polprog

package

v0.0.0-...-21cfbab Latest Latest Go to latest Published: Apr 10, 2023 License: Apache-2.0, Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/dtest11/calico

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
type Builder
- func NewBuilder(ipSetIDProvider ipSetIDProvider, ipsetMapFD, stateMapFD, jumpMapFD maps.FD, ...) *Builder
- func (p *Builder) EnableIPv6Mode()
- func (p *Builder) Instructions(rules Rules) (Insns, error)
type Option
- func WithPolicyDebugEnabled() Option
type Policy
type Profile
type Rule
type RuleMatchID
type Rules
type Tier
type TierEndAction

Constants ¶

This section is empty.

Variables ¶

View Source

var (

	// Bits in the state flags field.
	FlagDestIsHost uint64 = 1 << 2
	FlagSrcIsHost  uint64 = 1 << 3
)

Functions ¶

This section is empty.

Types ¶

type Builder ¶

type Builder struct {
	// contains filtered or unexported fields
}

func NewBuilder ¶

func NewBuilder(ipSetIDProvider ipSetIDProvider, ipsetMapFD, stateMapFD, jumpMapFD maps.FD, opts ...Option) *Builder

func (*Builder) EnableIPv6Mode ¶

func (p *Builder) EnableIPv6Mode()

func (*Builder) Instructions ¶

func (p *Builder) Instructions(rules Rules) (Insns, error)

type Option ¶

type Option func(b *Builder)

Option is an additional option that can change default behaviour

func WithPolicyDebugEnabled ¶

func WithPolicyDebugEnabled() Option

WithPolicyDebug enabled policy debug.

type Policy ¶

type Policy struct {
	Name  string
	Rules []Rule
}

type Profile ¶

type Profile = Policy

type Rule ¶

type Rule struct {
	*proto.Rule
	MatchID RuleMatchID
}

type RuleMatchID ¶

type RuleMatchID = uint64

type Rules ¶

type Rules struct {
	// Both workload and host interfaces can enforce host endpoint policy (carried here in the
	// Host... fields); in the case of a workload interface, that can only come from the
	// wildcard host endpoint, aka "host-*".
	//
	// However, only a workload interface can have any workload policy (carried here in the
	// Tiers and Profiles fields), and workload interfaces also Deny by default when there is no
	// workload policy at all.  ForHostInterface (with reversed polarity) is the boolean that
	// tells us whether or not to implement workload policy and that default Deny.
	ForHostInterface bool

	// Indicates to suppress normal host policy because it's trumped by the setting of
	// DefaultEndpointToHostAction.
	SuppressNormalHostPolicy bool

	// Workload policy.
	Tiers    []Tier
	Profiles []Profile

	// Host endpoint policy.
	HostPreDnatTiers []Tier
	HostForwardTiers []Tier
	HostNormalTiers  []Tier
	HostProfiles     []Profile

	// True when building a policy program for XDP, as opposed to for TC.  This also means that
	// we are implementing untracked policy (provided in the HostNormalTiers field) and that
	// traffic is allowed to continue if not explicitly allowed or denied.
	ForXDP bool
}

type Tier ¶

type Tier struct {
	Name      string
	EndAction TierEndAction
	Policies  []Policy
}

type TierEndAction ¶

type TierEndAction string

const (
	TierEndUndef TierEndAction = ""
	TierEndDeny  TierEndAction = "deny"
	TierEndPass  TierEndAction = "pass"
)

Source Files ¶

View all Source files

pol_prog_builder.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL