// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Hubble

syntax = "proto3";

import "google/protobuf/any.proto";
import "google/protobuf/wrappers.proto";
import "google/protobuf/timestamp.proto";

package flow;

option go_package = "github.com/cilium/cilium/api/v1/flow";

// Flow is a single network event observed by Hubble (an L3/L4 packet, an L7
// proxy message or a socket event; see FlowType).
// Field numbers are the wire contract. Several field and enum value names in
// this file do not follow lower_snake_case / type-prefixed conventions; they
// are kept as published because renaming them changes generated code and
// JSON keys.
message Flow {
  // time is the timestamp of the flow event.
  google.protobuf.Timestamp time = 1;

  // uuid is a universally unique identifier for this flow.
  string uuid = 34;

  // verdict is the outcome the datapath reached for this flow (forwarded,
  // dropped, ...); see the Verdict enum.
  Verdict verdict = 2;
  // only applicable to Verdict = DROPPED.
  // deprecated in favor of drop_reason_desc.
  uint32 drop_reason = 3 [deprecated=true];

  // auth_type is the authentication type specified for the flow in Cilium Network Policy.
  // Only set on policy verdict events.
  AuthType auth_type = 35;

  // l2
  Ethernet ethernet = 4;
  // l3
  IP IP = 5;
  // l4
  Layer4 l4 = 6;

  reserved 7; // removed, do not use

  // source is the endpoint the flow originates from.
  Endpoint source = 8;
  // destination is the endpoint the flow is addressed to.
  Endpoint destination = 9;

  // Type is the primary classification of this flow; see FlowType.
  FlowType Type = 10;

  // NodeName is the name of the node from which this Flow was captured.
  string node_name = 11;
  // node labels in `foo=bar` format.
  repeated string node_labels = 37;

  reserved 12; // removed, do not use

  // all names the source IP can have.
  repeated string source_names = 13;
  // all names the destination IP can have.
  repeated string destination_names = 14;

  // L7 information. This field is set if and only if FlowType is L7.
  Layer7 l7 = 15;

  // Deprecated. This suffers from false negatives due to protobuf not being
  // able to distinguish between the value being false or it being absent.
  // Please use is_reply instead.
  bool reply = 16 [deprecated=true];

  reserved 17, 18; // removed, do not use

  // EventType of the originating Cilium event
  CiliumEventType event_type = 19;

  // source_service contains the service name of the source
  Service source_service = 20;
  // destination_service contains the service name of the destination
  Service destination_service = 21;

  // traffic_direction of the connection, e.g. ingress or egress
  TrafficDirection traffic_direction = 22;

  // policy_match_type is only applicable to the cilium event type PolicyVerdict
  // https://github.com/cilium/cilium/blob/e831859b5cc336c6d964a6d35bbd34d1840e21b9/pkg/monitor/datapath_policy.go#L50
  uint32 policy_match_type = 23;

  // Only applicable to cilium trace notifications, blank for other types.
  TraceObservationPoint trace_observation_point = 24;
  // Cilium datapath trace reason info.
  TraceReason trace_reason = 36;

  // only applicable to Verdict = DROPPED.
  DropReason drop_reason_desc = 25;

  // is_reply indicates that this was a packet (L4) or message (L7) in the
  // reply direction. May be absent (in which case it is unknown whether it
  // is a reply or not).
  google.protobuf.BoolValue is_reply = 26;

  // Only applicable to cilium debug capture events, blank for other types
  DebugCapturePoint debug_capture_point = 27;

  // interface is the network interface on which this flow was observed
  NetworkInterface interface = 28;

  // proxy_port indicates the port of the proxy to which the flow was forwarded
  uint32 proxy_port = 29;

  // trace_context contains information about a trace related to the flow, if
  // any.
  TraceContext trace_context = 30;

  // sock_xlate_point is the socket translation point.
  // Only applicable to TraceSock notifications, blank for other types
  SocketTranslationPoint sock_xlate_point = 31;

