded in a XfrmMark IPsecXFRMMarkSPIShift = 12 )
Linux specific constants used in Linux datapath
const ( // MagicMarkHostMask can be used to fetch the host/proxy-relevant magic // bits from a mark. MagicMarkHostMask int = 0x0F00 // MagicMarkProxyMask can be used to fetch the proxy-relevant magic // bits from a mark. MagicMarkProxyMask int = 0x0E00 // MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic // bits from a mark for proxy reply traffic. MagicMarkProxyNoIDMask int = 0xFFFFFEFF // MagicMarkIsProxyEPID can be used in conjunction with // MagicMarkProxyMask to determine whether the mark is indicating that // traffic is sourced from a proxy prior to endpoint policy enforcement. MagicMarkIsProxyEPID int = 0x0800 // MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask // to determine whether the mark is indicating that traffic is sourced // from a proxy. MagicMarkIsProxy int = 0x0A00 // MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask // to determine whether the mark is indicating that traffic is destined // to a proxy. MagicMarkIsToProxy uint32 = 0x0200 // MagicMarkProxyEgressEPID determines that the traffic is sourced from // the proxy which is capturing traffic before it is subject to egress // policy enforcement that must be done after the proxy. The identity // stored in the mark is source Endpoint ID. // // Note that this is not used from Go code, but is included here to // document this pattern. This must match the definition of // MARK_MAGIC_PROXY_EGRESS_EPID in the datapath, and the Envoy code in // cilium/proxy/cilium/bpf_metadata.cc MagicMarkProxyEgressEPID int = 0x0900 // MagicMarkIngress determines that the traffic is sourced from the // proxy which is applying Ingress policy MagicMarkIngress int = 0x0A00 // MagicMarkEgress determines that the traffic is sourced from the // proxy which is applying Egress policy MagicMarkEgress int = 0x0B00 // MagicMarkHost determines that the traffic is sourced from the local // host and not from a proxy. MagicMarkHost int = 0x0C00 // MagicMarkIdentity determines that the traffic carries a security // identity in the skb->mark MagicMarkIdentity int = 0x0F00 // MagicMarkK8sMasq determines that the traffic should be masqueraded // by kube-proxy in kubernetes environments. MagicMarkK8sMasq int = 0x4000 // MagicMarkK8sDrop determines that the traffic should be dropped in // kubernetes environments. MagicMarkK8sDrop int = 0x8000 )
The skb mark is used to transmit both identity and special markers to identify traffic from and to proxies. The mark field is being used in the following way:
1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-------------------------------+-------+-------+---------------+ |L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U| +-------------------------------+-------+-------+---------------+
identity k8s mark identity
Identity (24 bits): +-----------------------------------------------+ |U U U U U U U U|L L L L L L L L L L L L L L L L| +-----------------------------------------------+
1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
Kubernetes Mark (4 bits): R R R R 0 1 0 0 Masquerade 1 0 0 0 Drop
Cilium Mark (4 bits): M M M M (see MARK_MAGIC_* in bpf/lib/common.h)
Variables ¶
This section is empty.
Functions ¶
func GetMagicProxyMark ¶
getMagicMark returns the magic marker with which each packet must be marked. The mark is different depending on whether the proxy is injected at ingress or egress.
Types ¶
This section is empty.