Documentation ¶
Overview ¶
Package linux_defaults provides the Linux datapath defaults
Index ¶
Constants ¶
const ( // RouteTableIPSec is the default table ID to use for IPSec routing rules RouteTableIPSec = 200 // RouteTableVtep is the default table ID to use for VTEP routing rules RouteTableVtep = 202 // RouteTableToProxy is the default table ID to use routing rules to the proxy. RouteTableToProxy = 2004 // RouteTableFromProxy is the default table ID to use routing rules from the proxy. RouteTableFromProxy = 2005 // RouteTableInterfacesOffset is the offset for the per-ENI routing tables. // Each ENI interface will have its own table starting with this offset. It // is 10 because it is highly unlikely to collide with the main routing // table which is between 253-255. See ip-route(8). RouteTableInterfacesOffset = 10 // MarkProxyToWorld is the default mark to use to indicate that a packet // from proxy needs to be sent to the world. MarkProxyToWorld = 0x800 // RouteMarkDecrypt is the default route mark to use to indicate datapath // needs to decrypt a packet. RouteMarkDecrypt = MagicMarkDecrypt // RouteMarkDecryptedOverlay is the output mark used for EncryptedOverlay // XFRM policies. // // When this mark is present on a packet it indicates that overlay traffic // was decrypted by XFRM and should be forwarded to a tunnel device for // decapsulation. RouteMarkDecryptedOverlay = MagicMarkDecryptedOverlay // RouteMarkEncrypt is the default route mark to use to indicate datapath // needs to encrypt a packet. RouteMarkEncrypt = MagicMarkEncrypt // RouteMarkMask is the mask required for the route mark value RouteMarkMask = 0xF00 // OutputMarkMask is the mask to use in output-mark of XFRM states. It is // used to clear the node ID and the SPI from the packet mark. OutputMarkMask = 0xFFFFFF00 // RouteMarkToProxy is the default route mark to use to indicate // datapath needs to send the packet to the proxy. // // Specifically, this is used in the L7 ingress policy tunneling case // where after decryption, the packet is rerouted back into // `cilium_host` with said mark to indicate the destination as the // proxy. RouteMarkToProxy = MagicMarkIsToProxy // MarkMultinodeNodeport is used for AWS ENI to mark traffic from // another node, so that it gets routed back through the relevant // interface. MarkMultinodeNodeport = 0x80 // MaskMultinodeNodeport is the mask associated with the // RouterMarkNodePort MaskMultinodeNodeport = 0x80 // RTProto is the protocol we install our fib rules and routes with. Use the // kernel proto to make sure systemd-networkd doesn't interfere with these // rules (see networkd config directive ManageForeignRoutingPolicyRules, set // to 'yes' by default). RTProto = unix.RTPROT_KERNEL // RulePriorityToProxyIngress is the priority of the routing rule installed by // the proxy package for redirecting inbound packets to the proxy. RulePriorityToProxyIngress = 9 // RulePriorityFromProxy is the priority of the routing rule installed by // the proxy package for redirecting packets from the proxy. RulePriorityFromProxy = 10 // RulePriorityIngress is the priority of the rule used for ingress routing // of endpoints. This priority is after encryption and proxy rules, and // before the local table priority. RulePriorityIngress = 20 // RulePriorityLocalLookup is the priority for the local lookup rule which is // moved on init from 0 RulePriorityLocalLookup = 100 // RulePriorityEgress is the priority of the rule used for egress routing // of endpoints. This priority is after the local table priority. RulePriorityEgress = 110 // RulePriorityEgress is the v2 of the priority of the rule used for egress // routing of endpoints. This priority is after the local table priority. // // Because of https://github.com/cilium/cilium/issues/14336, we must use a // new priority value to disambiguate which rules are still under the old // scheme. RulePriorityEgressv2 = 111 // RulePriorityNodeport is the priority of the rule used with AWS ENI to // make sure that lookups for multi-node NodePort traffic are NOT done // from the table for the VPC to which the endpoint's CIDR is // associated, but from the main routing table instead. // This priority is before the egress priority. RulePriorityNodeport = RulePriorityEgress - 1 // RulePriorityVtep is the priority of the rule used for routing packets to VTEP device RulePriorityVtep = 112 // IPSec offset value for node rules IPsecMaxKeyVersion = 15 // IPsecMarkMaskNodeID is the mask used for the node ID. IPsecMarkMaskNodeID = 0xFFFF0000 // IPsecMarkBitMask is the mask used for the encrypt and decrypt bits. IPsecMarkBitMask = 0x0F00 // IPsecOldMarkMaskOut is the mask that was previously used. It can be // removed in Cilium v1.17. IPsecOldMarkMaskOut = 0xFF00 // IPsecMarkMask is the mask required for the IPsec SPI, node ID, and encrypt/decrypt bits IPsecMarkMaskOut = IPsecOldMarkMaskOut | IPsecMarkMaskNodeID // IPsecMarkMaskIn is the mask required for the IPsec node ID and encrypt/decrypt bits IPsecMarkMaskIn = IPsecMarkBitMask | IPsecMarkMaskNodeID // IPsecFwdPriority is the priority of the fwd rules placed by IPsec IPsecFwdPriority = 0x0B9F // IPsecXFRMMarkSPIShift defines how many bits the SPI is shifted when // encoded in a XfrmMark IPsecXFRMMarkSPIShift = 12 )