  // socket_cookie is the Linux kernel socket cookie for this flow.
  // Only applicable to TraceSock notifications, zero for other types
  uint64 socket_cookie = 32;

  // cgroup_id of the process which emitted this event.
  // Only applicable to TraceSock notifications, zero for other types
  uint64 cgroup_id = 33;

  // This is a temporary workaround to support summary field for pb.Flow without
  // duplicating logic from the old parser. This field will be removed once we
  // fully migrate to the new parser.
  string Summary = 100000 [deprecated=true];

  // extensions can be used to add arbitrary additional metadata to flows.
  // This can be used to extend functionality for other Hubble compatible
  // APIs, or experiment with new functionality without needing to change the public API.
  // NOTE(review): the payload is opaque to this schema. A consumer that
  // receives flows from a source it does not fully trust should check
  // extensions.type_url against the message types it expects before
  // unpacking it.
  google.protobuf.Any extensions = 150000;

  // The CiliumNetworkPolicies allowing the egress of the flow.
  repeated Policy egress_allowed_by = 21001;
  // The CiliumNetworkPolicies allowing the ingress of the flow.
  repeated Policy ingress_allowed_by = 21002;

  // The CiliumNetworkPolicies denying the egress of the flow.
  repeated Policy egress_denied_by = 21004;
  // The CiliumNetworkPolicies denying the ingress of the flow.
  repeated Policy ingress_denied_by = 21005;
}

// FlowType is the primary classification of a Flow (see Flow.Type).
enum FlowType {
  // UNKNOWN_TYPE is the default value when the type was not set.
  UNKNOWN_TYPE = 0;
  L3_L4 = 1; // not sure about the underscore here, but `L34` also reads strange
  // L7 is a layer 7 (proxy) flow; Flow.l7 is set for these flows.
  L7 = 2;
  // SOCK is a socket-level event; presumably the TraceSock notifications
  // that populate Flow.sock_xlate_point — confirm.
  SOCK = 3;
}

// These types correspond to definitions in pkg/policy/l4.go.
// AuthType is the authentication mode requested by policy for a flow
// (see Flow.auth_type).
enum AuthType {
  // DISABLED is the default: no authentication is configured.
  DISABLED = 0;
  // SPIRE selects SPIRE-backed authentication.
  SPIRE = 1;
  // TEST_ALWAYS_FAIL is a testing mode; per its name the authentication
  // always fails — confirm against pkg/policy/l4.go.
  TEST_ALWAYS_FAIL = 2;
}

// TraceObservationPoint identifies where in the datapath a trace event was
// emitted (see Flow.trace_observation_point).
enum TraceObservationPoint {
  // Cilium treats 0 as TO_LXC, but it's something we should work to remove.
  // This is intentionally set as unknown, so proto API can guarantee the
  // observation point is always going to be present on trace events.
  UNKNOWN_POINT = 0;

  // TO_PROXY indicates network packets are transmitted towards the l7 proxy.
  TO_PROXY = 1;
  // TO_HOST indicates network packets are transmitted towards the host
  // namespace.
  TO_HOST = 2;
  // TO_STACK indicates network packets are transmitted towards the Linux
  // kernel network stack on host machine.
  TO_STACK = 3;
  // TO_OVERLAY indicates network packets are transmitted towards the tunnel
  // device.
  TO_OVERLAY = 4;
  // TO_ENDPOINT indicates network packets are transmitted towards endpoints
  // (containers).
  // Note: the value 101 is intentionally not contiguous with the others.
  TO_ENDPOINT = 101;
  // FROM_ENDPOINT indicates network packets were received from endpoints
  // (containers).
  FROM_ENDPOINT = 5;
  // FROM_PROXY indicates network packets were received from the l7 proxy.
  FROM_PROXY = 6;
  // FROM_HOST indicates network packets were received from the host
  // namespace.
  FROM_HOST = 7;
  // FROM_STACK indicates network packets were received from the Linux kernel
  // network stack on host machine.
  FROM_STACK = 8;
  // FROM_OVERLAY indicates network packets were received from the tunnel
  // device.
  FROM_OVERLAY = 9;
  // FROM_NETWORK indicates network packets were received from native
  // devices.
  FROM_NETWORK = 10;
  // TO_NETWORK indicates network packets are transmitted towards native
  // devices.
  TO_NETWORK = 11;
}

