policymap

Overview

+groupName=maps


Constants

// PolicyMapMaxName and PolicyStatsMapMaxName name the settings that bound the
// size of the policy map and the policy stats map. Their hyphenated form
// suggests they are the flag names registered by PolicyConfig.Flags for the
// BpfPolicyMapMax and BpfPolicyStatsMapMax fields — confirm against that method.
const (
	PolicyMapMaxName      = "bpf-policy-map-max"
	PolicyStatsMapMaxName = "bpf-policy-stats-map-max"
)
// Names and limits shared between the agent and the BPF policy datapath.
const (
	// PolicyCallMapName is the name of the map to do tail calls into policy
	// enforcement programs.
	PolicyCallMapName = "cilium_call_policy"

	// PolicyEgressCallMapName is the name of the map to do tail calls into egress policy
	// enforcement programs.
	PolicyEgressCallMapName = "cilium_egresscall_policy"

	// MapName is the prefix for endpoint-specific policy maps which map
	// identity+ports+direction to whether the policy allows communication
	// with that identity on that port for that direction. The per-endpoint
	// map name is presumably this prefix followed by the endpoint ID (tools
	// parse an endpoint ID out of the name; see the StatsMapName note).
	MapName = "cilium_policy_v2_"

	// PolicyCallMaxEntries is the upper limit of entries in the program
	// array for the tail calls to jump into the endpoint specific policy
	// programs. This number *MUST* be identical to the maximum endpoint ID,
	// because the array is indexed by endpoint ID (see CallKey). The value is
	// ^uint16(0), i.e. 65535.
	PolicyCallMaxEntries = ^uint16(0)

	// AllPorts is used to ignore the L4 ports in PolicyMap lookups; all ports
	// are allowed. In the datapath, this is represented with the value 0 in the
	// port field of map elements.
	AllPorts = uint16(0)

	// SinglePortPrefixLen represents the mask argument required to lookup or
	// insert a single port key into the bpf map: all 16 port bits take part
	// in the match (compare DestPortBits).
	SinglePortPrefixLen = uint8(16)
)
// Bit widths used to compose the LPM prefix length stored in
// PolicyKey.Prefixlen (the field tagged align:"lpm_key").
const (
	// NexthdrBits is the number of prefix bits covering the protocol field;
	// assuming sizeofNexthdr is the size of PolicyKey.Nexthdr (a uint8), 8.
	NexthdrBits    = uint8(sizeofNexthdr) * 8
	// DestPortBits is the number of prefix bits covering the destination
	// port field; assuming sizeofDestPort is the size of
	// PolicyKey.DestPortNetwork (a uint16), 16.
	DestPortBits   = uint8(sizeofDestPort) * 8
	// FullPrefixBits is the longest prefix over protocol and port, i.e. a
	// fully specified protocol and a single port.
	FullPrefixBits = NexthdrBits + DestPortBits

	// StaticPrefixBits is the number of key bits that always take part in the
	// LPM match: everything after the prefix length field except the
	// protocol and port bits. Assuming sizeofPolicyKey and sizeofPrefixlen
	// are the sizes of PolicyKey and of its Prefixlen field, with the
	// PolicyKey layout on this page that is the Identity and
	// TrafficDirection fields (40 bits) — confirm where those sizes are defined.
	StaticPrefixBits = uint32(sizeofPolicyKey-sizeofPrefixlen)*8 - uint32(FullPrefixBits)
)
const (
	// StatsMapName is the canonical name for the policy stats map on the filesystem.
	// Note: There is no underscore between 'policy' and 'stats' as that would confuse tools
	// trying to parse an endpoint ID from 'stats'.
	StatsMapName = "cilium_policystats"

	// StatNotAvailable is the counter value (math.MaxUint64) that marks a
	// statistic as not available; presumably what StatsMap.GetStat reports
	// when no entry exists for the key — confirm against that method.
	StatNotAvailable = uint64(math.MaxUint64)
)