Linux specific constants used in Linux datapath
const ( // MagicMarkHostMask can be used to fetch the host/proxy-relevant magic // bits from a mark. MagicMarkHostMask int = 0x0F00 // MagicMarkProxyMask can be used to fetch the proxy-relevant magic // bits from a mark. MagicMarkProxyMask int = 0x0E00 // MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic // bits from a mark for proxy reply traffic. MagicMarkProxyNoIDMask int = 0xFFFFFEFF // MagicMarkIsProxyEPID can be used in conjunction with // MagicMarkProxyMask to determine whether the mark is indicating that // traffic is sourced from a proxy prior to endpoint policy enforcement. MagicMarkIsProxyEPID int = 0x0800 // MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask // to determine whether the mark is indicating that traffic is sourced // from a proxy. MagicMarkIsProxy int = 0x0A00 // MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask // to determine whether the mark is indicating that traffic is destined // to a proxy. MagicMarkIsToProxy uint32 = 0x0200 MagicMarkSNATDone int = 0x0300 // MagicMarkOverlay is set by the to-overlay program, and can be used // to identify cilium-managed overlay traffic. MagicMarkOverlay int = 0x0400 // MagicMarkProxyEgressEPID determines that the traffic is sourced from // the proxy which is capturing traffic before it is subject to egress // policy enforcement that must be done after the proxy. The identity // stored in the mark is source Endpoint ID. // // Note that this is not used from Go code, but is included here to // document this pattern. This must match the definition of // MARK_MAGIC_PROXY_EGRESS_EPID in the datapath, and the Envoy code in // cilium/proxy/cilium/bpf_metadata.cc MagicMarkProxyEgressEPID int = 0x0900 // MagicMarkIngress determines that the traffic is sourced from the // proxy which is applying Ingress policy MagicMarkIngress int = 0x0A00 // MagicMarkEgress determines that the traffic is sourced from the // proxy which is applying Egress policy MagicMarkEgress int = 0x0B00 // MagicMarkHost determines that the traffic is sourced from the local // host and not from a proxy. MagicMarkHost int = 0x0C00 // MagicMarkIdentity determines that the traffic carries a security // identity in the skb->mark MagicMarkIdentity int = 0x0F00 // MagicMarkK8sMasq determines that the traffic should be masqueraded // by kube-proxy in kubernetes environments. MagicMarkK8sMasq int = 0x4000 // MagicMarkK8sDrop determines that the traffic should be dropped in // kubernetes environments. MagicMarkK8sDrop int = 0x8000 // MagicMarkWireGuardEncrypted is set by the WireGuard tunnel device // in order to indicate that a packet has been encrypted, and that there // is no need to forward it again to the WG tunnel netdev. // // The mark invades the K8s mark space described above. This is because // some packets might carry a security identity which is indicated with // MagicMarkIdentity which takes all 4 bits. The LSB bit which we take // from the K8s space is not used, so this is fine). I.e., the LSB bit is // 0x1000, and the K8s marks are 0x4000 and 0x8000. So both are not // interfering with that bit. MagicMarkWireGuardEncrypted int = 0x1E00 // MagicMarkDecrypt is the packet mark used to indicate the datapath needs // to decrypt a packet. MagicMarkDecrypt = 0x0D00 // MagicMarkDecryptedOverlay indicates to the datapath that the packet // was IPsec decrypted and now contains a vxlan header. // // When this mark is present on a packet it indicates that overlay traffic // was decrypted by XFRM and should be forwarded to a tunnel device for // decapsulation. MagicMarkDecryptedOverlay = 0x1D00 // MagicMarkEncrypt is the packet mark to use to indicate datapath // needs to encrypt a packet. MagicMarkEncrypt = 0x0E00 )
The skb mark is used to transmit both identity and special markers to identify traffic from and to proxies. The mark field is being used in the following way:
1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-------------------------------+-------+-------+---------------+ |L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U| +-------------------------------+-------+-------+---------------+ identity k8s mark identity
Identity (24 bits):
+-----------------------------------------------+ |U U U U U U U U|L L L L L L L L L L L L L L L L| +-----------------------------------------------+ 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
Kubernetes Mark (4 bits; see MagicMarkWireGuardEncrypted for usage of some of K8s mark space): R R R R 0 1 0 0 Masquerade 1 0 0 0 Drop
Cilium Mark (4 bits): M M M M (see MARK_MAGIC_* in bpf/lib/common.h)
Variables ¶
This section is empty.
Functions ¶
func GetMagicProxyMark ¶
getMagicMark returns the magic marker with which each packet must be marked. The mark is different depending on whether the proxy is injected at ingress or egress.
Types ¶
This section is empty.