// TraceReason carries the datapath's reason for emitting a trace event
// (see Flow.trace_reason).
enum TraceReason {
  // TRACE_REASON_UNKNOWN is the default when no reason was reported.
  TRACE_REASON_UNKNOWN = 0;
  // NEW, ESTABLISHED, REPLY and RELATED presumably mirror the datapath's
  // connection-tracking state for the packet — confirm against the datapath
  // trace definitions.
  NEW = 1;
  ESTABLISHED = 2;
  REPLY = 3;
  RELATED = 4;
  // REOPENED is no longer emitted.
  REOPENED = 5 [deprecated=true];
  // SRV6_ENCAP / SRV6_DECAP mark SRv6 encapsulation and decapsulation.
  SRV6_ENCAP = 6;
  SRV6_DECAP = 7;
  // ENCRYPT_OVERLAY marks traffic encrypted on the overlay.
  ENCRYPT_OVERLAY = 8;
}

// Layer4 holds the transport-layer header of a flow. Exactly one protocol
// member is set.
message Layer4 {
  oneof protocol {
    TCP TCP = 1;
    UDP UDP = 2;
    // ICMP is technically not L4, but mutually exclusive with the above
    ICMPv4 ICMPv4 = 3;
    ICMPv6 ICMPv6 = 4;
    SCTP SCTP = 5;
  }
}

// This enum corresponds to Cilium's L7 accesslog [FlowType](https://github.com/cilium/cilium/blob/728c79e427438ab6f8d9375b62fccd6fed4ace3a/pkg/proxy/accesslog/record.go#L26):
enum L7FlowType {
  // UNKNOWN_L7_TYPE is the default when the L7 type was not set.
  UNKNOWN_L7_TYPE = 0;
  // REQUEST is a request seen by the proxy.
  REQUEST = 1;
  // RESPONSE is a response seen by the proxy.
  RESPONSE = 2;
  // SAMPLE is a sampled record.
  SAMPLE = 3;
}

// Message for L7 flow, which roughly corresponds to Cilium's accesslog [LogRecord](https://github.com/cilium/cilium/blob/728c79e427438ab6f8d9375b62fccd6fed4ace3a/pkg/proxy/accesslog/record.go#L141):
message Layer7 {
  // type says whether this record is a request, a response or a sample.
  L7FlowType type = 1;
  // Latency of the response
  uint64 latency_ns = 2;
  // L7 field. This field is set if and only if FlowType is L7.
  oneof record {
    DNS dns = 100;
    HTTP http = 101;
    Kafka kafka = 102;
  }
}

// TraceContext contains trace context propagation data, i.e. information about a
// distributed trace.
// For more information about trace context, check the [W3C Trace Context specification](https://www.w3.org/TR/trace-context/).
message TraceContext {
  // parent identifies the incoming request in a tracing system.
  TraceParent parent = 1;
}

// TraceParent identifies the incoming request in a tracing system.
message TraceParent {
  // trace_id is a unique value that identifies a trace. It is a byte array
  // represented as a hex string.
  string trace_id = 1;
}

