policymap

package
Published: May 20, 2022 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

+groupName=maps

Index

Constants

const (
	// PolicyCallMapName is the name of the map to do tail calls into policy
	// enforcement programs.
	PolicyCallMapName = "cilium_call_policy"

	// PolicyEgressCallMapName is the name of the map to do tail calls into egress policy
	// enforcement programs.
	PolicyEgressCallMapName = "cilium_egresscall_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction.
	MapName = "cilium_policy_"

	// PolicyCallMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID.
	PolicyCallMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)

	// PressureMetricThreshold sets the threshold over which map pressure will
	// be reported for the policy map.
	PressureMetricThreshold = 0.1
)
const SizeofPolicyEntry = int(unsafe.Sizeof(PolicyEntry{}))

SizeofPolicyEntry is the size of type PolicyEntry.

const SizeofPolicyKey = int(unsafe.Sizeof(PolicyKey{}))

SizeofPolicyKey is the size of type PolicyKey.

Variables

var (
	// MaxEntries is the upper limit of entries in the per endpoint policy
	// table ie the maximum number of peer identities that the endpoint could
	// send/receive traffic to/from. It is set by InitMapInfo(), but unit
	// tests use the initial value below.
	// The default value of this upper limit is 16384.
	MaxEntries = 16384
)

Functions

func CallString

func CallString(id uint16) string

CallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.

Derived from __section_tail(CILIUM_MAP_POLICY, NAME) per bpf/lib/tailcall.h.

func Create

func Create(path string) (bool, error)

Create creates a policy map at the specified path.

func EgressCallString

func EgressCallString(id uint16) string

EgressCallString returns the string which indicates the calls map by index in the ELF, and index into that call map for a specific endpoint.

Derived from __section_tail(CILIUM_MAP_EGRESSPOLICY, NAME) per bpf/lib/tailcall.h.

func InitCallMaps

func InitCallMaps(haveEgressCallMap bool) error

InitCallMaps creates the policy call maps in the kernel: cilium_call_policy and, when haveEgressCallMap is true, cilium_egresscall_policy.

func InitMapInfo

func InitMapInfo(maxEntries int)

InitMapInfo updates the map info defaults for policy maps.

func RemoveGlobalMapping

func RemoveGlobalMapping(id uint32, haveEgressCallMap bool) error

RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.

Types

type CallKey

type CallKey struct {
	// contains filtered or unexported fields
}

CallKey is the index into the prog array map. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey

func (*CallKey) DeepCopy

func (in *CallKey) DeepCopy() *CallKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallKey.

func (*CallKey) DeepCopyInto

func (in *CallKey) DeepCopyInto(out *CallKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CallKey) DeepCopyMapKey

func (in *CallKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*CallKey) GetKeyPtr

func (k *CallKey) GetKeyPtr() unsafe.Pointer

GetKeyPtr returns the unsafe pointer to the BPF key

func (CallKey) NewValue

func (k CallKey) NewValue() bpf.MapValue

NewValue returns a new empty instance of the structure representing the BPF map value.

func (*CallKey) String

func (k *CallKey) String() string

String converts the key into a human readable string format.

type CallValue

type CallValue struct {
	// contains filtered or unexported fields
}

CallValue is the program ID in the prog array map. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue

func (*CallValue) DeepCopy

func (in *CallValue) DeepCopy() *CallValue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CallValue.

func (*CallValue) DeepCopyInto

func (in *CallValue) DeepCopyInto(out *CallValue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CallValue) DeepCopyMapValue

func (in *CallValue) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*CallValue) GetValuePtr

func (v *CallValue) GetValuePtr() unsafe.Pointer

GetValuePtr returns the unsafe pointer to the BPF value

func (*CallValue) String

func (v *CallValue) String() string

String converts the value into a human readable string format.

type PlumbingKey

type PlumbingKey struct {
	// contains filtered or unexported fields
}

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey

func (*PlumbingKey) DeepCopy

func (in *PlumbingKey) DeepCopy() *PlumbingKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingKey.

func (*PlumbingKey) DeepCopyInto

func (in *PlumbingKey) DeepCopyInto(out *PlumbingKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PlumbingKey) DeepCopyMapKey

func (in *PlumbingKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*PlumbingKey) GetKeyPtr

func (k *PlumbingKey) GetKeyPtr() unsafe.Pointer

func (*PlumbingKey) NewValue

func (k *PlumbingKey) NewValue() bpf.MapValue

func (*PlumbingKey) String

func (k *PlumbingKey) String() string

type PlumbingValue

type PlumbingValue struct {
	// contains filtered or unexported fields
}

+k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue

func (*PlumbingValue) DeepCopy

func (in *PlumbingValue) DeepCopy() *PlumbingValue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlumbingValue.

func (*PlumbingValue) DeepCopyInto

func (in *PlumbingValue) DeepCopyInto(out *PlumbingValue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PlumbingValue) DeepCopyMapValue

func (in *PlumbingValue) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*PlumbingValue) GetValuePtr

func (v *PlumbingValue) GetValuePtr() unsafe.Pointer

func (*PlumbingValue) String

func (v *PlumbingValue) String() string

type PolicyEntriesDump

type PolicyEntriesDump []PolicyEntryDump

PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump

func (PolicyEntriesDump) Less

func (p PolicyEntriesDump) Less(i, j int) bool

Less is a function used to sort PolicyEntriesDump by Policy Type (Deny / Allow), TrafficDirection (Ingress / Egress) and Identity (ascending order).

func (PolicyEntriesDump) String

func (p PolicyEntriesDump) String() string

String returns a string representation of PolicyEntriesDump

type PolicyEntry

type PolicyEntry struct {
	ProxyPort uint16 `align:"proxy_port"` // In network byte-order
	Flags     uint8  `align:"deny"`
	Pad0      uint8  `align:"pad0"`
	Pad1      uint16 `align:"pad1"`
	Pad2      uint16 `align:"pad2"`
	Packets   uint64 `align:"packets"`
	Bytes     uint64 `align:"bytes"`
}

PolicyEntry represents an entry in the BPF policy map for an endpoint. It must match the layout of policy_entry in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapValue

func (*PolicyEntry) Add

func (pe *PolicyEntry) Add(oPe PolicyEntry)

func (*PolicyEntry) DeepCopy

func (in *PolicyEntry) DeepCopy() *PolicyEntry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyEntry.

func (*PolicyEntry) DeepCopyInto

func (in *PolicyEntry) DeepCopyInto(out *PolicyEntry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyEntry) DeepCopyMapValue

func (in *PolicyEntry) DeepCopyMapValue() bpf.MapValue

DeepCopyMapValue is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapValue.

func (*PolicyEntry) GetFlags

func (pe *PolicyEntry) GetFlags() uint8

func (*PolicyEntry) GetValuePtr

func (pe *PolicyEntry) GetValuePtr() unsafe.Pointer

func (*PolicyEntry) NewValue

func (pe *PolicyEntry) NewValue() bpf.MapValue

func (*PolicyEntry) SetFlags

func (pe *PolicyEntry) SetFlags(flags uint8)

func (*PolicyEntry) String

func (pe *PolicyEntry) String() string

func (*PolicyEntry) ToHost

func (pe *PolicyEntry) ToHost() PolicyEntry

ToHost returns a copy of entry with fields converted from network byte-order to host-byte-order if necessary.

type PolicyEntryDump

type PolicyEntryDump struct {
	PolicyEntry
	Key PolicyKey
}

type PolicyEntryFlagParam

type PolicyEntryFlagParam struct {
	IsDeny bool
}

type PolicyEntryFlags

type PolicyEntryFlags uint8

PolicyEntryFlags is a new type used to define the flags used in the policy entry.

func NewPolicyEntryFlag

func NewPolicyEntryFlag(p *PolicyEntryFlagParam) PolicyEntryFlags

NewPolicyEntryFlag returns a PolicyEntryFlags from the PolicyEntryFlagParam.

func (PolicyEntryFlags) IsDeny

func (pef PolicyEntryFlags) IsDeny() bool

func (PolicyEntryFlags) String

func (pef PolicyEntryFlags) String() string

String returns the string implementation of PolicyEntryFlags.

func (PolicyEntryFlags) UInt8

func (pef PolicyEntryFlags) UInt8() uint8

UInt8 returns the UInt8 representation of the PolicyEntryFlags.

type PolicyKey

type PolicyKey struct {
	Identity         uint32 `align:"sec_label"`
	DestPort         uint16 `align:"dport"` // In network byte-order
	Nexthdr          uint8  `align:"protocol"`
	TrafficDirection uint8  `align:"egress"`
}

PolicyKey represents a key in the BPF policy map for an endpoint. It must match the layout of policy_key in bpf/lib/common.h. +k8s:deepcopy-gen=true +k8s:deepcopy-gen:interfaces=github.com/cilium/cilium/pkg/bpf.MapKey

func (*PolicyKey) DeepCopy

func (in *PolicyKey) DeepCopy() *PolicyKey

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyKey.

func (*PolicyKey) DeepCopyInto

func (in *PolicyKey) DeepCopyInto(out *PolicyKey)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyKey) DeepCopyMapKey

func (in *PolicyKey) DeepCopyMapKey() bpf.MapKey

DeepCopyMapKey is an autogenerated deepcopy function, copying the receiver, creating a new bpf.MapKey.

func (*PolicyKey) GetKeyPtr

func (key *PolicyKey) GetKeyPtr() unsafe.Pointer

func (*PolicyKey) NewValue

func (key *PolicyKey) NewValue() bpf.MapValue

func (*PolicyKey) String

func (key *PolicyKey) String() string

func (*PolicyKey) ToHost

func (key *PolicyKey) ToHost() PolicyKey

ToHost returns a copy of key with fields converted from network byte-order to host-byte-order if necessary.

func (*PolicyKey) ToNetwork

func (key *PolicyKey) ToNetwork() PolicyKey

ToNetwork returns a copy of key with fields converted from host byte-order to network-byte-order if necessary.

type PolicyMap

type PolicyMap struct {
	*bpf.Map
}

func Open

func Open(path string) (*PolicyMap, error)

Open opens the policymap at the specified path.

func OpenOrCreate

func OpenOrCreate(path string) (*PolicyMap, bool, error)

OpenOrCreate opens (or creates) a policy map at the specified path, which is used to govern which peer identities can communicate with the endpoint protected by this map.

func (*PolicyMap) Allow

func (pm *PolicyMap) Allow(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection, proxyPort uint16) error

Allow pushes an entry into the PolicyMap to allow traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. A non-zero `proxyPort` redirects matching traffic to the L7 proxy listening on that port; zero means no redirect. It is assumed that `dport` and `proxyPort` are in host byte-order.

func (*PolicyMap) AllowKey

func (pm *PolicyMap) AllowKey(k PolicyKey, proxyPort uint16) error

AllowKey pushes an allow entry into the PolicyMap for the given PolicyKey k, with the same `proxyPort` semantics as Allow. Returns an error if the update of the PolicyMap fails.

func (*PolicyMap) Delete

func (pm *PolicyMap) Delete(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error

Delete removes an entry from the PolicyMap for identity `id` sending traffic in direction `trafficDirection` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order. Returns an error if the deletion did not succeed.

func (*PolicyMap) DeleteEntry

func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error

DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.

func (*PolicyMap) DeleteKey

func (pm *PolicyMap) DeleteKey(key PolicyKey) error

DeleteKey deletes the key-value pair from the given PolicyMap with PolicyKey key. Returns an error if deletion from the PolicyMap fails.

func (*PolicyMap) Deny

func (pm *PolicyMap) Deny(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) error

Deny pushes an entry into the PolicyMap to deny traffic in the given `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.

func (*PolicyMap) DenyKey

func (pm *PolicyMap) DenyKey(k PolicyKey) error

DenyKey pushes a deny entry into the PolicyMap for the given PolicyKey k. Returns an error if the update of the PolicyMap fails.

func (*PolicyMap) Dump

func (pm *PolicyMap) Dump() (string, error)

func (*PolicyMap) DumpToSlice

func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)

func (*PolicyMap) Exists

func (pm *PolicyMap) Exists(id uint32, dport uint16, proto u8proto.U8proto, trafficDirection trafficdirection.TrafficDirection) bool

Exists determines whether PolicyMap currently contains an entry that allows traffic in `trafficDirection` for identity `id` with destination port `dport` over protocol `proto`. It is assumed that `dport` is in host byte-order.

func (*PolicyMap) String

func (pm *PolicyMap) String() string

String returns a human-readable string representing the policy map.
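The contracts above (PolicyKey and PolicyEntry must match the C layouts in bpf/lib/common.h, ports live in network byte-order inside the map while Allow/Deny/Exists take host-order ports, and PolicyEntriesDump.Less orders deny before allow, ingress before egress, identity ascending) are easy to get wrong when writing tooling against these maps. The following is an added, stand-alone example and not code from the cilium project: it copies the two struct layouts from this page, stands in a Go map for the BPF map so it runs without a kernel, and checks the byte layout the kernel would see. Assumptions are marked in comments: the deny flag is taken to be bit 0 of Flags, TrafficDirection is taken to be 0 for ingress and 1 for egress, and the sort mirrors the ordering Less documents rather than calling the package itself.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"sort"
	"unsafe"
)

// Copies of the PolicyKey and PolicyEntry layouts documented on this page (policy_key /
// policy_entry in bpf/lib/common.h), duplicated so the example builds without cilium or a kernel.
type PolicyKey struct {
	Identity         uint32 // sec_label
	DestPort         uint16 // dport, network byte-order inside the map
	Nexthdr          uint8  // protocol
	TrafficDirection uint8  // egress: 0 = ingress, 1 = egress (assumption)
}

type PolicyEntry struct {
	ProxyPort      uint16 // network byte-order inside the map
	Flags, Pad0    uint8  // Flags bit 0 = deny (assumption: the only flag this page defines)
	Pad1, Pad2     uint16
	Packets, Bytes uint64
}

const (
	SizeofPolicyKey   = int(unsafe.Sizeof(PolicyKey{}))
	SizeofPolicyEntry = int(unsafe.Sizeof(PolicyEntry{}))
	AllPorts          = uint16(0)
	flagDeny          = uint8(1)
	Ingress, Egress   = uint8(0), uint8(1)
)

// hton16 returns the value whose in-memory bytes are the network-order encoding of v.
// It is the identity on big-endian hosts and its own inverse, so ToHost and ToNetwork share it.
func hton16(v uint16) uint16 {
	host := (*[2]byte)(unsafe.Pointer(&v)) // the bytes of v in host order
	return binary.BigEndian.Uint16(host[:])
}

func (k PolicyKey) ToNetwork() PolicyKey { k.DestPort = hton16(k.DestPort); return k }
func (k PolicyKey) ToHost() PolicyKey    { k.DestPort = hton16(k.DestPort); return k }

// KeyBytes exposes the raw bytes the kernel sees, as GetKeyPtr does.
func KeyBytes(k *PolicyKey) []byte {
	return unsafe.Slice((*byte)(unsafe.Pointer(k)), SizeofPolicyKey)
}

// PolicyMap stands in for the BPF map; keys are stored in network order, as Allow and Deny store them.
type PolicyMap map[PolicyKey]PolicyEntry

func (pm PolicyMap) Allow(id uint32, dport uint16, proto, dir uint8, proxyPort uint16) {
	pm[PolicyKey{id, dport, proto, dir}.ToNetwork()] = PolicyEntry{ProxyPort: hton16(proxyPort)}
}

func (pm PolicyMap) Deny(id uint32, dport uint16, proto, dir uint8) {
	pm[PolicyKey{id, dport, proto, dir}.ToNetwork()] = PolicyEntry{Flags: flagDeny}
}

// Exists takes dport in host order; without ToNetwork a little-endian host would look up 8080 as 36895 and miss.
func (pm PolicyMap) Exists(id uint32, dport uint16, proto, dir uint8) bool {
	_, ok := pm[PolicyKey{id, dport, proto, dir}.ToNetwork()]
	return ok
}

type PolicyEntryDump struct{ PolicyEntry; Key PolicyKey }

// DumpToSlice converts entries back to host order and sorts them the way
// PolicyEntriesDump.Less does: deny before allow, ingress before egress, identity ascending.
func (pm PolicyMap) DumpToSlice() []PolicyEntryDump {
	out := make([]PolicyEntryDump, 0, len(pm))
	for k, e := range pm {
		e.ProxyPort = hton16(e.ProxyPort)
		out = append(out, PolicyEntryDump{PolicyEntry: e, Key: k.ToHost()})
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if ad, bd := a.Flags&flagDeny != 0, b.Flags&flagDeny != 0; ad != bd {
			return ad
		}
		if a.Key.TrafficDirection != b.Key.TrafficDirection {
			return a.Key.TrafficDirection < b.Key.TrafficDirection
		}
		return a.Key.Identity < b.Key.Identity
	})
	return out
}

func main() {
	pm := PolicyMap{}
	pm.Allow(1234, 8080, 6, Egress, 15001)  // TCP/8080 to identity 1234, redirected to proxy port 15001
	pm.Allow(1234, AllPorts, 0, Ingress, 0) // L3-only entry: any port and protocol from identity 1234
	pm.Deny(42, 53, 17, Egress)             // UDP/53 to identity 42
	for _, d := range pm.DumpToSlice() {
		fmt.Printf("%+v proxy=%d deny=%v\n", d.Key, d.ProxyPort, d.Flags&flagDeny != 0)
	}
}
```

The sizes come out as 8 bytes for the key and 24 for the entry, which is what the `align` tags on this page pin against the C structs; if a field is added or reordered on one side only, that constant is the first thing that changes, so comparing it against the C side is a cheap guard before touching a live map.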

type PolicyPlumbingMap

type PolicyPlumbingMap struct {
	*bpf.Map
}

PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.

func OpenCallMap

func OpenCallMap(name string) (*PolicyPlumbingMap, error)

OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.
