linux_defaults

package
v1.14.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 14, 2023 License: Apache-2.0 Imports: 1 Imported by: 0

Documentation

Overview

Package linux_defaults provides the Linux datapath defaults

Index

Constants

View Source 
const (
	// RouteTableIPSec is the default table ID to use for IPSec routing rules
	RouteTableIPSec = 200

	// RouteTableWireguard is the default table ID to use for Wireguard routing
	// rules
	RouteTableWireguard = 201

	// RouteTableVtep is the default table ID to use for VTEP routing rules
	RouteTableVtep = 202

	// RouteTableEgressGatewayInterfacesOffset is the offset for the per-ENI
	// egress gateway routing tables.
	// Each ENI interface will have its own table starting with this offset. It
	// is 300 because it is highly unlikely to collide with the main routing
	// table which is between 253-255. See ip-route(8).
	RouteTableEgressGatewayInterfacesOffset = 300

	// RouteTableInterfacesOffset is the offset for the per-ENI routing tables.
	// Each ENI interface will have its own table starting with this offset. It
	// is 10 because it is highly unlikely to collide with the main routing
	// table which is between 253-255. See ip-route(8).
	RouteTableInterfacesOffset = 10

	// RouteMarkDecrypt is the default route mark to use to indicate datapath
	// needs to decrypt a packet.
	RouteMarkDecrypt = 0x0D00

	// RouteMarkEncrypt is the default route mark to use to indicate datapath
	// needs to encrypt a packet.
	RouteMarkEncrypt = 0x0E00

	// RouteMarkMask is the mask required for the route mark value
	RouteMarkMask = 0xF00

	// RouteMarkToProxy is the default route mark to use to indicate
	// datapath needs to send the packet to the proxy.
	//
	// Specifically, this is used in the L7 ingress policy tunneling case
	// where after decryption, the packet is rerouted back into
	// `cilium_host` with said mark to indicate the destination as the
	// proxy.
	RouteMarkToProxy = MagicMarkIsToProxy

	// MarkMultinodeNodeport is used for AWS ENI to mark traffic from
	// another node, so that it gets routed back through the relevant
	// interface.
	MarkMultinodeNodeport = 0x80

	// MaskMultinodeNodeport is the mask associated with the
	// RouterMarkNodePort
	MaskMultinodeNodeport = 0x80

	// IPSecProtocolID IP protocol ID for IPSec defined in RFC4303
	RouteProtocolIPSec = 50

	// RulePriorityWireguard is the priority of the rule used for routing packets to Wireguard device for encryption
	RulePriorityWireguard = 1

	// RulePriorityEgressGateway is the priority used in IP routes added by the manager.
	// This value was picked as it's lower than the ones used by Cilium
	// (RulePriorityEgressv2 = 111) or the AWS CNI (10) to install the IP
	// rules for routing EP traffic to the correct ENI interface
	RulePriorityEgressGateway = 8

	// RulePriorityIngress is the priority of the rule used for ingress routing
	// of endpoints. This priority is after encryption and proxy rules, and
	// before the local table priority.
	RulePriorityIngress = 20

	// RulePriorityEgress is the priority of the rule used for egress routing
	// of endpoints. This priority is after the local table priority.
	RulePriorityEgress = 110

	// RulePriorityEgress is the v2 of the priority of the rule used for egress
	// routing of endpoints. This priority is after the local table priority.
	//
	// Because of https://github.com/go-faster/cilium/issues/14336, we must use a
	// new priority value to disambiguate which rules are still under the old
	// scheme.
	RulePriorityEgressv2 = 111

	// RulePriorityNodeport is the priority of the rule used with AWS ENI to
	// make sure that lookups for multi-node NodePort traffic are NOT done
	// from the table for the VPC to which the endpoint's CIDR is
	// associated, but from the main routing table instead.
	// This priority is before the egress priority.
	RulePriorityNodeport = RulePriorityEgress - 1

	// RulePriorityVtep is the priority of the rule used for routing packets to VTEP device
	RulePriorityVtep = 112

	// IPSec offset value for node rules
	IPsecMaxKeyVersion = 15

	// IPsecMarkMaskNodeID is the mask used for the node ID.
	IPsecMarkMaskNodeID = 0xFFFF0000

	// IPsecMarkMask is the mask required for the IPsec SPI, node ID, and encrypt/decrypt bits
	IPsecMarkMaskOut = 0xFF00 | IPsecMarkMaskNodeID

	// IPsecMarkMaskIn is the mask required for IPsec to lookup encrypt/decrypt bits
	IPsecMarkMaskIn = 0x0F00

	// IPsecFwdPriority is the priority of the fwd rules placed by IPsec
	IPsecFwdPriority = 0x0B9F

	// IPsecKeyDeleteDelay is the time to wait before removing old keys when
	// the IPsec key is changing.
	IPsecKeyDeleteDelay = 5 * time.Minute
)

Linux specific constants used in Linux datapath

View Source 
const (
	// MagicMarkHostMask can be used to fetch the host/proxy-relevant magic
	// bits from a mark.
	MagicMarkHostMask int = 0x0F00
	// MagicMarkProxyMask can be used to fetch the proxy-relevant magic
	// bits from a mark.
	MagicMarkProxyMask int = 0x0E00
	// MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic
	// bits from a mark for proxy reply traffic.
	MagicMarkProxyNoIDMask int = 0xFFFFFEFF
	// MagicMarkIsProxyEPID can be used in conjunction with
	// MagicMarkProxyMask to determine whether the mark is indicating that
	// traffic is sourced from a proxy prior to endpoint policy enforcement.
	MagicMarkIsProxyEPID int = 0x0800
	// MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask
	// to determine whether the mark is indicating that traffic is sourced
	// from a proxy.
	MagicMarkIsProxy int = 0x0A00
	// MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask
	// to determine whether the mark is indicating that traffic is destined
	// to a proxy.
	MagicMarkIsToProxy uint32 = 0x0200

	// MagicMarkProxyEgressEPID determines that the traffic is sourced from
	// the proxy which is capturing traffic before it is subject to egress
	// policy enforcement that must be done after the proxy. The identity
	// stored in the mark is source Endpoint ID.
	//
	// Note that this is not used from Go code, but is included here to
	// document this pattern. This must match the definition of
	// MARK_MAGIC_PROXY_EGRESS_EPID in the datapath, and the Envoy code in
	// cilium/proxy/cilium/bpf_metadata.cc
	MagicMarkProxyEgressEPID int = 0x0900

	// MagicMarkIngress determines that the traffic is sourced from the
	// proxy which is applying Ingress policy
	MagicMarkIngress int = 0x0A00
	// MagicMarkEgress determines that the traffic is sourced from the
	// proxy which is applying Egress policy
	MagicMarkEgress int = 0x0B00

	// MagicMarkHost determines that the traffic is sourced from the local
	// host and not from a proxy.
	MagicMarkHost int = 0x0C00

	// MagicMarkIdentity determines that the traffic carries a security
	// identity in the skb->mark
	MagicMarkIdentity int = 0x0F00

	// MagicMarkK8sMasq determines that the traffic should be masqueraded
	// by kube-proxy in kubernetes environments.
	MagicMarkK8sMasq int = 0x4000
	// MagicMarkK8sDrop determines that the traffic should be dropped in
	// kubernetes environments.
	MagicMarkK8sDrop int = 0x8000

	// MagicMarkWireGuardEncrypted is set by the WireGuard tunnel device
	// in order to indicate that a packet has been encrypted, and that there
	// is no need to forward it again to the WG tunnel netdev.
	//
	// The mark invades the K8s mark space described above. This is because
	// some packets might carry a security identity which is indicated with
	// MagicMarkIdentity which takes all 4 bits. The LSB bit which we take
	// from the K8s space is not used, so this is fine). I.e., the LSB bit is
	// 0x1000, and the K8s marks are 0x4000 and 0x8000. So both are not
	// interfering with that bit.
	MagicMarkWireGuardEncrypted int = 0x1E00
)

The skb mark is used to transmit both identity and special markers to identify traffic from and to proxies. The mark field is being used in the following way: 

 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-------------------------------+-------+-------+---------------+
|L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U|
+-------------------------------+-------+-------+---------------+
 identity                        k8s     mark    identity

Identity (24 bits): 

+-----------------------------------------------+
|U U U U U U U U|L L L L L L L L L L L L L L L L|
+-----------------------------------------------+
 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4

Kubernetes Mark (4 bits; see MagicMarkWireGuardEncrypted for usage of some of K8s mark space): R R R R 0 1 0 0 Masquerade 1 0 0 0 Drop

Cilium Mark (4 bits): M M M M (see MARK_MAGIC_* in bpf/lib/common.h)

Variables

This section is empty.

Functions

func GetMagicProxyMark added in v1.6.0 

func GetMagicProxyMark(isIngress bool, identity int) int

getMagicMark returns the magic marker with which each packet must be marked. The mark is different depending on whether the proxy is injected at ingress or egress.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.