policymap

package
v1.14.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 14, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

+groupName=maps

Index

Constants

View Source
const (
	// PolicyCallMapName is the name of the map to do tail calls into policy
	// enforcement programs.
	PolicyCallMapName = "cilium_call_policy"

	// PolicyEgressCallMapName is the name of the map to do tail calls into egress policy
	// enforcement programs.
	PolicyEgressCallMapName = "cilium_egresscall_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction.
	MapName = "cilium_policy_"

	// PolicyCallMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID.
	PolicyCallMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)

	// PressureMetricThreshold sets the threshold over which map pressure will
	// be reported for the policy map.
	PressureMetricThreshold = 0.1
)
View Source
const SizeofPolicyEntry = int(unsafe.Sizeof(PolicyEntry{}))

SizeofPolicyEntry is the size of type PolicyEntry.

View Source
const SizeofPolicyKey = int(unsafe.Sizeof(PolicyKey{}))

SizeofPolicyKey is the size of type PolicyKey.

Variables

View Source
var (
	// MaxEntries is the upper limit of entries in the per endpoint policy
	// table ie the maximum number of peer identities that the endpoint could
	// send/receive traffic to/from.. It is set by InitMapInfo(), but unit
	// tests use the initial value below.
	// The default value of this upper limit is 16384.
	MaxEntries = 16384
)

Functions

func CallString added in v1.5.0

func CallString(id uint16) string

CallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.

Derived from __section_tail(CILIUM_MAP_POLICY, NAME) per bpf/lib/tailcall.h.

func Create added in v1.14.0

func Create(path string) (bool, error)

Create creates a policy map at the specified path.

func EgressCallString added in v1.14.0

func EgressCallString(id uint16) string

EgressCallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.

Derived from __section_tail(CILIUM_MAP_EGRESSPOLICY, NAME) per bpf/lib/tailcall.h.

func InitCallMaps added in v1.14.0

func InitCallMaps(haveEgressCallMap bool) error

InitCallMap creates the policy call maps in the kernel.

func InitMapInfo added in v1.5.2

func InitMapInfo(maxEntries int)

InitMapInfo updates the map info defaults for policy maps.

func RemoveGlobalMapping added in v1.5.0

func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error

RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.

Types

type CallKey added in v1.14.0

type CallKey struct {
	// contains filtered or unexported fields
}

CallKey is the index into the prog array map. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapKey

func (*CallKey) DeepCopy added in v1.14.0

func (in *CallKey) DeepCopy() *CallKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallKey.

func (*CallKey) DeepCopyInto added in v1.14.0

func (in *CallKey) DeepCopyInto(out *CallKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CallKey) DeepCopyMapKey added in v1.14.0

func (in *CallKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*CallKey) GetKeyPtr added in v1.14.0

func (k *CallKey) GetKeyPtr() unsafe.Pointer

GetKeyPtr returns the unsafe pointer to the BPF key

func (CallKey) NewValue added in v1.14.0

func (k CallKey) NewValue() bpf.MapValue

NewValue returns a new empty instance of the structure representing the BPF map value.

func (*CallKey) String added in v1.14.0

func (k *CallKey) String() string

String converts the key into a human readable string format.

type CallValue added in v1.14.0

type CallValue struct {
	// contains filtered or unexported fields
}

CallValue is the program ID in the prog array map. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapValue

func (*CallValue) DeepCopy added in v1.14.0

func (in *CallValue) DeepCopy() *CallValue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallValue.

func (*CallValue) DeepCopyInto added in v1.14.0

func (in *CallValue) DeepCopyInto(out *CallValue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CallValue) DeepCopyMapValue added in v1.14.0

func (in *CallValue) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*CallValue) GetValuePtr added in v1.14.0

func (v *CallValue) GetValuePtr() unsafe.Pointer

GetValuePtr returns the unsafe pointer to the BPF value

func (*CallValue) String added in v1.14.0

func (v *CallValue) String() string

String converts the value into a human readable string format.