// Endpoint describes one side (source or destination) of a flow.
message Endpoint {
  // ID is the endpoint's numeric identifier (presumably the per-node Cilium
  // endpoint ID — confirm).
  uint32 ID = 1;
  // identity is the security identity of the endpoint.
  uint32 identity = 2;
  // cluster_name is the name of the cluster the endpoint belongs to.
  string cluster_name = 7;
  // namespace is the Kubernetes namespace of the endpoint.
  string namespace = 3;
  // labels in `foo=bar` format.
  repeated string labels = 4;
  // pod_name is the name of the pod backing the endpoint.
  string pod_name = 5;
  // workloads lists the workloads (e.g. controllers) that own the endpoint.
  repeated Workload workloads = 6;
}

// Workload names an owner of an endpoint.
message Workload {
  // name of the workload.
  string name = 1;
  // kind of the workload (presumably a Kubernetes resource kind — confirm).
  string kind = 2;
}

// TCP is the TCP header information of a flow.
message TCP {
  uint32 source_port = 1;
  uint32 destination_port = 2;
  // flags are the TCP header flags set on the packet.
  TCPFlags flags = 3;
}

// IP is the network-layer (L3) information of a flow.
message IP {
  // source is the source IP address as seen at the observation point.
  string source = 1;
  // source_xlated is the post translation source IP when the flow was SNATed
  // (and in that case source is the original source IP).
  string source_xlated = 5;
  // destination is the destination IP address.
  string destination = 2;
  // ipVersion says whether the addresses are IPv4 or IPv6.
  IPVersion ipVersion = 3;
  // This field indicates whether the TraceReasonEncryptMask is set or not.
  // https://github.com/cilium/cilium/blob/ba0ed147bd5bb342f67b1794c2ad13c6e99d5236/pkg/monitor/datapath_trace.go#L27
  bool encrypted = 4;
}

// Ethernet is the link-layer (L2) information of a flow.
message Ethernet {
  // source MAC address.
  string source = 1;
  // destination MAC address.
  string destination = 2;
}

// TCPFlags mirrors the flag bits of the TCP header; each field is true when
// the corresponding flag is set.
message TCPFlags {
  bool FIN = 1;
  bool SYN = 2;
  bool RST = 3;
  bool PSH = 4;
  bool ACK = 5;
  bool URG = 6;
  // ECE and CWR are the ECN flags (RFC 3168).
  bool ECE = 7;
  bool CWR = 8;
  // NS is the ECN-nonce flag (RFC 3540).
  bool NS = 9;
}

// UDP is the UDP header information of a flow.
message UDP {
  uint32 source_port = 1;
  uint32 destination_port = 2;
}

// SCTP is the SCTP header information of a flow.
message SCTP {
  uint32 source_port = 1;
  uint32 destination_port = 2;
}

// ICMPv4 holds the ICMP type and code of an IPv4 ICMP packet.
message ICMPv4 {
  uint32 type = 1;
  uint32 code = 2;
}

// ICMPv6 holds the ICMP type and code of an IPv6 ICMP packet.
message ICMPv6 {
  uint32 type = 1;
  uint32 code = 2;
}

// IPVersion is the IP protocol version of a flow (see IP.ipVersion).
enum IPVersion {
  // IP_NOT_USED is the default when no IP header is present.
  IP_NOT_USED = 0;
  IPv4 = 1;
  IPv6 = 2;
}

// Verdict is the outcome the datapath reached for a flow (see Flow.verdict).
enum Verdict {
  // UNKNOWN is used if there is no verdict for this flow event
  VERDICT_UNKNOWN = 0;
  // FORWARDED is used for flow events where the trace point has forwarded
  // this packet or connection to the next processing entity.
  FORWARDED = 1;
  // DROPPED is used for flow events where the connection or packet has
  // been dropped (e.g. due to a malformed packet, it being rejected by a
  // network policy etc). The exact drop reason may be found in drop_reason_desc.
  DROPPED = 2;
  // ERROR is used for flow events where an error occurred during processing
  ERROR = 3;
  // AUDIT is used on policy verdict events in policy audit mode, to
  // denominate flows that would have been dropped by policy if audit mode
  // was turned off
  AUDIT = 4;
  // REDIRECTED is used for flow events which have been redirected to the proxy
  REDIRECTED = 5;
  // TRACED is used for flow events which have been observed at a trace point,
  // but no particular verdict has been reached yet
  TRACED = 6;
  // TRANSLATED is used for flow events where an address has been translated
  TRANSLATED = 7;
}

