Documentation
Index
- func LoadBpf() (*ebpf.CollectionSpec, error)
- func LoadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error
- type BpfEventHdrSt
- type BpfLpmIpKeySt
- type BpfMapSpecs
- type BpfMaps
- type BpfObjects
- type BpfProgramSpecs
- type BpfPrograms
- type BpfRuleStatisticsSt
- type BpfRuleTypeSt
- type BpfRulesValSt
- type BpfSpecs
- type IngNodeFwController
- func (infc *IngNodeFwController) Close() error
- func (infc *IngNodeFwController) GetBPFMapContentForTest() (map[BpfLpmIpKeySt]BpfRulesValSt, error)
- func (infc *IngNodeFwController) GetStatisticsMap() *ebpf.Map
- func (infc *IngNodeFwController) IngressNodeFwAttach(ifacesName ...string) error
- func (infc *IngNodeFwController) IngressNodeFwDetach(interfaceNames ...string) error
- func (infc *IngNodeFwController) IngressNodeFwRulesLoader(ifaceIngressRules map[string][]v1alpha1.IngressNodeFirewallRules) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func LoadBpf
func LoadBpf() (*ebpf.CollectionSpec, error)
LoadBpf returns the embedded CollectionSpec for Bpf.
func LoadBpfObjects
func LoadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error
LoadBpfObjects loads Bpf and converts it into a struct.
The following types are suitable as obj argument:
- *BpfObjects
- *BpfPrograms
- *BpfMaps
See ebpf.CollectionSpec.LoadAndAssign documentation for details.
Types
type BpfEventHdrSt
type BpfLpmIpKeySt
func BuildEBPFKey
func BuildEBPFKey(ifID uint32, cidr string) (BpfLpmIpKeySt, error)
BuildEBPFKey builds a key object from an ifID and a cidr.
type BpfMapSpecs
type BpfMapSpecs struct {
	IngressNodeFirewallDbgMap        *ebpf.MapSpec `ebpf:"ingress_node_firewall_dbg_map"`
	IngressNodeFirewallEventsMap     *ebpf.MapSpec `ebpf:"ingress_node_firewall_events_map"`
	IngressNodeFirewallStatisticsMap *ebpf.MapSpec `ebpf:"ingress_node_firewall_statistics_map"`
	IngressNodeFirewallTableMap      *ebpf.MapSpec `ebpf:"ingress_node_firewall_table_map"`
}
BpfMapSpecs contains maps before they are loaded into the kernel.
It can be passed to ebpf.CollectionSpec.Assign.
type BpfMaps
type BpfMaps struct {
	IngressNodeFirewallDbgMap        *ebpf.Map `ebpf:"ingress_node_firewall_dbg_map"`
	IngressNodeFirewallEventsMap     *ebpf.Map `ebpf:"ingress_node_firewall_events_map"`
	IngressNodeFirewallStatisticsMap *ebpf.Map `ebpf:"ingress_node_firewall_statistics_map"`
	IngressNodeFirewallTableMap      *ebpf.Map `ebpf:"ingress_node_firewall_table_map"`
}
BpfMaps contains all maps after they have been loaded into the kernel.
It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
type BpfObjects
type BpfObjects struct {
	BpfPrograms
	BpfMaps
}
BpfObjects contains all objects after they have been loaded into the kernel.
It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
func (*BpfObjects) Close
func (o *BpfObjects) Close() error
type BpfProgramSpecs
type BpfProgramSpecs struct {
	TcxIngressNodeFirewallProcess *ebpf.ProgramSpec `ebpf:"tcx_ingress_node_firewall_process"`
	XdpIngressNodeFirewallProcess *ebpf.ProgramSpec `ebpf:"xdp_ingress_node_firewall_process"`
}
BpfProgramSpecs contains programs before they are loaded into the kernel.
It can be passed to ebpf.CollectionSpec.Assign.
type BpfPrograms
type BpfPrograms struct {
	TcxIngressNodeFirewallProcess *ebpf.Program `ebpf:"tcx_ingress_node_firewall_process"`
	XdpIngressNodeFirewallProcess *ebpf.Program `ebpf:"xdp_ingress_node_firewall_process"`
}
BpfPrograms contains all programs after they have been loaded into the kernel.
It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
func (*BpfPrograms) Close
func (p *BpfPrograms) Close() error
type BpfRuleStatisticsSt
type BpfRuleTypeSt
type BpfRulesValSt
type BpfRulesValSt struct {
	Rules [100]BpfRuleTypeSt
}
type BpfSpecs
type BpfSpecs struct {
	BpfProgramSpecs
	BpfMapSpecs
}
BpfSpecs contains maps and programs before they are loaded into the kernel.
It can be passed to ebpf.CollectionSpec.Assign.
type IngNodeFwController
type IngNodeFwController struct {
	// UseBpfManager indicates whether the eBPF program manager (e.g., bpfman) is used
	// for managing eBPF programs. If true, bpfman manages the programs; if false,
	// the system uses the default eBPF program management.
	UseBpfManager bool
	// contains filtered or unexported fields
}
IngNodeFwController is the object that holds the controls for starting the ingress node firewall resource.
func NewIngNodeFwController
func NewIngNodeFwController() (*IngNodeFwController, error)
NewIngNodeFwController creates a new IngressNodeFirewall controller object.
func (*IngNodeFwController) Close
func (infc *IngNodeFwController) Close() error
Close closes the current objs and removes all interface pins and the ebpf table map.
func (*IngNodeFwController) GetBPFMapContentForTest
func (infc *IngNodeFwController) GetBPFMapContentForTest() (map[BpfLpmIpKeySt]BpfRulesValSt, error)
GetBPFMapContentForTest lists all existing keys and rules inside the map. Used for unit testing.
func (*IngNodeFwController) GetStatisticsMap
func (infc *IngNodeFwController) GetStatisticsMap() *ebpf.Map
GetStatisticsMap returns the statistics map of the object.
func (*IngNodeFwController) IngressNodeFwAttach
func (infc *IngNodeFwController) IngressNodeFwAttach(ifacesName ...string) error
IngressNodeFwAttach attaches the eBPF program to a given list of interfaces and pins them to different pinDirs. For each provided interface name:
i) Look up the network interface by name.
ii) Attach the program to the interface.
iii) Pin the XDP program.
func (*IngNodeFwController) IngressNodeFwDetach
func (infc *IngNodeFwController) IngressNodeFwDetach(interfaceNames ...string) error
IngressNodeFwDetach detaches the eBPF program from the list of interfaces and cleans up the interfaces. Additionally, it unloads all firewall rules that are associated to the interfaces.
func (*IngNodeFwController) IngressNodeFwRulesLoader
func (infc *IngNodeFwController) IngressNodeFwRulesLoader(ifaceIngressRules map[string][]v1alpha1.IngressNodeFirewallRules) error
IngressNodeFwRulesLoader adds/updates/deletes ingress node firewall rules to the eBPF LPM MAP in an idempotent way. IngressNodeFwRulesLoader executes the following actions in order:
i) Get eBPF objs to create/update eBPF maps and get map info.
ii) Build a map of valid ebpfKeys pointing to the ebpfRules that should be associated to them (built from ifaceIngressRules).
iii) Get stale keys (= keys inside the eBPF map but not inside the currently desired ruleset).
iv) Purge all stale keys from the eBPF map.
v) Add/update all keys. This is an idempotent action and non-existing keys are added whereas existing keys are updated.
vi) Generate ingress node firewall events.
In the context of this method, stale keys are keys that figure inside the eBPF map but that are not generated during step ii) from the provided ingressRules slice.
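As an added example (not the project's own code), the reconciliation that IngressNodeFwRulesLoader documents in steps ii) to v), together with the key construction that BuildEBPFKey describes, carried out against an in-memory map that stands in for the eBPF LPM map. The key layout (LpmIpKey, with a prefix length covering the ifindex bits plus the address prefix), the Rule and RuleVal types, the name-to-ifindex table and the sample rules are all assumptions constructed for this example; the real BpfLpmIpKeySt and BpfRulesValSt layouts are not shown on this page.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// LpmIpKey is an assumed stand-in for BpfLpmIpKeySt; the real layout is not on
// the page. PrefixLen counts the 32 ifindex bits plus the address prefix, so a
// lookup only matches entries installed for the packet's ingress interface.
type LpmIpKey struct {
	PrefixLen  uint32
	IngIfindex uint32
	IpData     [16]byte // IPv4 uses the first 4 bytes, IPv6 all 16
}

// Rule is a minimal stand-in for v1alpha1.IngressNodeFirewallRules.
type Rule struct {
	SourceCIDR string
	Order      uint32
}

// RuleVal is a stand-in for BpfRulesValSt: the rule orders stored under one key.
type RuleVal struct {
	Orders []uint32
}

// BuildKey follows the documented contract of BuildEBPFKey: an ifID and a CIDR
// become one LPM key. Host bits are masked off, so "10.0.0.5/24" and
// "10.0.0.0/24" yield the same key.
func BuildKey(ifID uint32, cidr string) (LpmIpKey, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return LpmIpKey{}, fmt.Errorf("invalid cidr %q: %w", cidr, err)
	}
	ones, bits := ipnet.Mask.Size()
	key := LpmIpKey{PrefixLen: 32 + uint32(ones), IngIfindex: ifID}
	if bits == 32 {
		copy(key.IpData[:4], ipnet.IP.To4())
	} else {
		copy(key.IpData[:], ipnet.IP.To16())
	}
	return key, nil
}

// Reconcile performs steps ii) to v) of IngressNodeFwRulesLoader against an
// in-memory map standing in for the eBPF LPM map. ifIDs is a constructed
// name-to-ifindex table, since this example does not query the host. It
// returns the stale keys it purged.
func Reconcile(current map[LpmIpKey]RuleVal, ifIDs map[string]uint32, desired map[string][]Rule) ([]LpmIpKey, error) {
	// ii) desired ruleset keyed by LPM key; interfaces visited in a fixed order
	want := make(map[LpmIpKey]RuleVal)
	names := make([]string, 0, len(desired))
	for name := range desired {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		ifID, ok := ifIDs[name]
		if !ok {
			return nil, fmt.Errorf("unknown interface %q", name)
		}
		for _, r := range desired[name] {
			key, err := BuildKey(ifID, r.SourceCIDR)
			if err != nil {
				return nil, err // fail before touching the map: a bad rule must not purge good ones
			}
			v := want[key]
			v.Orders = append(v.Orders, r.Order)
			want[key] = v
		}
	}
	// iii) stale = present in the map, absent from the desired set
	var stale []LpmIpKey
	for key := range current {
		if _, keep := want[key]; !keep {
			stale = append(stale, key)
		}
	}
	// iv) purge stale keys
	for _, key := range stale {
		delete(current, key)
	}
	// v) add missing keys and overwrite existing ones (idempotent)
	for key, v := range want {
		current[key] = v
	}
	return stale, nil
}

func main() {
	current := map[LpmIpKey]RuleVal{}
	old, _ := BuildKey(3, "192.168.1.0/24") // constructed leftover entry
	current[old] = RuleVal{Orders: []uint32{1}}
	desired := map[string][]Rule{ // constructed sample rules
		"eth0": {{SourceCIDR: "10.0.0.5/24", Order: 1}, {SourceCIDR: "2001:db8::/32", Order: 2}},
	}
	stale, err := Reconcile(current, map[string]uint32{"eth0": 3}, desired)
	if err != nil {
		panic(err)
	}
	fmt.Printf("purged %d stale key(s); map now holds %d key(s)\n", len(stale), len(current))
}
```

Two properties of the documented procedure are visible here: every key is validated before any deletion, so a single malformed CIDR or unknown interface name leaves the existing ruleset intact rather than purging it, and a second run with the same input finds nothing stale and rewrites the same values, which is the idempotency the doc comment promises.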