policymap

package
v1.7.11
This package is not in the latest version of its module.
Published: Oct 28, 2020 License: Apache-2.0 Imports: 10 Imported by: 88

Documentation

Overview

+groupName=maps

Constants

const (
	// CallMapName is the name of the map to do tail calls into policy
	// enforcement programs
	CallMapName = "cilium_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction.
	MapName = CallMapName + "_"

	// ProgArrayMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID.
	ProgArrayMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)
)

Variables

var (

	// MaxEntries is the upper limit of entries in the per endpoint policy
	// table
	MaxEntries = 16384
)

Functions

func CallString added in v0.15.7

func CallString(id uint16) string

CallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.

Derived from __section_tail(CILIUM_MAP_CALLS, NAME) per bpf/lib/tailcall.h.

func InitMapInfo added in v0.15.7

func InitMapInfo(maxEntries int)

InitMapInfo updates the map info defaults for policy maps.

func RemoveGlobalMapping added in v0.15.7

func RemoveGlobalMapping(id uint32) error

RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.

Types

type PlumbingKey added in v0.15.7

type PlumbingKey struct {
	// contains filtered or unexported fields
}

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey

func (*PlumbingKey) DeepCopy added in v1.5.1

func (in *PlumbingKey) DeepCopy() *PlumbingKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingKey.

func (*PlumbingKey) DeepCopyInto added in v1.5.1

func (in *PlumbingKey) DeepCopyInto(out *PlumbingKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PlumbingKey) DeepCopyMapKey added in v1.5.1

func (in *PlumbingKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*PlumbingKey) GetKeyPtr added in v1.5.1

func (k *PlumbingKey) GetKeyPtr() unsafe.Pointer

func (*PlumbingKey) NewValue added in v1.5.1

func (k *PlumbingKey) NewValue() bpf.MapValue

func (*PlumbingKey) String added in v0.15.7

func (k *PlumbingKey) String() string

type PlumbingValue added in v0.15.7

type PlumbingValue struct {
	// contains filtered or unexported fields
}

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue

func (*PlumbingValue) DeepCopy added in v1.5.1

func (in *PlumbingValue) DeepCopy() *PlumbingValue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingValue.

func (*PlumbingValue) DeepCopyInto added in v1.5.1

func (in *PlumbingValue) DeepCopyInto(out *PlumbingValue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PlumbingValue) DeepCopyMapValue added in v1.5.1

func (in *PlumbingValue) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*PlumbingValue) GetValuePtr added in v1.5.1

func (v *PlumbingValue) GetValuePtr() unsafe.Pointer

func (*PlumbingValue) String added in v0.15.7

func (v *PlumbingValue) String() string

type PolicyEntriesDump added in v0.15.7

type PolicyEntriesDump []PolicyEntryDump

PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump

func (PolicyEntriesDump) Less added in v0.15.7

func (p PolicyEntriesDump) Less(i, j int) bool

Less returns true if the element at index `i` has a lower TrafficDirection than the element at index `j`, or if both elements have the same TrafficDirection and the Identity of element `i` is lower than the Identity of element `j`.

type PolicyEntry

type PolicyEntry struct {
	ProxyPort uint16 `align:"proxy_port"` // In network byte-order
	Pad0      uint16 `align:"pad0"`
	Pad1      uint16 `align:"pad1"`
	Pad2      uint16 `align:"pad2"`
	Packets   uint64 `align:"packets"`
	Bytes     uint64 `align:"bytes"`
}

PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h.

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue

func (*PolicyEntry) Add

func (pe *PolicyEntry) Add(oPe PolicyEntry)

func (*PolicyEntry) DeepCopy added in v1.5.1

func (in *PolicyEntry) DeepCopy() *PolicyEntry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyEntry.

func (*PolicyEntry) DeepCopyInto added in v1.5.1

func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyEntry) DeepCopyMapValue added in v1.5.1

func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*PolicyEntry) GetValuePtr added in v1.5.0

func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer

func (*PolicyEntry) NewValue added in v1.5.0

func (pe *PolicyEntry) NewValue() bpf.MapValue

func (*PolicyEntry) String

func (pe *PolicyEntry) String() string

type PolicyEntryDump

type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}

type PolicyKey added in v0.15.7

type PolicyKey struct {
	Identity         uint32 `align:"sec_label"`
	DestPort         uint16 `align:"dport"` // In network byte-order
	Nexthdr          uint8  `align:"protocol"`
	TrafficDirection uint8  `align:"egress"`
}

PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h.

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey

func (*PolicyKey) DeepCopy added in v1.5.1

func (in *PolicyKey) DeepCopy() *PolicyKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyKey.

func (*PolicyKey) DeepCopyInto added in v1.5.1

func (in *PolicyKey) DeepCopyInto(out *PolicyKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyKey) DeepCopyMapKey added in v1.5.1

func (in *PolicyKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*PolicyKey) GetKeyPtr added in v1.5.0

func (key *PolicyKey) GetKeyPtr() unsafe.Pointer

func (*PolicyKey) NewValue added in v1.5.0

func (key *PolicyKey) NewValue() bpf.MapValue

func (*PolicyKey) String added in v0.15.7

func (key *PolicyKey) String() string

func (*PolicyKey) ToHost added in v1.5.0

func (key *PolicyKey) ToHost() PolicyKey

ToHost returns a copy of key with fields converted from network byte-order to host-byte-order if necessary.

func (*PolicyKey) ToNetwork added in v1.5.0

func (key *PolicyKey) ToNetwork() PolicyKey

ToNetwork returns a copy of key with fields converted from host byte-order to network-byte-order if necessary.

type PolicyMap

type PolicyMap struct {
	*bpf.Map
}

func Open added in v0.15.7

func Open(path string) (*PolicyMap, error)

Open opens the policymap at the specified path.

func OpenOrCreate added in v0.15.7

func OpenOrCreate(path string) (*PolicyMap, bool, error)

OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.

func (*PolicyMap) Allow added in v0.15.7

func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, proxyPort uint16) error

Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.

func (*PolicyMap) AllowKey added in v0.15.7

func (pm *PolicyMap) AllowKey(k PolicyKey, proxyPort uint16) error

AllowKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.

func (*PolicyMap) Delete added in v0.15.7

func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error

Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.

func (*PolicyMap) DeleteEntry added in v0.15.7

func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error

DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.

func (*PolicyMap) DeleteKeyWithErrno added in v1.6.0

func (pm *PolicyMap) DeleteKeyWithErrno(key PolicyKey) (error, syscall.Errno)

DeleteKeyWithErrno deletes the key-value pair with PolicyKey `key` from the given PolicyMap. Returns an error, together with the underlying syscall errno, if deletion from the PolicyMap fails.

func (*PolicyMap) Dump

func (pm *PolicyMap) Dump() (string, error)

func (*PolicyMap) DumpToSlice

func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)

func (*PolicyMap) Exists added in v0.15.7

func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool

Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
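The key layout and byte-order rules documented above (PolicyKey, ToHost/ToNetwork, the AllPorts wildcard, and the host-byte-order contract of Allow, Delete and Exists), as an added, self-contained example that is not Cilium's code: it models PolicyKey with the documented field order, shows the 8-byte image the BPF datapath reads, the ToHost conversion, what happens when a caller hands Allow a port that is already in network order, and a simplified lookup in which a port-0 entry matches any port. The direction encoding (0 = ingress, 1 = egress), the little-endian host, and the fallback order in Lookup are assumptions of this example, not facts stated on this page.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Model of the per-endpoint policy map key (added example, not Cilium's
// code). Field order and widths follow the PolicyKey documented on this
// page, which must match struct policy_key in bpf/lib/common.h: the BPF
// program reads the raw bytes, so a layout or byte-order mismatch silently
// changes which peer and port an entry applies to.
type PolicyKey struct {
	Identity         uint32 // security identity, host byte-order
	DestPort         uint16 // stored in network byte-order
	Nexthdr          uint8  // IP protocol number (6 = TCP, 17 = UDP)
	TrafficDirection uint8  // 0 = ingress, 1 = egress (assumed encoding)
}

const (
	Ingress  uint8  = 0
	Egress   uint8  = 1
	TCP      uint8  = 6
	AllPorts uint16 = 0 // port field 0 means "any port"
)

// htons converts a 16-bit value between little-endian host order and network
// order. It is its own inverse, which is why passing an already-converted
// port to a host-order API yields a different port rather than a no-op.
func htons(v uint16) uint16 { return v<<8 | v>>8 }

// NewKey builds the key the way Allow/Delete/Exists expect their input:
// dport in host byte-order; the stored key holds it in network order.
func NewKey(identity uint32, dport uint16, proto, dir uint8) PolicyKey {
	return PolicyKey{Identity: identity, DestPort: htons(dport), Nexthdr: proto, TrafficDirection: dir}
}

// ToHost mirrors the documented ToHost: a copy with DestPort in host order.
func (k PolicyKey) ToHost() PolicyKey { k.DestPort = htons(k.DestPort); return k }

// Bytes renders the key as the 8-byte struct the datapath sees on a
// little-endian host (binary.LittleEndian stands in for host order, so the
// network-order port shows up big-endian in the dump).
func (k PolicyKey) Bytes() []byte {
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, k); err != nil {
		panic(err) // cannot fail for a fixed-size struct
	}
	return buf.Bytes()
}

// PortIfAlreadySwapped shows the caveat in the Allow/Delete/Exists docs: a
// caller that hands over a network-order port gets an entry for a different
// port (80 becomes 20480), so the intended port stays closed and an
// unintended one is opened.
func PortIfAlreadySwapped(dport uint16) uint16 {
	return NewKey(0, htons(dport), 0, 0).ToHost().DestPort
}

// Lookup is a simplified model of how an AllPorts entry is consulted: an
// exact identity+port+protocol match wins, otherwise an entry with port 0
// and protocol 0 for the same identity and direction applies. Any other
// wildcard lookups the real datapath performs are not modelled here.
func Lookup(m map[PolicyKey]struct{}, id uint32, dport uint16, proto, dir uint8) bool {
	if _, ok := m[NewKey(id, dport, proto, dir)]; ok {
		return true
	}
	_, ok := m[NewKey(id, AllPorts, 0, dir)]
	return ok
}

func main() {
	k := NewKey(1234, 80, TCP, Egress)
	fmt.Printf("key bytes: % x\n", k.Bytes())                // d2 04 00 00 00 50 06 01
	fmt.Printf("host-order port: %d\n", k.ToHost().DestPort) // 80
	fmt.Printf("double-swapped 80 lands on port %d\n", PortIfAlreadySwapped(80))

	// Constructed sample policy: one L3+L4 egress entry, one any-port ingress entry.
	policy := map[PolicyKey]struct{}{
		NewKey(1234, 80, TCP, Egress):      {},
		NewKey(5678, AllPorts, 0, Ingress): {},
	}
	fmt.Println(Lookup(policy, 1234, 80, TCP, Egress))   // true
	fmt.Println(Lookup(policy, 1234, 443, TCP, Egress))  // false
	fmt.Println(Lookup(policy, 5678, 443, TCP, Ingress)) // true
}
```

When auditing a dumped map, compare the raw key bytes against the C struct rather than the Go field names: the identity occupies the first four bytes in host order, the port the next two in network order, and a port of 0 is a wildcard, not a closed port.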

func (*PolicyMap) String

func (pm *PolicyMap) String() string

String returns a human-readable string representing the policy map.

type PolicyPlumbingMap added in v0.15.7

type PolicyPlumbingMap struct {
	*bpf.Map
}

PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.

func OpenCallMap added in v0.15.7

func OpenCallMap() (*PolicyPlumbingMap, error)

OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.
