polprog

package

v0.0.0-...-21cfbab Latest Latest Go to latest Published: Apr 10, 2023 License: Apache-2.0, Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dtest11/calico

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
type Builder
- func NewBuilder(ipSetIDProvider ipSetIDProvider, ipsetMapFD, stateMapFD, jumpMapFD maps.FD, ...) *Builder
- func (p *Builder) EnableIPv6Mode()
- func (p *Builder) Instructions(rules Rules) (Insns, error)
type Option
- func WithPolicyDebugEnabled() Option
type Policy
type Profile
type Rule
type RuleMatchID
type Rules
type Tier
type TierEndAction

Constants ¶

This section is empty.

Variables ¶

View Source

var (

	// Bits in the state flags field.
	FlagDestIsHost uint64 = 1 << 2
	FlagSrcIsHost  uint64 = 1 << 3
)

Functions ¶

This section is empty.

Types ¶

type Builder ¶

type Builder struct {
	// contains filtered or unexported fields
}

func NewBuilder ¶

func NewBuilder(ipSetIDProvider ipSetIDProvider, ipsetMapFD, stateMapFD, jumpMapFD maps.FD, opts ...Option) *Builder

func (*Builder) EnableIPv6Mode ¶

func (p *Builder) EnableIPv6Mode()

func (*Builder) Instructions ¶

func (p *Builder) Instructions(rules Rules) (Insns, error)

type Option ¶

type Option func(b *Builder)

Option is an additional option that can change default behaviour

func WithPolicyDebugEnabled ¶

func WithPolicyDebugEnabled() Option

WithPolicyDebug enabled policy debug.

type Policy ¶

type Policy struct {
	Name  string
	Rules []Rule
}

type Profile ¶

type Profile = Policy

type Rule ¶

type Rule struct {
	*proto.Rule
	MatchID RuleMatchID
}

type RuleMatchID ¶

type RuleMatchID = uint64

type Rules ¶

type Rules struct {
	// Both workload and host interfaces can enforce host endpoint policy (carried here in the
	// Host... fields); in the case of a workload interface, that can only come from the
	// wildcard host endpoint, aka "host-*".
	//
	// However, only a workload interface can have any workload policy (carried here in the
	// Tiers and Profiles fields), and workload interfaces also Deny by default when there is no
	// workload policy at all.  ForHostInterface (with reversed polarity) is the boolean that
	// tells us whether or not to implement workload policy and that default Deny.
	ForHostInterface bool

	// Indicates to suppress normal host policy because it's trumped by the setting of
	// DefaultEndpointToHostAction.
	SuppressNormalHostPolicy bool

	// Workload policy.
	Tiers    []Tier
	Profiles []Profile

	// Host endpoint policy.
	HostPreDnatTiers []Tier
	HostForwardTiers []Tier
	HostNormalTiers  []Tier
	HostProfiles     []Profile

	// True when building a policy program for XDP, as opposed to for TC.  This also means that
	// we are implementing untracked policy (provided in the HostNormalTiers field) and that
	// traffic is allowed to continue if not explicitly allowed or denied.
	ForXDP bool
}

type Tier ¶

type Tier struct {
	Name      string
	EndAction TierEndAction
	Policies  []Policy
}

type TierEndAction ¶

type TierEndAction string

const (
	TierEndUndef TierEndAction = ""
	TierEndDeny  TierEndAction = "deny"
	TierEndPass  TierEndAction = "pass"
)

Source Files ¶

View all Source files

pol_prog_builder.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL