Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // Bits in the state flags field. FlagDestIsHost uint64 = 1 << 2 FlagSrcIsHost uint64 = 1 << 3 FlagLogPacket uint64 = 1 << 10 )
Functions ¶
func SubProgramJumpIdx ¶
Types ¶
type Builder ¶
type Builder struct {
// contains filtered or unexported fields
}
func NewBuilder ¶
func (*Builder) Instructions ¶
type Option ¶
type Option func(b *Builder)
Option is an additional option that can change default behaviour
func WithAllowDenyJumps ¶
func WithPolicyDebugEnabled ¶
func WithPolicyDebugEnabled() Option
WithPolicyDebug enables policy debug.
func WithPolicyMapIndexAndStride ¶
WithPolicyMapIndexAndStride tells the builder the "shape" of the policy jump map, allowing it to split the program if it gets too large. entryPointIdx is the jump map key for the first "entry point" program. stride is the number of indexes to skip to get to the next sub-program. If WithPolicyMapIndexAndStride is not provided, program-splitting is disabled.
type Rule ¶
type Rule struct { *proto.Rule MatchID RuleMatchID }
type RuleMatchID ¶
type RuleMatchID = uint64
type Rules ¶
type Rules struct { // Both workload and host interfaces can enforce host endpoint policy (carried here in the // Host... fields); in the case of a workload interface, that can only come from the // wildcard host endpoint, aka "host-*". // // However, only a workload interface can have any workload policy (carried here in the // Tiers and Profiles fields), and workload interfaces also Deny by default when there is no // workload policy at all. ForHostInterface (with reversed polarity) is the boolean that // tells us whether or not to implement workload policy and that default Deny. ForHostInterface bool // Indicates to suppress normal host policy because it's trumped by the setting of // DefaultEndpointToHostAction. SuppressNormalHostPolicy bool // Workload policy. Tiers []Tier Profiles []Profile // Host endpoint policy. HostPreDnatTiers []Tier HostForwardTiers []Tier HostNormalTiers []Tier HostProfiles []Profile // True when building a policy program for XDP, as opposed to for TC. This also means that // we are implementing untracked policy (provided in the HostNormalTiers field) and that // traffic is allowed to continue if not explicitly allowed or denied. ForXDP bool }
type Tier ¶
type Tier struct { Name string EndAction TierEndAction Policies []Policy }
type TierEndAction ¶
type TierEndAction string
const ( TierEndUndef TierEndAction = "" TierEndDeny TierEndAction = "deny" TierEndPass TierEndAction = "pass" )
Click to show internal directories.
Click to hide internal directories.