ctmap

package
v1.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2026 License: Apache-2.0 Imports: 28 Imported by: 97

Documentation

Overview

+groupName=maps

Index

Constants

View Source 
const (

	// Map names for TCP CT tables are retained from Cilium 1.0 naming
	// scheme to minimize disruption of ongoing connections during upgrade.
	MapNamePrefix     = "cilium_ct"
	MapNameTCP6       = MapNamePrefix + "6_"
	MapNameTCP4       = MapNamePrefix + "4_"
	MapNameTCP6Global = MapNameTCP6 + "global"
	MapNameTCP4Global = MapNameTCP4 + "global"

	// Map names for "any" protocols indicate CT for non-TCP protocols.
	MapNameAny6       = MapNamePrefix + "_any6_"
	MapNameAny4       = MapNamePrefix + "_any4_"
	MapNameAny6Global = MapNameAny6 + "global"
	MapNameAny4Global = MapNameAny4 + "global"

	TUPLE_F_OUT     = 0
	TUPLE_F_IN      = 1
	TUPLE_F_RELATED = 2
	TUPLE_F_SERVICE = 4

	// MaxTime specifies the last possible time for GCFilter.Time
	MaxTime = math.MaxUint32
)
View Source 
const (
	RxClosing = 1 << iota
	TxClosing
	Nat64
	LBLoopback
	SeenNonSyn
	NodePort
	ProxyRedirect
	DSRInternal
	FromL7LB
	Reserved1
	FromTunnel
	MaxFlags
)
View Source 
const SizeofCtEntry = int(unsafe.Sizeof(CtEntry{}))
View Source 
const SizeofCtKey6Global = int(unsafe.Sizeof(CtKey6Global{}))

Variables

View Source 
var Cell = cell.Module(
	"ct-map",
	"eBPF map which manages connection tracking",

	cell.Provide(newCTMaps),
)

Cell provides the ctmap.Map which contains the connection tracking state.

View Source 
var ClusterOuterMapName = clusterOuterMapName

ClusterOuterMapName returns the name of the outer per-cluster CT map for the given type. It can be overwritten for testing purposes.

Functions

func CleanupPerClusterCTMaps added in v0.15.7 

func CleanupPerClusterCTMaps(ipv4, ipv6 bool) error

CleanupPerClusterCTMaps deletes the per-cluster CT maps, including the inner ones.

func ClusterInnerMapName added in v0.15.7 

func ClusterInnerMapName(typ mapType, clusterID uint32) string

ClusterInnerMapName returns the name of the inner per-cluster NAT map for the given IP family and cluster ID.

func ClusterOuterMapNameTestOverride added in v0.15.7 

func ClusterOuterMapNameTestOverride(prefix string)

func DumpEntriesWithTimeDiff added in v0.15.7 

func DumpEntriesWithTimeDiff(m CtMap, clockSource *models.ClockSource) (string, error)

DumpEntriesWithTimeDiff iterates through Map m and writes the values of the ct entries in m to a string. If clockSource is not nil, it uses it to compute the time difference of each entry from now and prints that too.

func InitMapInfo added in v0.15.7 

func InitMapInfo(nat4 nat.NatMap4, nat6 nat.NatMap6)

InitMapInfo builds the information about different CT maps for the combination of L3/L4 protocols.

func NatMapNext4 added in v1.17.0 

func NatMapNext4(event GCEvent)

func NatMapNext6 added in v1.17.0 

func NatMapNext6(event GCEvent)

func NewPerClusterCTMaps added in v0.15.7 

func NewPerClusterCTMaps(ipv4, ipv6 bool) *perClusterCTMaps

NewPerClusterCTMaps returns a new instance of the per-cluster CT maps manager.

func OpenCTMap added in v1.16.0 

func OpenCTMap(m CtMap) (path string, err error)

OpenCTMap is a convenience function to open CT maps. It is the responsibility of the caller to ensure that m.Close() is called after this function.