type PlumbingKey added in v1.5.1

type PlumbingKey struct {
	// contains filtered or unexported fields
}

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapKey

func (*PlumbingKey) DeepCopy added in v1.5.1

func (in *PlumbingKey) DeepCopy() *PlumbingKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingKey.

func (*PlumbingKey) DeepCopyInto added in v1.5.1

func (in *PlumbingKey) DeepCopyInto(out *PlumbingKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PlumbingKey) DeepCopyMapKey added in v1.5.1

func (in *PlumbingKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*PlumbingKey) GetKeyPtr added in v1.5.1

func (k *PlumbingKey) GetKeyPtr() unsafe.Pointer

func (*PlumbingKey) NewValue added in v1.5.1

func (k *PlumbingKey) NewValue() bpf.MapValue

func (*PlumbingKey) String added in v1.5.1

func (k *PlumbingKey) String() string

type PlumbingValue added in v1.5.1

type PlumbingValue struct {
	// contains filtered or unexported fields
}

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapValue

func (*PlumbingValue) DeepCopy added in v1.5.1

func (in *PlumbingValue) DeepCopy() *PlumbingValue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingValue.

func (*PlumbingValue) DeepCopyInto added in v1.5.1

func (in *PlumbingValue) DeepCopyInto(out *PlumbingValue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PlumbingValue) DeepCopyMapValue added in v1.5.1

func (in *PlumbingValue) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*PlumbingValue) GetValuePtr added in v1.5.1

func (v *PlumbingValue) GetValuePtr() unsafe.Pointer

func (*PlumbingValue) String added in v1.5.1

func (v *PlumbingValue) String() string

type PolicyEntriesDump added in v1.5.0

type PolicyEntriesDump []PolicyEntryDump

PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump

func (PolicyEntriesDump) Less added in v1.5.0

func (p PolicyEntriesDump) Less(i, j int) bool

Less is a function used to sort PolicyEntriesDump by Policy Type (Deny / Allow), TrafficDirection (Ingress / Egress) and Identity (ascending order).

func (PolicyEntriesDump) String added in v1.14.0

func (p PolicyEntriesDump) String() string

String returns a string representation of PolicyEntriesDump

type PolicyEntry

type PolicyEntry struct {
	ProxyPort uint16 `align:"proxy_port"` // In network byte-order
	Flags     uint8  `align:"deny"`
	AuthType  uint8  `align:"auth_type"`
	Pad1      uint16 `align:"pad1"`
	Pad2      uint16 `align:"pad2"`
	Packets   uint64 `align:"packets"`
	Bytes     uint64 `align:"bytes"`
}

PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapValue

func (*PolicyEntry) Add

func (pe *PolicyEntry) Add(oPe PolicyEntry)

func (*PolicyEntry) DeepCopy added in v1.5.1

func (in *PolicyEntry) DeepCopy() *PolicyEntry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyEntry.

func (*PolicyEntry) DeepCopyInto added in v1.5.1

func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyEntry) DeepCopyMapValue added in v1.5.1

func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*PolicyEntry) GetFlags added in v1.14.0

func (pe *PolicyEntry) GetFlags() uint8

func (*PolicyEntry) GetValuePtr added in v1.5.0

func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer

func (*PolicyEntry) NewValue added in v1.5.0

func (pe *PolicyEntry) NewValue() bpf.MapValue

func (*PolicyEntry) SetFlags added in v1.14.0

func (pe *PolicyEntry) SetFlags(flags uint8)

func (*PolicyEntry) String

func (pe *PolicyEntry) String() string

func (*PolicyEntry) ToHost added in v1.14.0

func (pe *PolicyEntry) ToHost() PolicyEntry

ToHost returns a copy of entry with fields converted from network byte-order to host-byte-order if necessary.

type PolicyEntryDump

type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}

type PolicyEntryFlagParam added in v1.14.0

type PolicyEntryFlagParam struct {
	IsDeny bool
}

type PolicyEntryFlags added in v1.14.0

type PolicyEntryFlags uint8

PolicyEntryFlags is a new type used to define the flags used in the policy entry.

func NewPolicyEntryFlag added in v1.14.0

func NewPolicyEntryFlag(p *PolicyEntryFlagParam) PolicyEntryFlags

NewPolicyEntryFlag returns a PolicyEntryFlags from the PolicyEntryFlagParam.

func (PolicyEntryFlags) IsDeny added in v1.14.0

func (pef PolicyEntryFlags) IsDeny() bool

func (PolicyEntryFlags) String added in v1.14.0

func (pef PolicyEntryFlags) String() string

String returns the string implementation of PolicyEntryFlags.

func (PolicyEntryFlags) UInt8 added in v1.14.0

func (pef PolicyEntryFlags) UInt8() uint8

UInt8 returns the UInt8 representation of the PolicyEntryFlags.

type PolicyKey added in v1.5.0

type PolicyKey struct {
	Identity         uint32 `align:"sec_label"`
	DestPort         uint16 `align:"dport"` // In network byte-order
	Nexthdr          uint8  `align:"protocol"`
	TrafficDirection uint8  `align:"egress"`
}

PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapKey

func (*PolicyKey) DeepCopy added in v1.5.1

func (in *PolicyKey) DeepCopy() *PolicyKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyKey.

func (*PolicyKey) DeepCopyInto added in v1.5.1

func (in *PolicyKey) DeepCopyInto(out *PolicyKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyKey) DeepCopyMapKey added in v1.5.1

func (in *PolicyKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*PolicyKey) GetKeyPtr added in v1.5.0

func (key *PolicyKey) GetKeyPtr() unsafe.Pointer

func (*PolicyKey) NewValue added in v1.5.0

func (key *PolicyKey) NewValue() bpf.MapValue

func (*PolicyKey) String added in v1.5.0

func (key *PolicyKey) String() string

func (*PolicyKey) ToHost added in v1.5.0

func (key *PolicyKey) ToHost() PolicyKey

ToHost returns a copy of key with fields converted from network byte-order to host-byte-order if necessary.

func (*PolicyKey) ToNetwork added in v1.5.0

func (key *PolicyKey) ToNetwork() PolicyKey

ToNetwork returns a copy of key with fields converted from host byte-order to network-byte-order if necessary.

type PolicyMap

type PolicyMap struct {
	*bpf.Map
}

func Open added in v1.5.0

func Open(path string) (*PolicyMap, error)

Open opens the policymap at the specified path.

func OpenOrCreate added in v1.5.0

func OpenOrCreate(path string) (*PolicyMap, bool, error)

OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.

func (*PolicyMap) Allow added in v1.5.0

func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, authType uint8, proxyPort uint16) error

Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.

func (*PolicyMap) AllowKey added in v1.5.0

func (pm *PolicyMap) AllowKey(k PolicyKey, authType uint8, proxyPort uint16) error

AllowKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.

func (*PolicyMap) Delete added in v1.5.0

func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error

Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.

func (*PolicyMap) DeleteEntry added in v1.5.0

func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error

DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.

func (*PolicyMap) DeleteKey added in v1.5.0

func (pm *PolicyMap) DeleteKey(key PolicyKey) error

DeleteKey deletes the key-value pair from the given PolicyMap with PolicyKey k. Returns an error if deletion from the PolicyMap fails.

func (*PolicyMap) Deny added in v1.14.0

func (pm *PolicyMap) Deny(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error

Deny pushes an entry into the PolicyMap to deny traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.

func (*PolicyMap) DenyKey added in v1.14.0

func (pm *PolicyMap) DenyKey(k PolicyKey) error

DenyKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.

func (*PolicyMap) Dump

func (pm *PolicyMap) Dump() (string, error)

func (*PolicyMap) DumpToSlice

func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)

func (*PolicyMap) Exists added in v1.5.0

func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool

Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport`over protocol `proto`. It is assumed that `dport` is in host byte-order.

func (*PolicyMap) String

func (pm *PolicyMap) String() string

String returns a human-readable string representing the policy map.

type PolicyPlumbingMap added in v1.5.0

type PolicyPlumbingMap struct {
	*bpf.Map
}

PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.

func OpenCallMap added in v1.5.0

func OpenCallMap(name string) (*PolicyPlumbingMap, error)

OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL