Documentation ¶
Overview ¶
+groupName=maps
Index ¶
- Constants
- Variables
- func Create(path string) error
- func InitCallMaps(haveEgressCallMap bool) error
- func InitMapInfo(maxEntries int)
- func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error
- type CallKey
- type CallValue
- type PlumbingKey
- type PlumbingValue
- type PolicyEntriesDump
- type PolicyEntry
- type PolicyEntryDump
- type PolicyKey
- type PolicyMap
- func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) AllowKey(key PolicyKey, authType uint8, proxyPort uint16) error
- func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
- func (pm *PolicyMap) DeleteKey(key PolicyKey) error
- func (pm *PolicyMap) Deny(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) DenyKey(key PolicyKey) error
- func (pm *PolicyMap) Dump() (string, error)
- func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
- func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, ...) bool
- func (pm *PolicyMap) String() string
- type PolicyPlumbingMap
Constants ¶
const (
	// PolicyCallMapName is the name of the map to do tail calls into policy
	// enforcement programs.
	PolicyCallMapName = "cilium_call_policy"

	// PolicyEgressCallMapName is the name of the map to do tail calls into egress policy
	// enforcement programs.
	PolicyEgressCallMapName = "cilium_egresscall_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction.
	MapName = "cilium_policy_"

	// PolicyCallMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID.
	PolicyCallMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)

	// PressureMetricThreshold sets the threshold over which map pressure will
	// be reported for the policy map.
	PressureMetricThreshold = 0.1
)
const (
	NexthdrBits      = uint32(sizeofNexthdr) * 8
	DestPortBits     = uint32(sizeofDestPort) * 8
	FullPrefixBits   = NexthdrBits + DestPortBits
	StaticPrefixBits = uint32(sizeofPolicyKey-sizeofPrefixlen)*8 - FullPrefixBits
)
Variables ¶
var (
	// MaxEntries is the upper limit of entries in the per endpoint policy
	// table, i.e. the maximum number of peer identities that the endpoint could
	// send/receive traffic to/from. It is set by InitMapInfo(), but unit
	// tests use the initial value below.
	// The default value of this upper limit is 16384.
	MaxEntries = 16384
)
Functions ¶
func InitCallMaps ¶ added in v0.15.7
func InitCallMaps(haveEgressCallMap bool) error
InitCallMaps creates the policy call maps in the kernel.
func InitMapInfo ¶ added in v0.15.7
func InitMapInfo(maxEntries int)
InitMapInfo updates the map info defaults for policy maps.
func RemoveGlobalMapping ¶ added in v0.15.7
func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error
RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.
Types ¶
type CallKey ¶ added in v0.15.7
type CallKey struct {
// contains filtered or unexported fields
}
CallKey is the index into the prog array map.
type CallValue ¶ added in v0.15.7
type CallValue struct {
// contains filtered or unexported fields
}
CallValue is the program ID in the prog array map.
type PlumbingKey ¶ added in v0.15.7
type PlumbingKey struct {
// contains filtered or unexported fields
}
func (*PlumbingKey) New ¶ added in v0.15.7
func (k *PlumbingKey) New() bpf.MapKey
func (*PlumbingKey) String ¶ added in v0.15.7
func (k *PlumbingKey) String() string
type PlumbingValue ¶ added in v0.15.7
type PlumbingValue struct {
// contains filtered or unexported fields
}
func (*PlumbingValue) New ¶ added in v0.15.7
func (k *PlumbingValue) New() bpf.MapValue
func (*PlumbingValue) String ¶ added in v0.15.7
func (v *PlumbingValue) String() string
type PolicyEntriesDump ¶ added in v0.15.7
type PolicyEntriesDump []PolicyEntryDump
PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump
func (PolicyEntriesDump) Less ¶ added in v0.15.7
func (p PolicyEntriesDump) Less(i, j int) bool
Less is a function used to sort PolicyEntriesDump by Policy Type (Deny / Allow), TrafficDirection (Ingress / Egress) and Identity (ascending order).
func (PolicyEntriesDump) String ¶ added in v0.15.7
func (p PolicyEntriesDump) String() string
String returns a string representation of PolicyEntriesDump
type PolicyEntry ¶
type PolicyEntry struct {
	ProxyPortNetwork uint16           `align:"proxy_port"` // In network byte-order
	Flags            policyEntryFlags `align:"deny"`
	AuthType         uint8            `align:"auth_type"`
	Pad1             uint16           `align:"pad1"`
	Pad2             uint16           `align:"pad2"`
	Packets          uint64           `align:"packets"`
	Bytes            uint64           `align:"bytes"`
}
PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h.
func (*PolicyEntry) Add ¶
func (pe *PolicyEntry) Add(oPe PolicyEntry)
func (*PolicyEntry) GetProxyPort ¶ added in v0.15.7
func (pe *PolicyEntry) GetProxyPort() uint16
GetProxyPort returns the ProxyPortNetwork in host byte order
func (PolicyEntry) IsDeny ¶ added in v0.15.7
func (pe PolicyEntry) IsDeny() bool
func (*PolicyEntry) New ¶ added in v0.15.7
func (pe *PolicyEntry) New() bpf.MapValue
func (*PolicyEntry) String ¶
func (pe *PolicyEntry) String() string
type PolicyEntryDump ¶
type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}
type PolicyKey ¶ added in v0.15.7
type PolicyKey struct {
	Prefixlen        uint32 `align:"lpm_key"`
	Identity         uint32 `align:"sec_label"`
	TrafficDirection uint8  `align:"egress"`
	Nexthdr          uint8  `align:"protocol"`
	DestPortNetwork  uint16 `align:"dport"` // In network byte-order
}
PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h.
func NewKey ¶ added in v0.15.7
NewKey returns a PolicyKey representing the specified parameters in network byte-order.
func (*PolicyKey) GetDestPort ¶ added in v0.15.7
GetDestPort returns the DestPortNetwork in host byte order
func (*PolicyKey) GetPortMask ¶ added in v1.16.0
GetPortMask returns the port mask of the key
func (*PolicyKey) PortProtoString ¶ added in v0.15.7
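The prefix constants (NexthdrBits, DestPortBits, FullPrefixBits, StaticPrefixBits) together with the AllPorts wildcard decide how much of a PolicyKey the LPM trie compares. The following added example is not code from the Cilium project: it re-implements the documented key layout locally to show how Prefixlen is derived for an all-ports key, an exact-port key and an aligned port-range key, what port mask each prefix implies, and which of several overlapping keys a longest-prefix lookup selects. The local policyKey type, the newKey, portMask, swap16 and lookup functions, the direction encodings and the protocol numbers are this example's own assumptions; the package's NewKey and GetPortMask may differ in signature and detail.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unsafe"
)

// policyKey is a local copy of the documented PolicyKey layout (12 bytes: LPM
// prefix length, identity, direction, protocol, port). Example-only type.
type policyKey struct {
	Prefixlen        uint32
	Identity         uint32
	TrafficDirection uint8
	Nexthdr          uint8
	DestPortNetwork  uint16 // network byte order, as in the real map
}

// Same derivation as the package's prefix constants: every byte after the
// prefix length is matchable; identity and direction are always compared
// (StaticPrefixBits), protocol and port bits are added on demand.
const (
	sizeofPolicyKey = int(unsafe.Sizeof(policyKey{}))
	sizeofPrefixlen = int(unsafe.Sizeof(policyKey{}.Prefixlen))
	sizeofNexthdr   = int(unsafe.Sizeof(policyKey{}.Nexthdr))
	sizeofDestPort  = int(unsafe.Sizeof(policyKey{}.DestPortNetwork))

	NexthdrBits      = uint32(sizeofNexthdr) * 8                                   // 8
	DestPortBits     = uint32(sizeofDestPort) * 8                                  // 16
	FullPrefixBits   = NexthdrBits + DestPortBits                                  // 24
	StaticPrefixBits = uint32(sizeofPolicyKey-sizeofPrefixlen)*8 - FullPrefixBits // 40
)

// Assumed encodings for the example (not taken from the package).
const (
	Ingress  uint8  = 0
	Egress   uint8  = 1
	AllPorts uint16 = 0 // wildcard port, as documented
	ProtoTCP uint8  = 6
	ProtoUDP uint8  = 17
)

// swap16 converts a port between host and network byte order (self-inverse).
func swap16(p uint16) uint16 {
	var b [2]byte
	binary.BigEndian.PutUint16(b[:], p)
	return *(*uint16)(unsafe.Pointer(&b[0]))
}

// newKey builds a key whose prefix covers identity+direction, plus the protocol
// when either proto or port is given, plus the leading portPrefixLen (0..16)
// bits of the port: 16 is an exact port, 14 an aligned 4-port range.
func newKey(dir uint8, identity uint32, proto uint8, dport uint16, portPrefixLen uint8) policyKey {
	prefixLen := StaticPrefixBits
	if proto != 0 || dport != AllPorts {
		prefixLen += NexthdrBits
		if dport != AllPorts {
			prefixLen += uint32(portPrefixLen)
		}
	}
	return policyKey{Prefixlen: prefixLen, Identity: identity, TrafficDirection: dir,
		Nexthdr: proto, DestPortNetwork: swap16(dport)}
}

// portMask returns the host-order mask the key's prefix applies to the port:
// 0 when the port is wildcarded, 0xffff for an exact port. A prefix over the
// big-endian port bytes is a mask over the high bits of the host-order value.
func (k policyKey) portMask() uint16 {
	if k.Prefixlen <= StaticPrefixBits+NexthdrBits {
		return 0
	}
	portBits := k.Prefixlen - StaticPrefixBits - NexthdrBits
	return ^uint16(0) << (DestPortBits - portBits)
}

// lookup emulates a longest-prefix match over keys: a key covers the packet if
// identity and direction are equal, the protocol is equal whenever it is part
// of the prefix, and the masked ports agree. The longest covering prefix wins,
// so tcp/80 beats tcp/any, which beats the all-ports key.
func lookup(keys []policyKey, dir uint8, identity uint32, proto uint8, dport uint16) (policyKey, bool) {
	var best policyKey
	found := false
	for _, k := range keys {
		if k.Identity != identity || k.TrafficDirection != dir {
			continue
		}
		if k.Prefixlen > StaticPrefixBits && k.Nexthdr != proto {
			continue
		}
		m := k.portMask()
		if swap16(k.DestPortNetwork)&m != dport&m {
			continue
		}
		if !found || k.Prefixlen > best.Prefixlen {
			best, found = k, true
		}
	}
	return best, found
}

func main() {
	const id = 1234 // constructed peer identity
	keys := []policyKey{
		newKey(Ingress, id, 0, AllPorts, 0),        // any proto, any port (prefix 40)
		newKey(Ingress, id, ProtoTCP, AllPorts, 0), // tcp, any port (48)
		newKey(Ingress, id, ProtoTCP, 80, 16),      // tcp/80 exactly (64)
		newKey(Ingress, id, ProtoTCP, 8080, 14),    // tcp/8080-8083 (62)
	}
	probes := []struct {
		proto uint8
		port  uint16
	}{{ProtoTCP, 80}, {ProtoTCP, 8082}, {ProtoTCP, 443}, {ProtoUDP, 53}}
	for _, p := range probes {
		k, ok := lookup(keys, Ingress, id, p.proto, p.port)
		fmt.Printf("proto=%d port=%d matched=%v prefixlen=%d portmask=%#04x\n",
			p.proto, p.port, ok, k.Prefixlen, k.portMask())
	}
}
```

The example models only which key covers a packet; what the matched entry then means (allow, the deny flag, a proxy redirect via ProxyPortNetwork, the auth type) is carried by PolicyEntry and is not modelled here.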
type PolicyMap ¶
func OpenOrCreate ¶ added in v0.15.7
OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.
func (*PolicyMap) Allow ¶ added in v0.15.7
func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, authType uint8, proxyPort uint16) error
Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.
func (*PolicyMap) AllowKey ¶ added in v0.15.7
func (pm *PolicyMap) AllowKey(key PolicyKey, authType uint8, proxyPort uint16) error
AllowKey pushes an allow entry into the PolicyMap for the given PolicyKey `key`, with the given `authType` and `proxyPort`. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) Delete ¶ added in v0.15.7
func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error
Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.
func (*PolicyMap) DeleteEntry ¶ added in v0.15.7
func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.
func (*PolicyMap) DeleteKey ¶ added in v0.15.7
func (pm *PolicyMap) DeleteKey(key PolicyKey) error
DeleteKey deletes the key-value pair for the given PolicyKey `key` from the PolicyMap. Returns an error if deletion from the PolicyMap fails.
func (*PolicyMap) Deny ¶ added in v0.15.7
func (pm *PolicyMap) Deny(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error
Deny pushes an entry into the PolicyMap to deny traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
func (*PolicyMap) DenyKey ¶ added in v0.15.7
func (pm *PolicyMap) DenyKey(key PolicyKey) error
DenyKey pushes a deny entry into the PolicyMap for the given PolicyKey `key`. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) DumpToSlice ¶
func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
func (*PolicyMap) Exists ¶ added in v0.15.7
func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool
Exists determines whether the PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
type PolicyPlumbingMap ¶ added in v0.15.7
PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.
func OpenCallMap ¶ added in v0.15.7
func OpenCallMap(name string) (*PolicyPlumbingMap, error)
OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.