Types

type CTMaps added in v1.19.0 

type CTMaps interface {
	// ActiveMaps returns a slice of global CT maps that are used, depending
	// on whether IPv4 and/or IPv6 is configured.
	ActiveMaps() []*Map
}

CTMaps provides access to the active connection tracking BPF maps.

type CtEntry 

type CtEntry struct {
	Union0   [2]uint64 `align:"$union0"`
	Packets  uint64    `align:"packets"`
	Bytes    uint64    `align:"bytes"`
	Lifetime uint32    `align:"lifetime"`
	Flags    uint16    `align:"rx_closing"`
	// RevNAT is in network byte order
	RevNAT uint16 `align:"rev_nat_index"`
	// NatPort is in network byte order
	NatPort          uint16 `align:"nat_port"`
	TxFlagsSeen      uint8  `align:"tx_flags_seen"`
	RxFlagsSeen      uint8  `align:"rx_flags_seen"`
	SourceSecurityID uint32 `align:"src_sec_id"`
	LastTxReport     uint32 `align:"last_tx_report"`
	LastRxReport     uint32 `align:"last_rx_report"`
}

CtEntry represents an entry in the connection tracking table.

func (*CtEntry) New added in v0.15.7 

func (c *CtEntry) New() bpf.MapValue

func (*CtEntry) String added in v0.15.7 

func (c *CtEntry) String() string

String returns the readable format

func (*CtEntry) StringWithTimeDiff added in v0.15.7 

func (c *CtEntry) StringWithTimeDiff(toRemSecs func(uint32) string) string

type CtKey 

type CtKey interface {
	bpf.MapKey

	// ToNetwork converts fields to network byte order.
	ToNetwork() CtKey

	// ToHost converts fields to host byte order.
	ToHost() CtKey

	// Dump contents of key to sb. Returns true if successful.
	Dump(sb *strings.Builder, reverse bool) bool

	// GetFlags flags containing the direction of the CtKey.
	GetFlags() uint8

	GetTupleKey() tuple.TupleKey
}

type CtKey4Global added in v0.9.0 

type CtKey4Global struct {
	tuple.TupleKey4Global
}

func (*CtKey4Global) Dump added in v0.9.0 

func (k *CtKey4Global) Dump(sb *strings.Builder, reverse bool) bool

Dump writes the contents of key to sb and returns true if the value for next header in the key is nonzero.

func (*CtKey4Global) GetFlags added in v0.15.7 

func (k *CtKey4Global) GetFlags() uint8

GetFlags returns the tuple's flags.

func (*CtKey4Global) GetTupleKey added in v0.15.7 

func (k *CtKey4Global) GetTupleKey() tuple.TupleKey

func (*CtKey4Global) New added in v0.15.7 

func (k *CtKey4Global) New() bpf.MapKey

func (*CtKey4Global) String added in v0.9.0 

func (k *CtKey4Global) String() string

func (*CtKey4Global) ToHost added in v0.10.0 

func (k *CtKey4Global) ToHost() CtKey

ToHost converts ports to host byte order.

This is necessary to prevent callers from implicitly converting the CtKey4Global type here into a local key type in the nested TupleKey4Global field.

func (*CtKey4Global) ToNetwork added in v0.10.0 

func (k *CtKey4Global) ToNetwork() CtKey

ToNetwork converts ports to network byte order.

This is necessary to prevent callers from implicitly converting the CtKey4Global type here into a local key type in the nested TupleKey4Global field.

type CtKey6Global added in v0.9.0 

type CtKey6Global struct {
	tuple.TupleKey6Global
}

CtKey6Global is needed to provide CtEntry type to Lookup values

func (*CtKey6Global) Dump added in v0.9.0 

func (k *CtKey6Global) Dump(sb *strings.Builder, reverse bool) bool

Dump writes the contents of key to sb and returns true if the value for next header in the key is nonzero.

func (*CtKey6Global) GetFlags added in v0.15.7 

func (k *CtKey6Global) GetFlags() uint8

GetFlags returns the tuple's flags.

func (*CtKey6Global) GetTupleKey added in v0.15.7 

func (k *CtKey6Global) GetTupleKey() tuple.TupleKey

func (*CtKey6Global) New added in v0.15.7 

func (k *CtKey6Global) New() bpf.MapKey

func (*CtKey6Global) String added in v0.9.0 

func (k *CtKey6Global) String() string

func (*CtKey6Global) ToHost added in v0.10.0 

func (k *CtKey6Global) ToHost() CtKey

ToHost converts ports to host byte order.

This is necessary to prevent callers from implicitly converting the CtKey6Global type here into a local key type in the nested TupleKey6Global field.

func (*CtKey6Global) ToNetwork added in v0.10.0 

func (k *CtKey6Global) ToNetwork() CtKey

ToNetwork converts ports to network byte order.

This is necessary to prevent callers from implicitly converting the CtKey6Global type here into a local key type in the nested TupleKey6Global field.

type CtMap 

type CtMap interface {
	Open() error
	Close() error
	Path() (string, error)
	DumpEntriesWithTimeDiff(clockSource *models.ClockSource) (string, error)
	DumpWithCallback(bpf.DumpCallback) error
	Count(context.Context) (int, error)
	Update(key bpf.MapKey, value bpf.MapValue) error
}

CtMap interface represents a CT map, and can be reused to implement mock maps for unit tests.

type CtMapRecord added in v0.15.7 

type CtMapRecord struct {
	Key   CtKey
	Value CtEntry
}

A "Record" designates a map entry (key + value), but avoid "entry" because of possible confusion with "CtEntry" (actually the value part). This type is used for JSON dump and mock maps.

type EmitCTEntryCBFunc added in v0.15.7 

type EmitCTEntryCBFunc func(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, nextHdr, flags uint8, entry *CtEntry)

EmitCTEntryCBFunc is the type used for the EmitCTEntryCB callback in GCFilter

type GCEvent added in v1.17.0 

type GCEvent struct {
	Key    CtKey
	Entry  *CtEntry
	NatMap *nat.Map
}

type GCFilter added in v0.10.0 

type GCFilter struct {
	// RemoveExpired enables removal of all entries that have expired
	RemoveExpired bool

	// Time is the reference timestamp to remove expired entries. If
	// RemoveExpired is true and lifetime is lesser than Time, the entry is
	// removed
	Time uint32

	// MatchIPs is the list of IPs to remove from the conntrack table
	MatchIPs map[netip.Addr]struct{}

	// EmitCTEntry is called, when non-nil, if filtering by ValidIPs and MatchIPs
	// passes. It has no impact on CT GC, but can be used to iterate over valid
	// CT entries.
	EmitCTEntryCB EmitCTEntryCBFunc
}

GCFilter contains the necessary fields to filter the CT maps.

type GCRunner added in v1.17.0 

type GCRunner interface {
	// Run runs the oneshot connection tracking garbage collection.
	Run(filter GCFilter) (int, error)

	// Observe4 allows external consumers to observe ongoing GC iterations over CT maps for IPv4 entries.
	Observe4() stream.Observable[GCEvent]

	// Observe6 allows external consumers to observe ongoing GC iterations over CT maps for IPv6 entries.
	Observe6() stream.Observable[GCEvent]
}

func NewFakeGCRunner added in v1.17.0 

func NewFakeGCRunner() GCRunner

type Map added in v0.15.7 

type Map struct {
	bpf.Map
	// contains filtered or unexported fields
}

Map represents an instance of a BPF connection tracking map. It also implements the CtMap interface.

func GetClusterCTMaps added in v0.15.7 

func GetClusterCTMaps(clusterID uint32, ipv4, ipv6 bool) ([]*Map, error)

GetClusterCTMaps returns the per-cluster maps for the given cluster ID. The returned maps need to be opened by the caller, and are not guaranteed to exist.

func Maps added in v1.19.0 

func Maps(ipv4, ipv6 bool) []*Map

Maps returns a slice of all CT maps that are used. If ipv4 or ipv6 are false, the maps for that protocol will not be returned.

The returned maps are not yet opened.

This should only be used from components which aren't capable of using hive - mainly the Cilium CLI.

func (*Map) Count added in v1.16.0 

func (m *Map) Count(ctx context.Context) (count int, err error)

Count batch dumps the Map m and returns the count of the entries.

func (*Map) DumpEntriesWithTimeDiff added in v1.19.0 

func (m *Map) DumpEntriesWithTimeDiff(clockSource *models.ClockSource) (string, error)

DumpEntriesWithTimeDiff iterates through Map m and writes the values of the ct entries in m to a string.

func (*Map) Flush added in v0.15.7 

func (m *Map) Flush(next4, next6 func(GCEvent)) int

Flush runs garbage collection for map m with the name mapType, deleting all entries. The specified map must be already opened using bpf.OpenMap().

func (*Map) GC added in v1.19.0 

func (m *Map) GC(filter GCFilter, next4, next6 func(GCEvent)) (int, error)

