ctmap

package
v1.15.10 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 10, 2024 License: Apache-2.0 Imports: 29 Imported by: 89

Documentation

Overview

+groupName=maps

Index

Constants

View Source
const (

	// Map names for TCP CT tables are retained from Cilium 1.0 naming
	// scheme to minimize disruption of ongoing connections during upgrade.
	MapNamePrefix     = "cilium_ct"
	MapNameTCP6       = MapNamePrefix + "6_"
	MapNameTCP4       = MapNamePrefix + "4_"
	MapNameTCP6Global = MapNameTCP6 + "global"
	MapNameTCP4Global = MapNameTCP4 + "global"

	// Map names for "any" protocols indicate CT for non-TCP protocols.
	MapNameAny6       = MapNamePrefix + "_any6_"
	MapNameAny4       = MapNamePrefix + "_any4_"
	MapNameAny6Global = MapNameAny6 + "global"
	MapNameAny4Global = MapNameAny4 + "global"

	TUPLE_F_OUT     = 0
	TUPLE_F_IN      = 1
	TUPLE_F_RELATED = 2
	TUPLE_F_SERVICE = 4

	// MaxTime specifies the last possible time for GCFilter.Time
	MaxTime = math.MaxUint32
)
View Source
const (
	RxClosing = 1 << iota
	TxClosing
	Nat64
	LBLoopback
	SeenNonSyn
	NodePort
	ProxyRedirect
	DSR
	FromL7LB
	Reserved1
	FromTunnel
	MaxFlags
)
View Source
const SizeofCtEntry = int(unsafe.Sizeof(CtEntry{}))
View Source
const SizeofCtKey6Global = int(unsafe.Sizeof(CtKey6Global{}))

Variables

View Source
var ClusterOuterMapName = clusterOuterMapName

ClusterOuterMapName returns the name of the outer per-cluster CT map for the given type. It can be overwritten for testing purposes.

Functions

func CleanupPerClusterCTMaps added in v0.15.7

func CleanupPerClusterCTMaps(ipv4, ipv6 bool) error

CleanupPerClusterCTMaps deletes the per-cluster CT maps, including the inner ones.

func CloseLocalMaps added in v0.15.7

func CloseLocalMaps(mapname string)

CloseLocalMaps closes all local conntrack maps opened previously for lookup with the given 'mapname'.

func ClusterInnerMapName added in v0.15.7

func ClusterInnerMapName(typ mapType, clusterID uint32) string

ClusterInnerMapName returns the name of the inner per-cluster NAT map for the given IP family and cluster ID.

func ClusterOuterMapNameTestOverride added in v0.15.7

func ClusterOuterMapNameTestOverride(prefix string)

func DeleteIfUpgradeNeeded added in v0.15.7

func DeleteIfUpgradeNeeded(e CtEndpoint)

DeleteIfUpgradeNeeded attempts to open the conntrack maps associated with the specified endpoint, and delete the maps from the filesystem if any properties do not match the properties defined in this package.

The typical trigger for this is when, for example, the CT entry size changes from one version of Cilium to the next. When Cilium restarts, it may opt to restore endpoints from the prior life. Existing endpoints that use the old map style are incompatible with the new version, so the CT map must be destroyed and recreated during upgrade. By removing the old map location from the filesystem, we ensure that the next time that the endpoint is regenerated, it will recreate a new CT map with the new properties.

Note that if an existing BPF program refers to the map at the canonical paths (as fetched via the getMapPathsToKeySize() call below), then that BPF program will continue to operate on the old map, even once the map is removed from the filesystem. The old map will only be completely cleaned up once all referenced to the map are cleared - that is, all BPF programs which refer to the old map and removed/reloaded.

func DoDumpEntries added in v0.15.7

func DoDumpEntries(m CtMap) (string, error)

DoDumpEntries iterates through Map m and writes the values of the ct entries in m to a string.

func DumpEntriesWithTimeDiff added in v0.15.7

func DumpEntriesWithTimeDiff(m CtMap, clockSource *models.ClockSource) (string, error)

DumpEntriesWithTimeDiff iterates through Map m and writes the values of the ct entries in m to a string. If clockSource is not nil, it uses it to compute the time difference of each entry from now and prints that too.

