Documentation ¶
Index ¶
- Constants
- Variables
- func CallString(id uint16) string
- func InitMapInfo(maxEntries int)
- func RemoveGlobalMapping(id uint32) error
- type PolicyEntriesDump
- type PolicyEntry
- type PolicyEntryDump
- type PolicyKey
- type PolicyMap
- func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) AllowKey(k PolicyKey, proxyPort uint16) error
- func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
- func (pm *PolicyMap) DeleteKey(key PolicyKey) error
- func (pm *PolicyMap) Dump() (string, error)
- func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
- func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, ...) bool
- func (pm *PolicyMap) String() string
- type PolicyPlumbingMap
Constants ¶
const (
	// CallMapName is the name of the map to do tail calls into policy
	// enforcement programs
	CallMapName = "cilium_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction.
	MapName = CallMapName + "_"

	// ProgArrayMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID.
	ProgArrayMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)
)
Variables ¶
var (
	// MaxEntries is the upper limit of entries in the per endpoint policy
	// table
	MaxEntries = 16384
)
Functions ¶
func CallString ¶ added in v1.5.0
func CallString(id uint16) string
CallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.
Derived from __section_tail(CILIUM_MAP_CALLS, NAME) per bpf/lib/tailcall.h.
func InitMapInfo ¶ added in v1.5.2
func InitMapInfo(maxEntries int)
InitMapInfo updates the map info defaults for policy maps.
func RemoveGlobalMapping ¶ added in v1.5.0
func RemoveGlobalMapping(id uint32) error
RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.
Types ¶
type PolicyEntriesDump ¶ added in v1.5.0
type PolicyEntriesDump []PolicyEntryDump
PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump
func (PolicyEntriesDump) Less ¶ added in v1.5.0
func (p PolicyEntriesDump) Less(i, j int) bool
Less returns true if the element at index `i` has a TrafficDirection lower than that of the element at index `j`, or if both elements have the same TrafficDirection and the Identity of element `i` is lower than the Identity of element `j`.
type PolicyEntry ¶
type PolicyEntry struct {
	ProxyPort uint16 // In network byte-order
	Pad0      uint16
	Pad1      uint16
	Pad2      uint16
	Packets   uint64
	Bytes     uint64
}
PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h.
func (*PolicyEntry) Add ¶
func (pe *PolicyEntry) Add(oPe PolicyEntry)
func (*PolicyEntry) GetValuePtr ¶ added in v1.5.0
func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer
func (*PolicyEntry) NewValue ¶ added in v1.5.0
func (pe *PolicyEntry) NewValue() bpf.MapValue
func (*PolicyEntry) String ¶
func (pe *PolicyEntry) String() string
type PolicyEntryDump ¶
type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}
type PolicyKey ¶ added in v1.5.0
type PolicyKey struct {
	Identity         uint32
	DestPort         uint16 // In network byte-order
	Nexthdr          uint8
	TrafficDirection uint8
}
PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h.
type PolicyMap ¶
func OpenOrCreate ¶ added in v1.5.0
OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.
func (*PolicyMap) Allow ¶ added in v1.5.0
func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, proxyPort uint16) error
Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.
func (*PolicyMap) AllowKey ¶ added in v1.5.0
func (pm *PolicyMap) AllowKey(k PolicyKey, proxyPort uint16) error
AllowKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) Delete ¶ added in v1.5.0
func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error
Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.
func (*PolicyMap) DeleteEntry ¶ added in v1.5.0
func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.
func (*PolicyMap) DeleteKey ¶ added in v1.5.0
func (pm *PolicyMap) DeleteKey(key PolicyKey) error
DeleteKey deletes the key-value pair from the given PolicyMap with PolicyKey k. Returns an error if deletion from the PolicyMap fails.
func (*PolicyMap) DumpToSlice ¶
func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
func (*PolicyMap) Exists ¶ added in v1.5.0
func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool
Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
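The following is an added, self-contained example (not code from the cilium policymap package) that ties together the AllPorts constant, the PolicyKey/PolicyEntry layouts, the host-to-network byte-order contract stated for Allow, Delete and Exists, and the ordering described for PolicyEntriesDump.Less. The types are local mirrors of the layouts documented above, a Go map stands in for the BPF map, the ingress/egress direction numbering and the L3-only fallback in `exists` (consulting a DestPort == AllPorts entry when no port-specific entry matches) are modelling assumptions made here to illustrate what "all ports are allowed" means, and `hostToNetwork16`/`wireBytes` are helpers of this example, not the package's byteorder utilities.

```go
package main

import (
	"fmt"
	"sort"
	"unsafe"
)

// Constructed mirrors of the page's types; not the cilium package itself.
const AllPorts = uint16(0)

// Direction numbering assumed for this example only.
const (
	dirIngress uint8 = 0
	dirEgress  uint8 = 1
)

type PolicyKey struct {
	Identity         uint32
	DestPort         uint16 // network byte-order, as in the real key
	Nexthdr          uint8
	TrafficDirection uint8
}

type PolicyEntry struct {
	ProxyPort uint16 // network byte-order
	Packets   uint64
	Bytes     uint64
}

type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}

type PolicyEntriesDump []PolicyEntryDump

func (p PolicyEntriesDump) Len() int      { return len(p) }
func (p PolicyEntriesDump) Swap(i, j int) { p[i], p[j] = p[j], p[i] }

// Less implements the documented ordering: TrafficDirection first, then Identity.
func (p PolicyEntriesDump) Less(i, j int) bool {
	if p[i].Key.TrafficDirection != p[j].Key.TrafficDirection {
		return p[i].Key.TrafficDirection < p[j].Key.TrafficDirection
	}
	return p[i].Key.Identity < p[j].Key.Identity
}

func hostIsLittleEndian() bool {
	x := uint16(1)
	return *(*byte)(unsafe.Pointer(&x)) == 1
}

// hostToNetwork16 converts a host-order port so that its in-memory bytes are
// big-endian; on a big-endian host it is the identity (example helper).
func hostToNetwork16(v uint16) uint16 {
	if hostIsLittleEndian() {
		return v<<8 | v>>8
	}
	return v
}

// wireBytes returns the in-memory representation of v, i.e. what a consumer
// reading the raw key bytes would see.
func wireBytes(v uint16) [2]byte {
	return *(*[2]byte)(unsafe.Pointer(&v))
}

// policyTable is a userspace stand-in for the BPF map.
type policyTable map[PolicyKey]PolicyEntry

// allow mirrors the Allow contract: dport and proxyPort arrive in host
// byte-order and are converted before being stored.
func (t policyTable) allow(id uint32, dport uint16, proto, dir uint8, proxyPort uint16) {
	k := PolicyKey{Identity: id, DestPort: hostToNetwork16(dport), Nexthdr: proto, TrafficDirection: dir}
	t[k] = PolicyEntry{ProxyPort: hostToNetwork16(proxyPort)}
}

// exists checks for an exact L4 match, then for an L3-only entry (DestPort ==
// AllPorts, Nexthdr 0). The fallback is this example's model of "all ports
// are allowed"; the real lookup happens in the BPF datapath.
func (t policyTable) exists(id uint32, dport uint16, proto, dir uint8) bool {
	exact := PolicyKey{Identity: id, DestPort: hostToNetwork16(dport), Nexthdr: proto, TrafficDirection: dir}
	if _, ok := t[exact]; ok {
		return true
	}
	_, ok := t[PolicyKey{Identity: id, DestPort: AllPorts, Nexthdr: 0, TrafficDirection: dir}]
	return ok
}

// dump returns the table contents sorted the way PolicyEntriesDump.Less orders them.
func (t policyTable) dump() PolicyEntriesDump {
	out := make(PolicyEntriesDump, 0, len(t))
	for k, v := range t {
		out = append(out, PolicyEntryDump{PolicyEntry: v, Key: k})
	}
	sort.Sort(out)
	return out
}

func main() {
	t := policyTable{}
	t.allow(1001, 80, 6, dirIngress, 15000)      // TCP/80 from identity 1001, proxied
	t.allow(1002, AllPorts, 0, dirEgress, 0)     // any port/proto to identity 1002
	fmt.Println(t.exists(1001, 80, 6, dirIngress), t.exists(1001, 443, 6, dirIngress), t.exists(1002, 443, 6, dirEgress))
	for _, e := range t.dump() {
		fmt.Printf("%+v\n", e)
	}
}
```

Reading the dump shows the ports as they sit in the map (network order), which is why tooling that prints these entries has to convert back before comparing against the host-order values passed to Allow, Delete and Exists.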
type PolicyPlumbingMap ¶ added in v1.5.0
PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.
func OpenCallMap ¶ added in v1.5.0
func OpenCallMap() (*PolicyPlumbingMap, error)
OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.