Variables

// Cell is the cell.Module for this package. It registers PolicyConfig with
// DefaultPolicyConfig as its defaults and provides createFactory, which
// presumably constructs the Factory used to open per-endpoint policy maps.
var Cell = cell.Module(
	"policymap",
	"Policymap provides access to the datapath policy maps",
	cell.Config(DefaultPolicyConfig),
	cell.Provide(createFactory),
)
// DefaultPolicyConfig holds the defaults passed to cell.Config in Cell:
// 16384 entries per endpoint policy map and 65536 (1 << 16) entries for the
// policy stats map.
var DefaultPolicyConfig = PolicyConfig{
	BpfPolicyMapMax:      16384,
	BpfPolicyStatsMapMax: 1 << 16,
}

Functions

func RemoveGlobalMapping added in v0.15.7

func RemoveGlobalMapping(logger *slog.Logger, id uint32) error

RemoveGlobalMapping removes the mapping from the specified endpoint ID to the BPF policy program for that endpoint.

Types

type CallKey added in v0.15.7

// CallKey is the index into the prog array map (the tail-call maps named
// PolicyCallMapName and PolicyEgressCallMapName).
type CallKey struct {
	// Index is the array slot; presumably the endpoint ID, since
	// RemoveGlobalMapping takes a uint32 endpoint id and PolicyCallMaxEntries
	// is tied to the maximum endpoint ID — confirm.
	Index uint32
}

CallKey is the index into the prog array map.

func (*CallKey) New added in v0.15.7

func (k *CallKey) New() bpf.MapKey

func (*CallKey) String added in v0.15.7

func (k *CallKey) String() string

String converts the key into a human readable string format.

type CallValue added in v0.15.7

// CallValue is the program ID in the prog array map, i.e. the value stored
// under a CallKey.
type CallValue struct {
	// ProgID is the ID of the BPF policy program to tail call into.
	ProgID uint32
}

CallValue is the program ID in the prog array map.

func (*CallValue) New added in v0.15.7

func (v *CallValue) New() bpf.MapValue

func (*CallValue) String added in v0.15.7

func (v *CallValue) String() string

String converts the value into a human readable string format.

type Factory added in v1.18.0

// Factory opens and removes per-endpoint policy maps and reports the
// configured size limits. The module's implementation is provided by Cell.
type Factory interface {
	// OpenEndpoint returns the PolicyMap of endpoint id.
	OpenEndpoint(id uint16) (*PolicyMap, error)
	// RemoveEndpoint removes the policy map of endpoint id.
	RemoveEndpoint(id uint16) error

	// PolicyMaxEntries reports the per-endpoint policy map size limit;
	// presumably PolicyConfig.BpfPolicyMapMax — confirm.
	PolicyMaxEntries() int
	// StatsMaxEntries reports the policy stats map size limit; presumably
	// PolicyConfig.BpfPolicyStatsMapMax — confirm.
	StatsMaxEntries() int
}

type PlumbingKey added in v0.15.7

// PlumbingKey is the key of PolicyPlumbingMap, which maps endpoint IDs to
// the fd of the program implementing the endpoint's policy.
type PlumbingKey struct {
	// Key is the endpoint ID.
	Key uint32
}

func (*PlumbingKey) New added in v0.15.7

func (k *PlumbingKey) New() bpf.MapKey

func (*PlumbingKey) String added in v0.15.7

func (k *PlumbingKey) String() string

type PlumbingValue added in v0.15.7

// PlumbingValue is the value of PolicyPlumbingMap.
type PlumbingValue struct {
	// Fd is the file descriptor of the program implementing the endpoint's
	// policy (see PolicyPlumbingMap).
	Fd uint32
}

func (*PlumbingValue) New added in v0.15.7

func (k *PlumbingValue) New() bpf.MapValue

func (*PlumbingValue) String added in v0.15.7

func (v *PlumbingValue) String() string

type PolicyConfig added in v1.18.0

// PolicyConfig holds the configurable size limits of the BPF policy maps.
// Flags registers them on a pflag.FlagSet; DefaultPolicyConfig supplies the
// defaults used by Cell.
type PolicyConfig struct {
	// BpfPolicyMapMax is the maximum number of peer identities that an
	// endpoint may be allowed to exchange traffic with, i.e. the size limit
	// of an endpoint's policy map.
	BpfPolicyMapMax int