func Exists added in v0.15.7

func Exists(e CtEndpoint, ipv4, ipv6 bool) bool

Exists returns false if the CT maps for the specified endpoint (or global maps if nil) are not pinned to the filesystem, or true if they exist or an internal error occurs.

func FilterMapsByProto added in v0.15.7

func FilterMapsByProto(maps []*Map, ipVsn CTMapIPVersion) (ctMapTCP *Map, ctMapAny *Map)

FilterMapsByProto filters the given CT maps by the given IP version, and returns two maps - one for TCP and one for any protocol.

func GC added in v0.9.0

func GC(m *Map, filter *GCFilter) (int, error)

GC runs garbage collection for map m with name mapType with the given filter. It returns how many items were deleted from m.

func GetInterval added in v0.15.7

func GetInterval(actualPrevInterval time.Duration, maxDeleteRatio float64) time.Duration

GetInterval returns the interval adjusted based on the deletion ratio of the last run

func InitMapInfo added in v0.15.7

func InitMapInfo(v4, v6, nodeport bool)

InitMapInfo builds the information about different CT maps for the combination of L3/L4 protocols.

func NameIsGlobal added in v0.15.7

func NameIsGlobal(filename string) bool

NameIsGlobal returns true if the specified filename (basename) denotes a global conntrack map.

func NewPerClusterCTMaps added in v0.15.7

func NewPerClusterCTMaps(ipv4, ipv6 bool) *perClusterCTMaps

NewPerClusterCTMaps returns a new instance of the per-cluster CT maps manager.

func Update added in v0.15.7

func Update(epname string, srcAddr, dstAddr string, proto u8proto.U8proto, ingress bool,
	updateFn func(*CtEntry) error) error

Update opens a conntrack map if necessary, and does a lookup on it with a key constructed from the parameters, and updates the found entry (if any) via 'updateFn'. 'epname' is a 5-digit representation of the endpoint ID if local maps are to be used, or "global" if global maps should be used.

func WriteBPFMacros added in v0.15.7

func WriteBPFMacros(fw io.Writer, e CtEndpoint)

WriteBPFMacros writes the map names for conntrack maps into the specified writer, defining usage of the global map or local maps depending on whether the specified CtEndpoint is nil.

Types

type CTMapIPVersion added in v0.15.7

type CTMapIPVersion int
const (
	CTMapIPv4 CTMapIPVersion = iota
	CTMapIPv6
)

type CtEndpoint added in v0.15.7

type CtEndpoint interface {
	GetID() uint64
}

CtEndpoint represents an endpoint for the functions required to manage conntrack maps for the endpoint.

type CtEntry

type CtEntry struct {
	RxPackets uint64 `align:"rx_packets"`
	RxBytes   uint64 `align:"$union0"`
	TxPackets uint64 `align:"tx_packets"`
	TxBytes   uint64 `align:"tx_bytes"`
	Lifetime  uint32 `align:"lifetime"`
	Flags     uint16 `align:"rx_closing"`
	// RevNAT is in network byte order
	RevNAT           uint16 `align:"rev_nat_index"`
	IfIndex          uint16 `align:"ifindex"`
	TxFlagsSeen      uint8  `align:"tx_flags_seen"`
	RxFlagsSeen      uint8  `align:"rx_flags_seen"`
	SourceSecurityID uint32 `align:"src_sec_id"`
	LastTxReport     uint32 `align:"last_tx_report"`
	LastRxReport     uint32 `align:"last_rx_report"`
}

CtEntry represents an entry in the connection tracking table.

func Lookup added in v0.15.7

func Lookup(epname string, srcAddr, dstAddr string, proto u8proto.U8proto, ingress bool) (*CtEntry, error)

Lookup opens a conntrack map if necessary, and does a lookup on it with a key constructed from the parameters 'epname' is a 5-digit representation of the endpoint ID if local maps are to be used, or "global" if global maps should be used.

func (*CtEntry) New added in v0.15.7

func (c *CtEntry) New() bpf.MapValue

func (*CtEntry) String added in v0.15.7

func (c *CtEntry) String() string

String returns the readable format

func (*CtEntry) StringWithTimeDiff added in v0.15.7

func (c *CtEntry) StringWithTimeDiff(toRemSecs func(uint32) string) string

type CtKey

type CtKey interface {
	bpf.MapKey

	// ToNetwork converts fields to network byte order.
	ToNetwork() CtKey

	// ToHost converts fields to host byte order.
	ToHost() CtKey

	// Dump contents of key to sb. Returns true if successful.
	Dump(sb *strings.Builder, reverse bool) bool

	// GetFlags flags containing the direction of the CtKey.
	GetFlags() uint8

	GetTupleKey() tuple.TupleKey
}

type CtKey4

type CtKey4 struct {
	tuple.TupleKey4
}

func (*CtKey4) Dump

func (k *CtKey4) Dump(sb *strings.Builder, reverse bool) bool

Dump writes the contents of key to sb and returns true if the value for next header in the key is nonzero.

func (*CtKey4) GetFlags added in v0.15.7

func (k *CtKey4) GetFlags() uint8

GetFlags returns the tuple's flags.

func (*CtKey4) GetTupleKey added in v0.15.7

func (k *CtKey4) GetTupleKey() tuple.TupleKey

func (*CtKey4) New added in v0.15.7

func (k *CtKey4) New() bpf.MapKey

func (*CtKey4) String added in v0.9.0

func (k *CtKey4) String() string

func (*CtKey4) ToHost added in v0.10.0

func (k *CtKey4) ToHost() CtKey

ToHost converts CtKey ports to host byte order.

func (*CtKey4) ToNetwork added in v0.10.0

func (k *CtKey4) ToNetwork() CtKey

ToNetwork converts CtKey4 ports to network byte order.

type CtKey4Global added in v0.9.0

type CtKey4Global struct {
	tuple.TupleKey4Global
}

func (*CtKey4Global) Dump added in v0.9.0

func (k *CtKey4Global) Dump(sb *strings.Builder, reverse bool) bool

Dump writes the contents of key to sb and returns true if the value for next header in the key is nonzero.

func (*CtKey4Global) GetFlags added in v0.15.7

func (k *CtKey4Global) GetFlags() uint8

GetFlags returns the tuple's flags.

func (*CtKey4Global) GetTupleKey added in v0.15.7

func (k *CtKey4Global) GetTupleKey() tuple.TupleKey

func (*CtKey4Global) New added in v0.15.7

func (k *CtKey4Global) New() bpf.MapKey

func (*CtKey4Global) String added in v0.9.0

func (k *CtKey4Global) String() string

func (*CtKey4Global) ToHost added in v0.10.0

func (k *CtKey4Global) ToHost() CtKey

ToHost converts ports to host byte order.

This is necessary to prevent callers from implicitly converting the CtKey4Global type here into a local key type in the nested TupleKey4Global field.

func (*CtKey4Global) ToNetwork added in v0.10.0

func (k *CtKey4Global) ToNetwork() CtKey

ToNetwork converts ports to network byte order.

This is necessary to prevent callers from implicitly converting the CtKey4Global type here into a local key type in the nested TupleKey4Global field.

type CtKey6

type CtKey6 struct {
	tuple.TupleKey6
}

CtKey6 is needed to provide CtEntry type to Lookup values

func (*CtKey6) Dump

func (k *CtKey6) Dump(sb *strings.Builder, reverse bool) bool

Dump writes the contents of key to sb and returns true if the value for next header in the key is nonzero.

func (*CtKey6) GetFlags added in v0.15.7

func (k *CtKey6) GetFlags() uint8

GetFlags returns the tuple's flags.

func (*CtKey6) GetTupleKey added in v0.15.7

func (k *CtKey6) GetTupleKey() tuple.TupleKey

func (*CtKey6) New added in v0.15.7

func (k *CtKey6) New() bpf.MapKey

func (*CtKey6) String added in v0.9.0

func (k *CtKey6) String() string

func (*CtKey6) ToHost added in v0.10.0

func (k *CtKey6) ToHost() CtKey

ToHost converts CtKey ports to host byte order.

func (*CtKey6) ToNetwork added in v0.10.0

func (k *CtKey6) ToNetwork() CtKey

ToNetwork converts CtKey6 ports to network byte order.

type CtKey6Global added in v0.9.0

type CtKey6Global struct {
	tuple.TupleKey6Global
}

CtKey6Global is needed to provide CtEntry type to Lookup values

func (*CtKey6Global) Dump added in v0.9.0

func (k *CtKey6Global) Dump(sb *strings.Builder, reverse bool) bool

Dump writes the contents of key to sb and returns true if the value for next header in the key is nonzero.

