Documentation
Overview
Package linux_defaults provides the Linux datapath defaults
Index
Constants
```go
const (
	// RouteTableIPSec is the default table ID to use for IPSec routing rules
	RouteTableIPSec = 200

	// RouteMarkDecrypt is the default route mark to use to indicate datapath
	// needs to decrypt a packet.
	RouteMarkDecrypt = 0x0D00

	// RouteMarkEncrypt is the default route mark to use to indicate datapath
	// needs to encrypt a packet.
	RouteMarkEncrypt = 0x0E00

	// RouteMarkMask is the mask required for the route mark value
	RouteMarkMask = 0xF00

	// RouteProtocolIPSec is the IP protocol number of IPsec ESP (50), as
	// defined in RFC 4303
	RouteProtocolIPSec = 50

	// TunnelDeviceName is the default name of the tunnel device when using vxlan
	TunnelDeviceName = "cilium_vxlan"

	// IPsecMaxKeyVersion is the IPsec offset value for node rules
	IPsecMaxKeyVersion = 16

	// IPsecMarkMask is the mask required for the IPsec SPI and encrypt/decrypt bits
	IPsecMarkMask = 0xFF00

	// IPsecMarkMaskIn is the mask required for IPsec to lookup encrypt/decrypt bits
	IPsecMarkMaskIn = 0x0F00

	// IPsecKeyDeleteDelay is the time to wait before removing old keys when
	// the IPsec key is changing.
	IPsecKeyDeleteDelay = 5 * time.Minute
)
```
Linux-specific constants used in the Linux datapath
```go
const (
	// MagicMarkHostMask can be used to fetch the host/proxy-relevant magic
	// bits from a mark.
	MagicMarkHostMask int = 0x0F00

	// MagicMarkProxyMask can be used to fetch the proxy-relevant magic
	// bits from a mark.
	MagicMarkProxyMask int = 0x0E00

	// MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic
	// bits from a mark for proxy reply traffic.
	MagicMarkProxyNoIDMask int = 0xFFFFFEFF

	// MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask
	// to determine whether the mark is indicating that traffic is sourced
	// from a proxy.
	MagicMarkIsProxy int = 0x0A00

	// MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask
	// to determine whether the mark is indicating that traffic is destined
	// to a proxy.
	MagicMarkIsToProxy uint32 = 0x0200

	// MagicMarkIngress determines that the traffic is sourced from the
	// proxy which is applying Ingress policy
	MagicMarkIngress int = 0x0A00

	// MagicMarkEgress determines that the traffic is sourced from the
	// proxy which is applying Egress policy
	MagicMarkEgress int = 0x0B00

	// MagicMarkHost determines that the traffic is sourced from the local
	// host and not from a proxy.
	MagicMarkHost int = 0x0C00

	// MagicMarkIdentity determines that the traffic carries a security
	// identity in the skb->mark
	MagicMarkIdentity int = 0x0F00

	// MagicMarkK8sMasq determines that the traffic should be masqueraded
	// by kube-proxy in kubernetes environments.
	MagicMarkK8sMasq int = 0x4000

	// MagicMarkK8sDrop determines that the traffic should be dropped in
	// kubernetes environments.
	MagicMarkK8sDrop int = 0x8000
)
```
The skb mark is used to transmit both the security identity and special markers that identify traffic from and to proxies. The 32-bit mark field is laid out as follows (bit 1 is the most significant bit):

```
                     1                   2                   3
 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-------------------------------+-------+-------+---------------+
|L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U|
+-------------------------------+-------+-------+---------------+
 identity (low 16 bits)          k8s     mark    identity (high 8 bits)
```

Identity (24 bits), assembled from the U and L fields of the mark:

```
+-----------------------------------------------+
|U U U U U U U U|L L L L L L L L L L L L L L L L|
+-----------------------------------------------+
 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
```

Kubernetes Mark (4 bits):

```
R R R R
0 1 0 0  Masquerade  (MagicMarkK8sMasq, 0x4000)
1 0 0 0  Drop        (MagicMarkK8sDrop, 0x8000)
```

Cilium Mark (4 bits):

```
M M M M  (see MARK_MAGIC_* in bpf/lib/common.h)
```
Variables
This section is empty.
Functions
func GetMagicProxyMark (added in v1.6.0)
GetMagicProxyMark returns the magic marker with which each packet must be marked. The mark is different depending on whether the proxy is injected at ingress (MagicMarkIngress) or at egress (MagicMarkEgress).
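The following is an added, stand-alone Go example, not code from the Cilium package itself, that exercises the mark layout and the constants documented above. It copies the constants it needs, packs a 24-bit identity into the U/L fields as the diagram shows, reimplements the ingress/egress behaviour that the GetMagicProxyMark doc comment describes (the helper names encodeMark, decodeIdentity, proxyMark, isFromProxy, isToProxy, k8sAction and ipsecAction are this example's own, and the signature of Cilium's GetMagicProxyMark is not reproduced), and shows why MagicMarkProxyMask is the right mask for "is this from a proxy" while MagicMarkIsToProxy needs the full MagicMarkHostMask nibble. It rejects identities that do not fit in 24 bits and magic values that spill outside bits 8-11.

```go
package main

import "fmt"

// Constants copied from the page's const blocks so the example runs stand-alone.
const (
	MagicMarkHostMask  = 0x0F00
	MagicMarkProxyMask = 0x0E00
	MagicMarkIsProxy   = 0x0A00
	MagicMarkIsToProxy = 0x0200
	MagicMarkIngress   = 0x0A00
	MagicMarkEgress    = 0x0B00
	MagicMarkHost      = 0x0C00
	MagicMarkK8sMasq   = 0x4000
	MagicMarkK8sDrop   = 0x8000

	RouteMarkDecrypt = 0x0D00
	RouteMarkEncrypt = 0x0E00
	RouteMarkMask    = 0xF00
)

// identityMax is the largest identity the 24-bit U+L fields can carry.
const identityMax = 1<<24 - 1

// encodeMark (assumed helper, not Cilium's) packs a 24-bit identity and a
// 4-bit magic value into the skb mark per the diagram: identity bits 0-15
// go to mark bits 16-31 (L), identity bits 16-23 go to mark bits 0-7 (U),
// and the magic goes to mark bits 8-11 (M). The k8s nibble is left clear.
func encodeMark(magic uint32, identity uint32) (uint32, error) {
	if identity > identityMax {
		return 0, fmt.Errorf("identity %#x does not fit in 24 bits", identity)
	}
	if magic&^uint32(MagicMarkHostMask) != 0 {
		return 0, fmt.Errorf("magic %#x is not confined to bits 8-11", magic)
	}
	mark := magic
	mark |= (identity >> 16) & 0xFF   // high 8 identity bits -> U field
	mark |= (identity & 0xFFFF) << 16 // low 16 identity bits -> L field
	return mark, nil
}

// decodeIdentity reverses the identity placement done by encodeMark.
func decodeIdentity(mark uint32) uint32 {
	return (mark>>16)&0xFFFF | (mark&0xFF)<<16
}

// proxyMark mirrors the documented GetMagicProxyMark behaviour: an ingress
// proxy uses MagicMarkIngress, an egress proxy MagicMarkEgress, and the
// identity is embedded in the U/L fields. (Assumed reimplementation.)
func proxyMark(ingress bool, identity uint32) (uint32, error) {
	magic := uint32(MagicMarkEgress)
	if ingress {
		magic = MagicMarkIngress
	}
	return encodeMark(magic, identity)
}

// isFromProxy applies MagicMarkProxyMask: both 0x0A00 and 0x0B00 collapse
// to MagicMarkIsProxy under the 0x0E00 mask, while MagicMarkHost (0x0C00)
// does not, so one comparison covers ingress and egress proxies.
func isFromProxy(mark uint32) bool {
	return mark&MagicMarkProxyMask == MagicMarkIsProxy
}

// isToProxy must use the full host nibble: 0x0200 shares no bits with the
// proxy-source values and only an exact match on bits 8-11 is meaningful.
func isToProxy(mark uint32) bool {
	return mark&MagicMarkHostMask == MagicMarkIsToProxy
}

// k8sAction reads the Kubernetes nibble (bits 12-15); drop wins over masq.
func k8sAction(mark uint32) string {
	switch {
	case mark&MagicMarkK8sDrop != 0:
		return "drop"
	case mark&MagicMarkK8sMasq != 0:
		return "masquerade"
	}
	return "none"
}

// ipsecAction reads the encrypt/decrypt value that the IPsec route rules match on.
func ipsecAction(mark uint32) string {
	switch mark & RouteMarkMask {
	case RouteMarkEncrypt:
		return "encrypt"
	case RouteMarkDecrypt:
		return "decrypt"
	}
	return "none"
}

func main() {
	m, _ := proxyMark(true, 0x0A1B2C) // constructed sample identity
	fmt.Printf("mark=%#08x identity=%#x fromProxy=%v k8s=%s\n",
		m, decodeIdentity(m), isFromProxy(m), k8sAction(m|MagicMarkK8sMasq))
}
```

Running it prints mark=0x1b2c0a0a for identity 0x0A1B2C marked by an ingress proxy: the low 16 identity bits (0x1B2C) sit in the top half of the mark, the magic 0xA in bits 8-11, and the high identity byte (0x0A) in bits 0-7, which is exactly the U/L split the diagram describes.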
Types
This section is empty.