Documentation ¶
Overview ¶
+groupName=maps
Index ¶
- Constants
- Variables
- func CallString(id uint16) string
- func Create(path string) (bool, error)
- func EgressCallString(id uint16) string
- func InitCallMaps(haveEgressCallMap bool) error
- func InitMapInfo(maxEntries int)
- func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error
- type CallKey
- type CallValue
- type PlumbingKey
- type PlumbingValue
- type PolicyEntriesDump
- type PolicyEntry
- func (pe *PolicyEntry) Add(oPe PolicyEntry)
- func (in *PolicyEntry) DeepCopy() *PolicyEntry
- func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)
- func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue
- func (pe *PolicyEntry) GetFlags() uint8
- func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer
- func (pe *PolicyEntry) NewValue() bpf.MapValue
- func (pe *PolicyEntry) SetFlags(flags uint8)
- func (pe *PolicyEntry) String() string
- func (pe *PolicyEntry) ToHost() PolicyEntry
- type PolicyEntryDump
- type PolicyEntryFlagParam
- type PolicyEntryFlags
- type PolicyKey
- func (in *PolicyKey) DeepCopy() *PolicyKey
- func (in *PolicyKey) DeepCopyInto(out *PolicyKey)
- func (in *PolicyKey) DeepCopyMapKey() bpf.MapKey
- func (key *PolicyKey) GetKeyPtr() unsafe.Pointer
- func (key *PolicyKey) NewValue() bpf.MapValue
- func (key *PolicyKey) String() string
- func (key *PolicyKey) ToHost() PolicyKey
- func (key *PolicyKey) ToNetwork() PolicyKey
- type PolicyMap
- func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) AllowKey(k PolicyKey, authType uint8, proxyPort uint16) error
- func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
- func (pm *PolicyMap) DeleteKey(key PolicyKey) error
- func (pm *PolicyMap) Deny(id uint32, dport uint16, proto u8proto.U8proto, ...) error
- func (pm *PolicyMap) DenyKey(k PolicyKey) error
- func (pm *PolicyMap) Dump() (string, error)
- func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
- func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, ...) bool
- func (pm *PolicyMap) String() string
- type PolicyPlumbingMap
Constants ¶
const ( // PolicyCallMapName is the name of the map to do tail calls into policy // enforcement programs. PolicyCallMapName = "cilium_call_policy" // PolicyEgressCallMapName is the name of the map to do tail calls into egress policy // enforcement programs. PolicyEgressCallMapName = "cilium_egresscall_policy" // MapName is the prefix for endpoint-specific policy maps which map // identity+ports+direction to whether the policy allows communication // with that identity on that port for that direction. MapName = "cilium_policy_" // PolicyCallMaxEntries is the upper limit of entries in the program // array for the tail calls to jump into the endpoint specific policy // programs. This number *MUST* be identical to the maximum endpoint ID. PolicyCallMaxEntries = ^uint16(0) // AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports // are allowed. In the datapath, this is represented with the value 0 in the // port field of map elements. AllPorts = uint16(0) // PressureMetricThreshold sets the threshold over which map pressure will // be reported for the policy map. PressureMetricThreshold = 0.1 )
const SizeofPolicyEntry = int(unsafe.Sizeof(PolicyEntry{}))
SizeofPolicyEntry is the size of type PolicyEntry.
const SizeofPolicyKey = int(unsafe.Sizeof(PolicyKey{}))
SizeofPolicyKey is the size of type PolicyKey.
Variables ¶
var ( // MaxEntries is the upper limit of entries in the per endpoint policy // table ie the maximum number of peer identities that the endpoint could // send/receive traffic to/from.. It is set by InitMapInfo(), but unit // tests use the initial value below. // The default value of this upper limit is 16384. MaxEntries = 16384 )
Functions ¶
func CallString ¶ added in v1.5.0
CallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.
Derived from __section_tail(CILIUM_MAP_POLICY, NAME) per bpf/lib/tailcall.h.
func EgressCallString ¶ added in v1.14.0
EgressCallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.
Derived from __section_tail(CILIUM_MAP_EGRESSPOLICY, NAME) per bpf/lib/tailcall.h.
func InitCallMaps ¶ added in v1.14.0
InitCallMap creates the policy call maps in the kernel.
func InitMapInfo ¶ added in v1.5.2
func InitMapInfo(maxEntries int)
InitMapInfo updates the map info defaults for policy maps.
func RemoveGlobalMapping ¶ added in v1.5.0
RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.
Types ¶
type CallKey ¶ added in v1.14.0
type CallKey struct {
// contains filtered or unexported fields
}
CallKey is the index into the prog array map. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapKey
func (*CallKey) DeepCopy ¶ added in v1.14.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallKey.
func (*CallKey) DeepCopyInto ¶ added in v1.14.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CallKey) DeepCopyMapKey ¶ added in v1.14.0
DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.
type CallValue ¶ added in v1.14.0
type CallValue struct {
// contains filtered or unexported fields
}
CallValue is the program ID in the prog array map. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapValue
func (*CallValue) DeepCopy ¶ added in v1.14.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallValue.
func (*CallValue) DeepCopyInto ¶ added in v1.14.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CallValue) DeepCopyMapValue ¶ added in v1.14.0
DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.
func (*CallValue) GetValuePtr ¶ added in v1.14.0
GetValuePtr returns the unsafe pointer to the BPF value
type PlumbingKey ¶ added in v1.5.1
type PlumbingKey struct {
// contains filtered or unexported fields
}
+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapKey
func (*PlumbingKey) DeepCopy ¶ added in v1.5.1
func (in *PlumbingKey) DeepCopy() *PlumbingKey
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingKey.
func (*PlumbingKey) DeepCopyInto ¶ added in v1.5.1
func (in *PlumbingKey) DeepCopyInto(out *PlumbingKey)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PlumbingKey) DeepCopyMapKey ¶ added in v1.5.1
func (in *PlumbingKey) DeepCopyMapKey() bpf.MapKey
DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.
func (*PlumbingKey) GetKeyPtr ¶ added in v1.5.1
func (k *PlumbingKey) GetKeyPtr() unsafe.Pointer
func (*PlumbingKey) NewValue ¶ added in v1.5.1
func (k *PlumbingKey) NewValue() bpf.MapValue
func (*PlumbingKey) String ¶ added in v1.5.1
func (k *PlumbingKey) String() string
type PlumbingValue ¶ added in v1.5.1
type PlumbingValue struct {
// contains filtered or unexported fields
}
+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapValue
func (*PlumbingValue) DeepCopy ¶ added in v1.5.1
func (in *PlumbingValue) DeepCopy() *PlumbingValue
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingValue.
func (*PlumbingValue) DeepCopyInto ¶ added in v1.5.1
func (in *PlumbingValue) DeepCopyInto(out *PlumbingValue)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PlumbingValue) DeepCopyMapValue ¶ added in v1.5.1
func (in *PlumbingValue) DeepCopyMapValue() bpf.MapValue
DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.
func (*PlumbingValue) GetValuePtr ¶ added in v1.5.1
func (v *PlumbingValue) GetValuePtr() unsafe.Pointer
func (*PlumbingValue) String ¶ added in v1.5.1
func (v *PlumbingValue) String() string
type PolicyEntriesDump ¶ added in v1.5.0
type PolicyEntriesDump []PolicyEntryDump
PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump
func (PolicyEntriesDump) Less ¶ added in v1.5.0
func (p PolicyEntriesDump) Less(i, j int) bool
Less is a function used to sort PolicyEntriesDump by Policy Type (Deny / Allow), TrafficDirection (Ingress / Egress) and Identity (ascending order).
func (PolicyEntriesDump) String ¶ added in v1.14.0
func (p PolicyEntriesDump) String() string
String returns a string representation of PolicyEntriesDump
type PolicyEntry ¶
type PolicyEntry struct { ProxyPort uint16 `align:"proxy_port"` // In network byte-order Flags uint8 `align:"deny"` AuthType uint8 `align:"auth_type"` Pad1 uint16 `align:"pad1"` Pad2 uint16 `align:"pad2"` Packets uint64 `align:"packets"` Bytes uint64 `align:"bytes"` }
PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapValue
func (*PolicyEntry) Add ¶
func (pe *PolicyEntry) Add(oPe PolicyEntry)
func (*PolicyEntry) DeepCopy ¶ added in v1.5.1
func (in *PolicyEntry) DeepCopy() *PolicyEntry
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyEntry.
func (*PolicyEntry) DeepCopyInto ¶ added in v1.5.1
func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyEntry) DeepCopyMapValue ¶ added in v1.5.1
func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue
DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.
func (*PolicyEntry) GetFlags ¶ added in v1.14.0
func (pe *PolicyEntry) GetFlags() uint8
func (*PolicyEntry) GetValuePtr ¶ added in v1.5.0
func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer
func (*PolicyEntry) NewValue ¶ added in v1.5.0
func (pe *PolicyEntry) NewValue() bpf.MapValue
func (*PolicyEntry) SetFlags ¶ added in v1.14.0
func (pe *PolicyEntry) SetFlags(flags uint8)
func (*PolicyEntry) String ¶
func (pe *PolicyEntry) String() string
func (*PolicyEntry) ToHost ¶ added in v1.14.0
func (pe *PolicyEntry) ToHost() PolicyEntry
ToHost returns a copy of entry with fields converted from network byte-order to host-byte-order if necessary.
type PolicyEntryDump ¶
type PolicyEntryDump struct { PolicyEntry Key PolicyKey }
type PolicyEntryFlagParam ¶ added in v1.14.0
type PolicyEntryFlagParam struct {
IsDeny bool
}
type PolicyEntryFlags ¶ added in v1.14.0
type PolicyEntryFlags uint8
PolicyEntryFlags is a new type used to define the flags used in the policy entry.
func NewPolicyEntryFlag ¶ added in v1.14.0
func NewPolicyEntryFlag(p *PolicyEntryFlagParam) PolicyEntryFlags
NewPolicyEntryFlag returns a PolicyEntryFlags from the PolicyEntryFlagParam.
func (PolicyEntryFlags) IsDeny ¶ added in v1.14.0
func (pef PolicyEntryFlags) IsDeny() bool
func (PolicyEntryFlags) String ¶ added in v1.14.0
func (pef PolicyEntryFlags) String() string
String returns the string implementation of PolicyEntryFlags.
func (PolicyEntryFlags) UInt8 ¶ added in v1.14.0
func (pef PolicyEntryFlags) UInt8() uint8
UInt8 returns the UInt8 representation of the PolicyEntryFlags.
type PolicyKey ¶ added in v1.5.0
type PolicyKey struct { Identity uint32 `align:"sec_label"` DestPort uint16 `align:"dport"` // In network byte-order Nexthdr uint8 `align:"protocol"` TrafficDirection uint8 `align:"egress"` }
PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/go-faster/cilium/pkg/bpf.MapKey
func (*PolicyKey) DeepCopy ¶ added in v1.5.1
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyKey.
func (*PolicyKey) DeepCopyInto ¶ added in v1.5.1
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyKey) DeepCopyMapKey ¶ added in v1.5.1
DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.
type PolicyMap ¶
func OpenOrCreate ¶ added in v1.5.0
OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.
func (*PolicyMap) Allow ¶ added in v1.5.0
func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, authType uint8, proxyPort uint16) error
Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` and `proxyPort` are in host byte-order.
func (*PolicyMap) AllowKey ¶ added in v1.5.0
AllowKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) Delete ¶ added in v1.5.0
func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error
Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.
func (*PolicyMap) DeleteEntry ¶ added in v1.5.0
func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error
DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.
func (*PolicyMap) DeleteKey ¶ added in v1.5.0
DeleteKey deletes the key-value pair from the given PolicyMap with PolicyKey k. Returns an error if deletion from the PolicyMap fails.
func (*PolicyMap) Deny ¶ added in v1.14.0
func (pm *PolicyMap) Deny(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error
Deny pushes an entry into the PolicyMap to deny traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.
func (*PolicyMap) DenyKey ¶ added in v1.14.0
DenyKey pushes an entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.
func (*PolicyMap) DumpToSlice ¶
func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)
func (*PolicyMap) Exists ¶ added in v1.5.0
func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool
Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport`over protocol `proto`. It is assumed that `dport` is in host byte-order.
type PolicyPlumbingMap ¶ added in v1.5.0
PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.
func OpenCallMap ¶ added in v1.5.0
func OpenCallMap(name string) (*PolicyPlumbingMap, error)
OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.