ipsec

package
v1.20.0-pre.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 1, 2026 License: Apache-2.0 Imports: 40 Imported by: 10

Documentation

Overview

Package ipsec provides the Linux datapath specific abstraction and useful helpers to manage IPSec via Linux xfrm. +groupName=maps

Index

Constants

View Source 
const (
	IPSecDirIn types.Direction = 1 << iota
	IPSecDirOut
	IPSecDirFwd

	// The request ID which signifies all Cilium managed policies and states.
	AllReqID = 0

	// DefaultReqID is the default reqid used for all IPSec rules.
	DefaultReqID = ipsec.DefaultReqID
)

Variables

View Source 
var Cell = cell.Module(
	"ipsec-agent",
	"Handles initial key setup and knows the key size",

	cell.Config(defaultUserConfig),
	cell.Provide(newIPsecAgent, newIPsecConfig),
	cell.ProvidePrivate(buildConfigFrom),
)

The IPsec agent handles key-related initialisation tasks for the ipsec subsystem.

View Source 
var OperatorCell = cell.Config(defaultEnableConfig)

Functions

func IPsecDefaultDropPolicy 

func IPsecDefaultDropPolicy(ipv6 bool) error

Installs a catch-all policy for outgoing traffic that has the encryption bit. The goal here is to catch any traffic that may passthrough our encryption while we are replacing XFRM policies & states. Those operations cannot always be performed atomically so we may have brief moments where there is no XFRM policy to encrypt a subset of traffic. This policy ensures we drop such traffic and don't let it flow in plain text.

We do need to match on the mark because there is also traffic flowing through XFRM that we don't want to encrypt (e.g., hostns traffic).

func NewTestIPsecAgent added in v1.19.0 

func NewTestIPsecAgent(tb testing.TB, keys io.Reader) (*agent, error)

NewTestIPsecAgent creates a new IPsec agent for testing purposes. A non-nil keys parameter can be used to load IPsec keys into the agent when using the test agent in tests that require IPsec keys to be loaded and testing from a different package.

func NewXFRMCollector 

func NewXFRMCollector(log *slog.Logger) prometheus.Collector

func NewXfrmStateListCache added in v1.13.17 

func NewXfrmStateListCache(ttl time.Duration, enableCaching bool) *xfrmStateListCache

func ProbeXfrmStateOutputMask 

func ProbeXfrmStateOutputMask() (e error)

ProbeXfrmStateOutputMask probes the kernel to determine if it supports setting the xfrm state output mask (Linux 4.19+). It returns an error if the output mask is not supported or if an error occurred, nil otherwise.

Types

type EnableConfig 

type EnableConfig struct {
	EnableIPsec bool
}

func (EnableConfig) Enabled 

func (c EnableConfig) Enabled() bool

func (EnableConfig) Flags 

func (def EnableConfig) Flags(flags *pflag.FlagSet)

type UserConfig added in v1.19.0 

type UserConfig struct {
	EnableConfig                             `mapstructure:",squash"`
	EnableIPsecKeyWatcher                    bool
	EnableIPsecXfrmStateCaching              bool
	UseCiliumInternalIPForIPsec              bool
	DNSProxyInsecureSkipTransparentModeCheck bool
	IPsecKeyFile                             string
	IPsecKeyRotationDuration                 time.Duration
}

func (UserConfig) Flags added in v1.19.0 

func (def UserConfig) Flags(flags *pflag.FlagSet)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.