GC runs garbage collection for map m with name mapType with the given filter. It returns how many items were deleted from m.

type NatGCStats added in v0.15.7 

type NatGCStats struct {
	*bpf.DumpStats

	// family is the address family
	Family    gcFamily
	ClusterID uint32

	IngressAlive   uint32
	IngressDeleted uint32
	EgressDeleted  uint32
	EgressAlive    uint32
}

func PurgeOrphanNATEntries added in v0.15.7 

func PurgeOrphanNATEntries(ctMapTCP, ctMapAny *Map) *NatGCStats

PurgeOrphanNATEntries removes orphan SNAT entries. We call an SNAT entry orphan if it does not have a corresponding CT entry.

Typically NAT entries should get removed along with their owning CT entry, as part of purgeCtEntry(). But stale NAT entries can get left behind if the CT entry disappears for other reasons - for instance by LRU eviction, or when the datapath re-purposes the CT entry.

PurgeOrphanNATEntries() is triggered by the datapath via the GC signaling mechanism. When the datapath SNAT fails to find free mapping after SNAT_SIGNAL_THRES attempts, it sends the signal via the perf ring buffer. The consumer of the buffer invokes the function.

The SNAT is being used for the following cases:

  1. By NodePort BPF on an intermediate node before fwd'ing request from outside to a destination node.
  2. A packet from local endpoint sent to outside (BPF-masq).
  3. A packet from a host local application (i.e. running in the host netns) This is needed to prevent SNAT from hijacking such connections.
  4. By DSR on a backend node to SNAT responses with service IP+port before sending to a client.

In all 4 cases we create a CT_EGRESS CT entry. This allows the CT GC to remove corresponding SNAT entries. See the unit test TestPrivilegedOrphanNatGC for more examples.

type PerClusterCTMap added in v0.15.7 

type PerClusterCTMap struct {
	*bpf.Map
	// contains filtered or unexported fields
}

PerClusterCTMap is a special conntrack map created when we enable cluster-aware addressing. As the name says, it is per-cluster and tracks the connection from/to specific remote clusters. It is implemented as an array-of-maps which its index is a ClusterID.

Why can't we use global CT maps? That's because we currently don't have a good way of extending CT map's key without breaking user's connection. Thus, instead of extending existing CT map key with ClusterID, we chose to create CT map per-cluster. When we have a good way of extending global CT maps in the future, we should retire this entire file.

type PerClusterCTMapKey added in v0.15.7 

type PerClusterCTMapKey struct {
	ClusterID uint32
}

func (*PerClusterCTMapKey) New added in v0.15.7 

func (k *PerClusterCTMapKey) New() bpf.MapKey

func (*PerClusterCTMapKey) String added in v0.15.7 

func (k *PerClusterCTMapKey) String() string

type PerClusterCTMapVal added in v0.15.7 

type PerClusterCTMapVal struct {
	Fd uint32
}

func (*PerClusterCTMapVal) New added in v0.15.7 

func (v *PerClusterCTMapVal) New() bpf.MapValue

func (*PerClusterCTMapVal) String added in v0.15.7 

func (v *PerClusterCTMapVal) String() string

type PerClusterCTMapper added in v0.15.7 

type PerClusterCTMapper interface {
	// Create enforces the presence of the outer per-cluster CT maps.
	OpenOrCreate() error
	// Close closes the outer per-cluster CT maps handlers.
	Close() error

	// CreateClusterNATMaps enforces the presence of the inner maps for
	// the given cluster ID. It must be called after that OpenOrCreate()
	// has returned successfully.
	CreateClusterCTMaps(clusterID uint32) error
	// DeleteClusterNATMaps deletes the inner maps for the given cluster ID.
	// It must be called after that OpenOrCreate() has returned successfully.
	DeleteClusterCTMaps(clusterID uint32) error

	// GetClusterCTMaps returns the per-cluster maps for each known cluster ID.
	// The returned maps need to be opened by the caller.
	GetAllClusterCTMaps() []*Map
}

An interface to manage the per-cluster CT maps.

type PurgeHook added in v1.17.0 

type PurgeHook interface {
	CountFailed4(uint16, uint32)
	CountFailed6(uint16, uint32)
}

TODO: GH-33557: Remove this hack once ctmap is migrated to a cell. 

var ACT PurgeHook

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.