func (*CtKey6Global) GetFlags added in v0.15.7

func (k *CtKey6Global) GetFlags() uint8

GetFlags returns the tuple's flags.

func (*CtKey6Global) GetTupleKey added in v0.15.7

func (k *CtKey6Global) GetTupleKey() tuple.TupleKey

func (*CtKey6Global) New added in v0.15.7

func (k *CtKey6Global) New() bpf.MapKey

func (*CtKey6Global) String added in v0.9.0

func (k *CtKey6Global) String() string

func (*CtKey6Global) ToHost added in v0.10.0

func (k *CtKey6Global) ToHost() CtKey

ToHost converts ports to host byte order.

This is necessary to prevent callers from implicitly converting the CtKey6Global type here into a local key type in the nested TupleKey6Global field.

func (*CtKey6Global) ToNetwork added in v0.10.0

func (k *CtKey6Global) ToNetwork() CtKey

ToNetwork converts ports to network byte order.

This is necessary to prevent callers from implicitly converting the CtKey6Global type here into a local key type in the nested TupleKey6Global field.

type CtMap

type CtMap interface {
	Open() error
	Close() error
	Path() (string, error)
	DumpEntries() (string, error)
	DumpWithCallback(bpf.DumpCallback) error
}

CtMap interface represents a CT map, and can be reused to implement mock maps for unit tests.

type CtMapRecord added in v0.15.7

type CtMapRecord struct {
	Key   CtKey
	Value CtEntry
}

A "Record" designates a map entry (key + value), but avoid "entry" because of possible confusion with "CtEntry" (actually the value part). This type is used for JSON dump and mock maps.

type EmitCTEntryCBFunc added in v0.15.7

type EmitCTEntryCBFunc func(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, nextHdr, flags uint8, entry *CtEntry)

EmitCTEntryCBFunc is the type used for the EmitCTEntryCB callback in GCFilter

type GCFilter added in v0.10.0

type GCFilter struct {
	// RemoveExpired enables removal of all entries that have expired
	RemoveExpired bool

	// Time is the reference timestamp to remove expired entries. If
	// RemoveExpired is true and lifetime is lesser than Time, the entry is
	// removed
	Time uint32

	// ValidIPs is the list of valid IPs to scrub all entries for which the
	// source or destination IP is *not* matching one of the valid IPs.
	ValidIPs map[netip.Addr]struct{}

	// MatchIPs is the list of IPs to remove from the conntrack table
	MatchIPs map[netip.Addr]struct{}

	// EmitCTEntry is called, when non-nil, if filtering by ValidIPs and MatchIPs
	// passes. It has no impact on CT GC, but can be used to iterate over valid
	// CT entries.
	EmitCTEntryCB EmitCTEntryCBFunc
}

GCFilter contains the necessary fields to filter the CT maps. Filtering by endpoint requires both EndpointID to be > 0 and EndpointIP to be not nil.

type Map added in v0.15.7

type Map struct {
	bpf.Map
	// contains filtered or unexported fields
}

Map represents an instance of a BPF connection tracking map. It also implements the CtMap interface.

func GetClusterCTMaps added in v0.15.7

func GetClusterCTMaps(clusterID uint32, ipv4, ipv6 bool) ([]*Map, error)

GetClusterCTMaps returns the per-cluster maps for the given cluster ID. The returned maps need to be opened by the caller, and are not guaranteed to exist.

func GlobalMaps added in v0.15.7

func GlobalMaps(ipv4, ipv6 bool) []*Map

GlobalMaps returns a slice of CT maps that are used globally by all endpoints that are not otherwise configured to use their own local maps. If ipv4 or ipv6 are false, the maps for that protocol will not be returned.

The returned maps are not yet opened.

func LocalMaps added in v0.15.7

func LocalMaps(e CtEndpoint, ipv4, ipv6 bool) []*Map

LocalMaps returns a slice of CT maps for the endpoint, which are local to the endpoint and not shared with other endpoints. If ipv4 or ipv6 are false, the maps for that protocol will not be returned.

The returned maps are not yet opened.

func (*Map) DumpEntries added in v0.15.7

func (m *Map) DumpEntries() (string, error)

DumpEntries iterates through Map m and writes the values of the ct entries in m to a string.

func (*Map) Flush added in v0.15.7

func (m *Map) Flush() int

Flush runs garbage collection for map m with the name mapType, deleting all entries. The specified map must be already opened using bpf.OpenMap().

type NatGCStats added in v0.15.7

type NatGCStats struct {
	*bpf.DumpStats

	// family is the address family
	Family gcFamily

	IngressAlive   uint32
	IngressDeleted uint32
	EgressDeleted  uint32
	EgressAlive    uint32
}

func PurgeOrphanNATEntries added in v0.15.7

func PurgeOrphanNATEntries(ctMapTCP, ctMapAny *Map) *NatGCStats

PurgeOrphanNATEntries removes orphan SNAT entries. We call an SNAT entry orphan if it does not have a corresponding CT entry.

Typically NAT entries should get removed along with their owning CT entry, as part of purgeCtEntry*(). But stale NAT entries can get left behind if the CT entry disappears for other reasons - for instance by LRU eviction, or when the datapath re-purposes the CT entry.

PurgeOrphanNATEntries() is triggered by the datapath via the GC signaling mechanism. When the datapath SNAT fails to find free mapping after SNAT_SIGNAL_THRES attempts, it sends the signal via the perf ring buffer. The consumer of the buffer invokes the function.

The SNAT is being used for the following cases:

  1. By NodePort BPF on an intermediate node before fwd'ing request from outside to a destination node.
  2. A packet from local endpoint sent to outside (BPF-masq).
  3. A packet from a host local application (i.e. running in the host netns) This is needed to prevent SNAT from hijacking such connections.
  4. By DSR on a backend node to SNAT responses with service IP+port before sending to a client.

In all 4 cases we create a CT_EGRESS CT entry. This allows the CT GC to remove corresponding SNAT entries. In the case of 4, old connections might instead be using a CT_INGRESS CT entry. See the unit test TestOrphanNatGC for more examples.

type PerClusterCTMap added in v0.15.7

type PerClusterCTMap struct {
	*bpf.Map
	// contains filtered or unexported fields
}

PerClusterCTMap is a special conntrack map created when we enable cluster-aware addressing. As the name says, it is per-cluster and tracks the connection from/to specific remote clusters. It is implemented as an array-of-maps which its index is a ClusterID.

Why can't we use global CT maps? That's because we currently don't have a good way of extending CT map's key without breaking user's connection. Thus, instead of extending existing CT map key with ClusterID, we chose to create CT map per-cluster. When we have a good way of extending global CT maps in the future, we should retire this entire file.

type PerClusterCTMapKey added in v0.15.7

type PerClusterCTMapKey struct {
	ClusterID uint32
}

func (*PerClusterCTMapKey) New added in v0.15.7

func (k *PerClusterCTMapKey) New() bpf.MapKey

func (*PerClusterCTMapKey) String added in v0.15.7

func (k *PerClusterCTMapKey) String() string

type PerClusterCTMapVal added in v0.15.7

type PerClusterCTMapVal struct {
	Fd uint32
}

func (*PerClusterCTMapVal) New added in v0.15.7

func (v *PerClusterCTMapVal) New() bpf.MapValue

func (*PerClusterCTMapVal) String added in v0.15.7

func (v *PerClusterCTMapVal) String() string

type PerClusterCTMapper added in v0.15.7

type PerClusterCTMapper interface {
	// Create enforces the presence of the outer per-cluster CT maps.
	OpenOrCreate() error
	// Close closes the outer per-cluster CT maps handlers.
	Close() error

	// CreateClusterNATMaps enforces the presence of the inner maps for
	// the given cluster ID. It must be called after that OpenOrCreate()
	// has returned successfully.
	CreateClusterCTMaps(clusterID uint32) error
	// DeleteClusterNATMaps deletes the inner maps for the given cluster ID.
	// It must be called after that OpenOrCreate() has returned successfully.
	DeleteClusterCTMaps(clusterID uint32) error

	// GetClusterCTMaps returns the per-cluster maps for each known cluster ID.
	// The returned maps need to be opened by the caller.
	GetAllClusterCTMaps() []*Map
}

An interface to manage the per-cluster CT maps.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL