Documentation ¶
Overview ¶
+groupName=maps
Index ¶
- Constants
- Variables
- func Create(path string) error
- func InitCallMaps() error
- func InitMapInfo(maxEntries int)
- func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error
- type CallKey
- type CallValue
- type PlumbingKey
- type PlumbingValue
- type PolicyEntriesDump
- type PolicyEntry
- type PolicyEntryDump
- type PolicyKey
- type PolicyMap
- func (pm *PolicyMap) Allow(trafficDirection trafficdirection.TrafficDirection, ...) error
- func (pm *PolicyMap) AllowKey(key PolicyKey, authType uint8, proxyPort uint16) error
- func (pm *PolicyMap) Delete(trafficDirection trafficdirection.TrafficDirection, ...) error
- func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
- func (pm *PolicyMap) DeleteKey(key PolicyKey) error
- func (pm *PolicyMap) Deny(trafficDirection trafficdirection.TrafficDirection, ...) error
- func (pm *PolicyMap) DenyKey(key PolicyKey) error
- func (pm *PolicyMap) Dump() (string, error)
- func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
- func (pm *PolicyMap) DumpValid(cb func(key *PolicyKey, value *PolicyEntry)) error
- func (pm *PolicyMap) Exists(trafficDirection trafficdirection.TrafficDirection, ...) bool
- func (pm *PolicyMap) String() string
- type PolicyPlumbingMap
Constants ¶
const (
	// PolicyCallMapName is the name of the map to do tail calls into policy
	// enforcement programs.
	PolicyCallMapName = "cilium_call_policy"

	// PolicyEgressCallMapName is the name of the map to do tail calls into egress policy
	// enforcement programs.
	PolicyEgressCallMapName = "cilium_egresscall_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction.
	MapName = "cilium_policy_"

	// PolicyCallMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID.
	PolicyCallMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)

	// PressureMetricThreshold sets the threshold over which map pressure will
	// be reported for the policy map.
	PressureMetricThreshold = 0.1

	// SinglePortPrefixLen represents the mask argument required to lookup or
	// insert a single port key into the bpf map.
	SinglePortPrefixLen = uint8(16)
)
const (
	NexthdrBits      = uint32(sizeofNexthdr) * 8
	DestPortBits     = uint32(sizeofDestPort) * 8
	FullPrefixBits   = NexthdrBits + DestPortBits
	StaticPrefixBits = uint32(sizeofPolicyKey-sizeofPrefixlen)*8 - FullPrefixBits
)
Variables ¶
var (
	// MaxEntries is the upper limit of entries in the per endpoint policy
	// table, i.e. the maximum number of peer identities that the endpoint could
	// send/receive traffic to/from. It is set by InitMapInfo(), but unit
	// tests use the initial value below.
	// The default value of this upper limit is 16384.
	MaxEntries = 16384
)
Functions ¶
func InitCallMaps ¶ added in v0.15.7
func InitCallMaps() error
InitCallMaps creates the policy call maps in the kernel.
func InitMapInfo ¶ added in v0.15.7
func InitMapInfo(maxEntries int)
InitMapInfo updates the map info defaults for policy maps.
func RemoveGlobalMapping ¶ added in v0.15.7
func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error
RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint from the policy call map and, when haveEgressCallMap is set, from the egress policy call map as well.
Types ¶
type CallKey ¶ added in v0.15.7
type CallKey struct {
// contains filtered or unexported fields
}
CallKey is the index into the prog array map.
type CallValue ¶ added in v0.15.7
type CallValue struct {
// contains filtered or unexported fields
}
CallValue is the program ID in the prog array map.
type PlumbingKey ¶ added in v0.15.7
type PlumbingKey struct {
// contains filtered or unexported fields
}
func (*PlumbingKey) New ¶ added in v0.15.7
func (k *PlumbingKey) New() bpf.MapKey
func (*PlumbingKey) String ¶ added in v0.15.7
func (k *PlumbingKey) String() string
type PlumbingValue ¶ added in v0.15.7
type PlumbingValue struct {
// contains filtered or unexported fields
}
func (*PlumbingValue) New ¶ added in v0.15.7
func (k *PlumbingValue) New() bpf.MapValue
func (*PlumbingValue) String ¶ added in v0.15.7
func (v *PlumbingValue) String() string
type PolicyEntriesDump ¶ added in v0.15.7
type PolicyEntriesDump []PolicyEntryDump
PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump
func (PolicyEntriesDump) Less ¶ added in v0.15.7
func (p PolicyEntriesDump) Less(i, j int) bool
Less is a function used to sort PolicyEntriesDump by Policy Type (Deny / Allow), TrafficDirection (Ingress / Egress) and Identity (ascending order).
func (PolicyEntriesDump) String ¶ added in v0.15.7
func (p PolicyEntriesDump) String() string
String returns a string representation of PolicyEntriesDump
type PolicyEntry ¶
type PolicyEntry struct {
	ProxyPortNetwork uint16           `align:"proxy_port"` // In network byte-order
	Flags            policyEntryFlags `align:"deny"`
	AuthType         uint8            `align:"auth_type"`
	Pad1             uint32           `align:"pad1"`
	Packets          uint64           `align:"packets"`
	Bytes            uint64           `align:"bytes"`
}
PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h.
func (*PolicyEntry) Add ¶
func (pe *PolicyEntry) Add(oPe PolicyEntry)
func (*PolicyEntry) GetPrefixLen ¶
func (pe *PolicyEntry) GetPrefixLen() uint8
GetPrefixLen returns the prefix length for the protocol / destination port (0 to 24 bits: 8 bits for an unwildcarded protocol plus 0 to 16 bits for the port).
func (*PolicyEntry) GetProxyPort ¶ added in v0.15.7
func (pe *PolicyEntry) GetProxyPort() uint16
GetProxyPort returns the ProxyPortNetwork in host byte order
func (PolicyEntry) IsDeny ¶ added in v0.15.7
func (pe PolicyEntry) IsDeny() bool
func (*PolicyEntry) New ¶ added in v0.15.7
func (pe *PolicyEntry) New() bpf.MapValue
func (*PolicyEntry) String ¶
func (pe *PolicyEntry) String() string
type PolicyEntryDump ¶
type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}
type PolicyKey ¶ added in v0.15.7
type PolicyKey struct {
	Prefixlen        uint32 `align:"lpm_key"`
	Identity         uint32 `align:"sec_label"`
	TrafficDirection uint8  `align:"egress"`
	Nexthdr          uint8  `align:"protocol"`
	DestPortNetwork  uint16 `align:"dport"` // In network byte-order
}
PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h.
func NewKey ¶ added in v0.15.7
func NewKey(trafficDirection trafficdirection.TrafficDirection, id identity.NumericIdentity, proto u8proto.U8proto, dport uint16, portPrefixLen uint8) PolicyKey
NewKey returns a PolicyKey representing the specified parameters in network byte-order.
func (*PolicyKey) GetDestPort ¶ added in v0.15.7
GetDestPort returns the DestPortNetwork in host byte order
func (*PolicyKey) GetPortMask ¶ added in v1.16.0
GetPortMask returns the port mask of the key
func (*PolicyKey) GetPortPrefixLen ¶
GetPortPrefixLen returns the prefix length applicable to the port in the key
func (*PolicyKey) PortProtoString ¶ added in v0.15.7
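The following is an added, stand-alone model of how a PolicyKey is built and matched; it is not code from the policymap package and does not import Cilium. It reproduces the prefix rule spelled out by the constants and the NewKey / GetPortPrefixLen / GetPortMask doc comments above (40 static bits for identity and direction, 8 more for an unwildcarded protocol, then 0 to 16 port bits), stores the port in network byte order, and runs a longest-prefix-match lookup over the key bytes the way the kernel LPM trie does. Assumptions are marked in comments: the numeric values of Ingress/Egress, a little-endian host for the host-order fields and the byte swap in hostToNetwork16, a PolicyEntry reduced to the two fields the lookup uses, and a constructed sample policy (identities 1234 and 5678, proxy port 15001) that is not taken from any cluster.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// policy_key is 12 bytes: lpm_key u32, sec_label u32, egress u8, protocol u8,
// dport u16. The derived constants follow the package's definitions.
const (
	sizeofPolicyKey  = 12
	sizeofPrefixlen  = 4
	NexthdrBits      = uint32(1) * 8                                               // 8
	DestPortBits     = uint32(2) * 8                                               // 16
	FullPrefixBits   = NexthdrBits + DestPortBits                                  // 24
	StaticPrefixBits = uint32(sizeofPolicyKey-sizeofPrefixlen)*8 - FullPrefixBits // 40

	SinglePortPrefixLen = uint8(16)
	AllPorts            = uint16(0)
	Ingress             = uint8(0) // assumed numeric values of trafficdirection
	Egress              = uint8(1)
)

type PolicyKey struct {
	Prefixlen        uint32
	Identity         uint32
	TrafficDirection uint8
	Nexthdr          uint8
	DestPortNetwork  uint16 // network byte order, as in the real key
}

// PolicyEntry keeps only the fields this example needs.
type PolicyEntry struct {
	Deny      bool
	ProxyPort uint16
}

// hostToNetwork16 is a plain byte swap: correct on the little-endian hosts this
// example assumes (the package uses its byteorder helpers instead).
func hostToNetwork16(v uint16) uint16 { return bits.ReverseBytes16(v) }

// NewKey applies the documented prefix rule: identity and direction (40 bits) are
// always matched; the protocol byte joins the prefix when proto or a port is
// given; the port contributes portPrefixLen bits only when dport != 0.
func NewKey(dir uint8, id uint32, proto uint8, dport uint16, portPrefixLen uint8) PolicyKey {
	prefix := StaticPrefixBits
	if proto != 0 || dport != AllPorts {
		prefix += NexthdrBits
		if dport != AllPorts {
			prefix += uint32(portPrefixLen)
		}
	}
	return PolicyKey{Prefixlen: prefix, Identity: id, TrafficDirection: dir,
		Nexthdr: proto, DestPortNetwork: hostToNetwork16(dport)}
}

func (k PolicyKey) GetDestPort() uint16 { return hostToNetwork16(k.DestPortNetwork) }

func (k PolicyKey) GetPortPrefixLen() uint8 {
	if k.Prefixlen <= StaticPrefixBits+NexthdrBits {
		return 0
	}
	return uint8(k.Prefixlen - StaticPrefixBits - NexthdrBits)
}

// GetPortMask is the 16-bit mask implied by the port prefix: /13 gives 0xfff8.
func (k PolicyKey) GetPortMask() uint16 { return ^(uint16(0xffff) >> k.GetPortPrefixLen()) }

// lpmData is the memory image of the key after the prefixlen field, which is
// what the kernel LPM trie compares bit by bit (host-order fields little-endian).
func (k PolicyKey) lpmData() [8]byte {
	var b [8]byte
	binary.LittleEndian.PutUint32(b[0:], k.Identity)
	b[4], b[5] = k.TrafficDirection, k.Nexthdr
	binary.LittleEndian.PutUint16(b[6:], k.DestPortNetwork) // lands as big-endian port bytes
	return b
}

// prefixMatch reports whether the first nbits of a and b are equal.
func prefixMatch(a, b [8]byte, nbits uint32) bool {
	full, rem := nbits/8, nbits%8
	for i := uint32(0); i < full; i++ {
		if a[i] != b[i] {
			return false
		}
	}
	return rem == 0 || (a[full]^b[full])>>(8-rem) == 0
}

// Lookup models the datapath decision: the packet key carries the full 64-bit
// prefix and the entry with the longest matching prefix wins. The agent
// pre-computes the key set so that this single lookup yields the intended verdict.
func Lookup(m map[PolicyKey]PolicyEntry, dir uint8, id uint32, proto uint8, dport uint16) (PolicyEntry, bool) {
	pkt := NewKey(dir, id, proto, dport, SinglePortPrefixLen).lpmData()
	var best PolicyEntry
	bestLen, found := uint32(0), false
	for k, e := range m {
		if prefixMatch(k.lpmData(), pkt, k.Prefixlen) && (!found || k.Prefixlen > bestLen) {
			best, bestLen, found = e, k.Prefixlen, true
		}
	}
	return best, found
}

// SamplePolicy is a constructed endpoint policy map, not taken from a cluster.
func SamplePolicy() map[PolicyKey]PolicyEntry {
	return map[PolicyKey]PolicyEntry{
		NewKey(Ingress, 1234, 6, 8080, 13):                  {},                 // allow TCP 8080-8087 from identity 1234
		NewKey(Ingress, 1234, 6, 8081, SinglePortPrefixLen): {Deny: true},       // more specific deny for TCP 8081
		NewKey(Ingress, 5678, 17, AllPorts, 0):              {},                 // allow any UDP port from identity 5678
		NewKey(Egress, 1234, 6, 443, SinglePortPrefixLen):   {ProxyPort: 15001}, // egress TCP 443 redirected to a proxy
	}
}

func main() {
	m := SamplePolicy()
	for _, port := range []uint16{8083, 8081, 8088} {
		e, ok := Lookup(m, Ingress, 1234, 6, port)
		fmt.Printf("ingress id=1234 tcp/%d: found=%v deny=%v\n", port, ok, e.Deny)
	}
}
```

Two points the model makes visible: a port range is expressed purely through the prefix length (8080/13 covers 8080-8087 and nothing else, because the low three bits of the port fall outside the prefix), and a single-port entry at prefix 64 always beats a range entry at prefix 61 for the same identity, direction and protocol, which is how a more specific deny overrides a broader allow. Since the trie compares the key's memory image, the same prefix length stored in the value (GetPrefixLen on PolicyEntry) is what lets DumpValid detect entries whose key and value disagree.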
type PolicyMap ¶
func OpenOrCreate ¶ added in v0.15.7
OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.
func (*PolicyMap) Allow ¶ added in v0.15.7
func (pm *PolicyMap) Allow(trafficDirection trafficdirection.TrafficDirection, id identity.NumericIdentity, proto u8proto.U8proto, dport uint16, portPrefixLen uint8, authType uint8, proxyPort uint16) error
Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.
func (*PolicyMap) AllowKey ¶ added in v0.15.7
AllowKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) Delete ¶ added in v0.15.7
func (pm *PolicyMap) Delete(trafficDirection trafficdirection.TrafficDirection, id identity.NumericIdentity, proto u8proto.U8proto, dport uint16, portPrefixLen uint8) error
Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.
func (*PolicyMap) DeleteEntry ¶ added in v0.15.7
func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.
func (*PolicyMap) DeleteKey ¶ added in v0.15.7
DeleteKey deletes the key-value pair from the given PolicyMap with PolicyKey k. Returns an error if deletion from the PolicyMap fails.
func (*PolicyMap) Deny ¶ added in v0.15.7
func (pm *PolicyMap) Deny(trafficDirection trafficdirection.TrafficDirection, id identity.NumericIdentity, proto u8proto.U8proto, dport uint16, portPrefixLen uint8) error
Deny pushes an entry into the PolicyMap to deny traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
func (*PolicyMap) DenyKey ¶ added in v0.15.7
DenyKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) DumpToSlice ¶
func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
func (*PolicyMap) DumpValid ¶
func (pm *PolicyMap) DumpValid(cb func(key *PolicyKey, value *PolicyEntry)) error
DumpValid calls 'cb' for each key/value in the policy map where the prefix length fields in the key and value agree. This should be used to filter out invalid entries so that they will be rewritten with the valid values.
func (*PolicyMap) Exists ¶ added in v0.15.7
func (pm *PolicyMap) Exists(trafficDirection trafficdirection.TrafficDirection, id identity.NumericIdentity, proto u8proto.U8proto, dport uint16, portPrefixLen uint8) bool
Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
type PolicyPlumbingMap ¶ added in v0.15.7
PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.
func OpenCallMap ¶ added in v0.15.7
func OpenCallMap(name string) (*PolicyPlumbingMap, error)
OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.