	// BpfPolicyStatsMapMax is the maximum number of entries allowed in the
	// BPF policy stats map (StatsMapName).
	BpfPolicyStatsMapMax int
}

func (PolicyConfig) Flags added in v1.18.0

func (def PolicyConfig) Flags(flags *pflag.FlagSet)

type PolicyEntriesDump added in v0.15.7

// PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump. It is what
// PolicyMap.DumpToSlice returns; Less sorts it by policy type, traffic
// direction and identity, and String renders it for humans.
type PolicyEntriesDump []PolicyEntryDump

PolicyEntriesDump is a wrapper for a slice of PolicyEntryDump

func (PolicyEntriesDump) Less added in v0.15.7

func (p PolicyEntriesDump) Less(i, j int) bool

Less is a function used to sort PolicyEntriesDump by Policy Type (Deny / Allow), TrafficDirection (Ingress / Egress) and Identity (ascending order).

func (PolicyEntriesDump) String added in v0.15.7

func (p PolicyEntriesDump) String() string

String returns a string representation of PolicyEntriesDump

type PolicyEntry

// PolicyEntry represents an entry in the BPF policy map for an endpoint.
//
// Must be in sync with struct policy_entry in <bpf/lib/policy.h>: field
// order, sizes and the align tags are the ABI shared with the datapath, so
// any change here has to be mirrored there or the two sides disagree on
// the layout.
type PolicyEntry struct {
	// ProxyPortNetwork is the proxy port in network byte order;
	// GetProxyPort returns it in host byte order.
	ProxyPortNetwork uint16                      `align:"proxy_port"` // In network byte-order
	// Flags holds the entry flags; the align tag shows the deny bit lives
	// here (see IsDeny).
	Flags            policyEntryFlags            `align:"deny"`
	// AuthRequirement is the policyTypes authentication requirement
	// (align "auth_type").
	AuthRequirement  policyTypes.AuthRequirement `align:"auth_type"`
	// Precedence is the policyTypes precedence of this entry; presumably
	// used to rank overlapping matches — confirm in policyTypes.
	Precedence       policyTypes.Precedence      `align:"precedence"`
	// Cookie is an opaque uint32 carried in the entry; its meaning is not
	// visible here — see policy.h.
	Cookie           uint32                      `align:"cookie"`
}

PolicyEntry represents an entry in the BPF policy map for an endpoint.

Must be in sync with struct policy_entry in <bpf/lib/policy.h>

func NewEntryFromPolicyEntry added in v1.18.0

func NewEntryFromPolicyEntry(key PolicyKey, pe policyTypes.MapStateEntry) PolicyEntry

NewEntryFromPolicyEntry converts a policy MapState entry to a PolicyMap entry.

func (*PolicyEntry) GetPrefixLen added in v1.16.4

func (pe *PolicyEntry) GetPrefixLen() uint8

GetPrefixLen returns the prefix length for the protocol / destination port (0 to 24 bits: 8 bits for an unwildcarded protocol plus 0 to 16 bits for the port).

func (*PolicyEntry) GetProxyPort added in v0.15.7

func (pe *PolicyEntry) GetProxyPort() uint16

GetProxyPort returns the ProxyPortNetwork in host byte order

func (PolicyEntry) IsDeny added in v0.15.7

func (pe PolicyEntry) IsDeny() bool

func (*PolicyEntry) IsValid added in v1.17.0

func (v *PolicyEntry) IsValid(k *PolicyKey) bool

func (*PolicyEntry) New added in v0.15.7

func (pe *PolicyEntry) New() bpf.MapValue

func (*PolicyEntry) String

func (pe *PolicyEntry) String() string

type PolicyEntryDump

// PolicyEntryDump is one dumped policy map entry: the PolicyEntry, its
// StatsValue counters and the PolicyKey it was stored under. It is the
// element type of PolicyEntriesDump and what PolicyMap.DeleteEntry accepts.
type PolicyEntryDump struct {
	PolicyEntry
	StatsValue
	Key PolicyKey
}

type PolicyKey added in v0.15.7

// PolicyKey represents a key in the BPF policy map for an endpoint.
//
// Must be in sync with struct policy_key in <bpf/lib/policy.h>: field
// order, sizes and the align tags are the ABI shared with the datapath and
// must not be reordered.
type PolicyKey struct {
	// Prefixlen is the LPM prefix length (align "lpm_key"); see
	// GetPrefixLen, GetPortPrefixLen and the *PrefixBits constants.
	Prefixlen        uint32 `align:"lpm_key"`
	// Identity is the peer security identity (align "sec_label").
	Identity         uint32 `align:"sec_label"`
	// TrafficDirection selects ingress or egress (align "egress").
	TrafficDirection uint8  `align:"egress"`
	// Nexthdr is the L4 protocol (align "protocol"); NexthdrBits of the
	// prefix cover it.
	Nexthdr          uint8  `align:"protocol"`
	// DestPortNetwork is the destination port in network byte order;
	// GetDestPort returns it in host order and AllPorts (0) wildcards it.
	DestPortNetwork  uint16 `align:"dport"` // In network byte-order
}

PolicyKey represents a key in the BPF policy map for an endpoint.

Must be in sync with struct policy_key in <bpf/lib/policy.h>

func NewKeyFromPolicyKey added in v1.18.0

func NewKeyFromPolicyKey(pk policyTypes.Key) PolicyKey

NewKeyFromPolicyKey converts a policy MapState key to a bpf PolicyMap key.

func (*PolicyKey) GetDestPort added in v0.15.7

func (k *PolicyKey) GetDestPort() uint16

GetDestPort returns the DestPortNetwork in host byte order

func (*PolicyKey) GetPortMask added in v1.16.0

func (k *PolicyKey) GetPortMask() uint16

GetPortMask returns the port mask of the key

func (*PolicyKey) GetPortPrefixLen added in v1.17.0

func (k *PolicyKey) GetPortPrefixLen() uint8

GetPortPrefixLen returns the prefix length applicable to the port in the key

func (*PolicyKey) GetPrefixLen added in v1.18.0

func (k *PolicyKey) GetPrefixLen() uint8

GetPrefixLen returns the prefix length applicable to the protocol and port in the key

func (*PolicyKey) New added in v0.15.7

func (key *PolicyKey) New() bpf.MapKey

func (*PolicyKey) PortProtoString added in v0.15.7

func (key *PolicyKey) PortProtoString() string

func (*PolicyKey) String added in v0.15.7

func (key *PolicyKey) String() string

type PolicyMap

// PolicyMap is an endpoint's BPF policy map, wrapping a *bpf.Map. It is
// obtained from Factory.OpenEndpoint or, for cilium-dbg, from OpenPolicyMap;
// its name presumably starts with MapName followed by the endpoint ID.
type PolicyMap struct {
	*bpf.Map
	// contains filtered or unexported fields
}

func OpenPolicyMap added in v1.18.0

func OpenPolicyMap(logger *slog.Logger, path string) (*PolicyMap, error)

OpenPolicyMap opens the policymap at the specified path. This is only used from the 'cilium-dbg bpf policy' tool.

func (*PolicyMap) DeleteEntry added in v0.15.7

func (pm *PolicyMap) DeleteEntry(entry *PolicyEntryDump) error

DeleteEntry removes an entry from the PolicyMap. It can be used in conjunction with DumpToSlice() to inspect and delete map entries.

func (*PolicyMap) DeleteKey added in v0.15.7

func (pm *PolicyMap) DeleteKey(key PolicyKey) error

DeleteKey deletes the key-value pair for the given PolicyKey from the PolicyMap. Returns an error if deletion from the PolicyMap fails.

func (*PolicyMap) Dump

func (pm *PolicyMap) Dump() (string, error)

func (*PolicyMap) DumpToMapStateMap added in v1.18.0

func (pm *PolicyMap) DumpToMapStateMap() (policyTypes.MapStateMap, error)

func (*PolicyMap) DumpToSlice

func (pm *PolicyMap) DumpToSlice() (PolicyEntriesDump, error)

func (*PolicyMap) String

func (pm *PolicyMap) String() string

String returns a human-readable string representing the policy map.

func (*PolicyMap) Update added in v1.18.0

func (pm *PolicyMap) Update(key *PolicyKey, entry *PolicyEntry) error

Update pushes an 'entry' into the PolicyMap for the given PolicyKey 'key'. Clears the associated policy stat entry, if in debug mode. Returns an error if the update of the PolicyMap fails.

type PolicyPlumbingMap added in v0.15.7

// PolicyPlumbingMap maps endpoint IDs (PlumbingKey) to the fd
// (PlumbingValue) for the program which implements the endpoint's policy.
// It is opened with OpenCallMap.
type PolicyPlumbingMap struct {
	*bpf.Map
}

PolicyPlumbingMap maps endpoint IDs to the fd for the program which implements its policy.

func OpenCallMap added in v0.15.7

func OpenCallMap(logger *slog.Logger, name string) (*PolicyPlumbingMap, error)

OpenCallMap opens the map that maps endpoint IDs to program file descriptors, which allows tail calling into the policy datapath code from other BPF programs.

type StatsKey added in v1.18.0

// StatsKey is the key of StatsMap: an endpoint ID plus the PolicyKey fields
// (prefix length, identity, direction, protocol, port), so counters are kept
// per endpoint and per policy map entry. The align tags suggest the layout
// is shared with the BPF side like PolicyKey — confirm in policy.h.
type StatsKey struct {
	// EpID is the endpoint the policy entry belongs to.
	EpID             uint16 `align:"endpoint_id"`
	// Pad1 is explicit padding (align "pad1").
	Pad1             uint8  `align:"pad1"`
	// PrefixLen is the policy key's LPM prefix length (see
	// PolicyKey.GetPrefixLen).
	PrefixLen        uint8  `align:"prefix_len"`
	// Identity is the peer security identity (align "sec_label").
	Identity         uint32 `align:"sec_label"`
	// TrafficDirection selects ingress or egress (align "egress").
	TrafficDirection uint8  `align:"egress"`
	// Nexthdr is the L4 protocol (align "protocol").
	Nexthdr          uint8  `align:"protocol"`
	// DestPortNetwork is the destination port in network byte order.
	DestPortNetwork  uint16 `align:"dport"` // In network byte-order
}

type StatsMap added in v1.18.0

// StatsMap is the global policy stats map (StatsMapName), a per-CPU map
// keyed by StatsKey (endpoint ID plus policy key) with StatsValue packet and
// byte counters; StatsValues is the per-CPU value slice. OpenStatsMap opens
// it for cilium-dbg; GetStat, ClearStat and ZeroStat read and reset entries.
type StatsMap struct {
	*ebpf.Map
	// contains filtered or unexported fields
}

StatsMap is the global policy stats map; its keys (StatsKey) combine an endpoint ID with the policy key fields and its values (StatsValue) hold packet and byte counters.

func OpenStatsMap added in v1.18.0

func OpenStatsMap(logger *slog.Logger) (*StatsMap, error)

OpenStatsMap opens the existing global policy stats map. Should only be called from cilium-dbg

func (*StatsMap) ClearStat added in v1.18.0

func (m *StatsMap) ClearStat(epID uint16, k PolicyKey) error

ClearStat removes stats for the given endpoint and policy key

func (*StatsMap) GetStat added in v1.18.0

func (m *StatsMap) GetStat(epID uint16, k PolicyKey) (packets, bytes uint64)

GetStat looks up stats for the given endpoint and policy key

func (*StatsMap) ZeroStat added in v1.18.0

func (m *StatsMap) ZeroStat(epID uint16, k PolicyKey) error

ZeroStat updates stats to "0,0" for the given endpoint and policy key

type StatsValue added in v1.18.0

// StatsValue holds the counters of one StatsMap entry on one CPU (StatsMap
// is a per-CPU map; see StatsValues). It is also embedded in
// PolicyEntryDump.
type StatsValue struct {
	// Packets is the packet count (align "packets").
	Packets uint64 `align:"packets"`
	// Bytes is the byte count (align "bytes").
	Bytes   uint64 `align:"bytes"`
}

func (*StatsValue) String added in v1.18.0

func (v *StatsValue) String() string

type StatsValues added in v1.18.0

// StatsValues is the value read from StatsMap: StatsMap is a per-CPU map, so
// the value is a slice of StatsValue rather than a single one.
type StatsValues []StatsValue

StatsValues is the value type of StatsMap; StatsMap is a per-CPU map, so the value is a slice of StatsValue.