// These values are shared with pkg/monitor/api/drop.go and bpf/lib/common.h.
// Note that non-drop reasons (i.e. values less than api.DropMin) are not used
// here.
// DropReason is the datapath's reason for dropping a packet
// (see Flow.drop_reason_desc). The numeric values are the datapath's own
// drop codes and must not be renumbered; unassigned values (e.g. 159) are
// gaps in that numbering, not free for reuse.
enum DropReason {
  // non-drop reasons
  DROP_REASON_UNKNOWN = 0;
  // drop reasons
  INVALID_SOURCE_MAC = 130 [deprecated = true];
  INVALID_DESTINATION_MAC = 131 [deprecated = true];
  INVALID_SOURCE_IP = 132;
  POLICY_DENIED = 133;
  INVALID_PACKET_DROPPED = 134;
  CT_TRUNCATED_OR_INVALID_HEADER = 135;
  CT_MISSING_TCP_ACK_FLAG = 136;
  CT_UNKNOWN_L4_PROTOCOL = 137;
  CT_CANNOT_CREATE_ENTRY_FROM_PACKET = 138 [deprecated = true];
  UNSUPPORTED_L3_PROTOCOL = 139;
  MISSED_TAIL_CALL = 140;
  ERROR_WRITING_TO_PACKET = 141;
  UNKNOWN_L4_PROTOCOL = 142;
  UNKNOWN_ICMPV4_CODE = 143;
  UNKNOWN_ICMPV4_TYPE = 144;
  UNKNOWN_ICMPV6_CODE = 145;
  UNKNOWN_ICMPV6_TYPE = 146;
  ERROR_RETRIEVING_TUNNEL_KEY = 147;
  ERROR_RETRIEVING_TUNNEL_OPTIONS = 148 [deprecated = true];
  INVALID_GENEVE_OPTION = 149 [deprecated = true];
  UNKNOWN_L3_TARGET_ADDRESS = 150;
  STALE_OR_UNROUTABLE_IP = 151;
  NO_MATCHING_LOCAL_CONTAINER_FOUND = 152 [deprecated = true];
  ERROR_WHILE_CORRECTING_L3_CHECKSUM = 153;
  ERROR_WHILE_CORRECTING_L4_CHECKSUM = 154;
  CT_MAP_INSERTION_FAILED = 155;
  INVALID_IPV6_EXTENSION_HEADER = 156;
  IP_FRAGMENTATION_NOT_SUPPORTED = 157;
  SERVICE_BACKEND_NOT_FOUND = 158;
  NO_TUNNEL_OR_ENCAPSULATION_ENDPOINT = 160;
  FAILED_TO_INSERT_INTO_PROXYMAP = 161;
  REACHED_EDT_RATE_LIMITING_DROP_HORIZON = 162;
  UNKNOWN_CONNECTION_TRACKING_STATE = 163;
  LOCAL_HOST_IS_UNREACHABLE = 164;
  NO_CONFIGURATION_AVAILABLE_TO_PERFORM_POLICY_DECISION = 165;
  UNSUPPORTED_L2_PROTOCOL = 166;
  NO_MAPPING_FOR_NAT_MASQUERADE = 167;
  UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE = 168;
  FIB_LOOKUP_FAILED = 169;
  ENCAPSULATION_TRAFFIC_IS_PROHIBITED = 170;
  INVALID_IDENTITY = 171;
  UNKNOWN_SENDER = 172;
  NAT_NOT_NEEDED = 173;
  IS_A_CLUSTERIP = 174;
  FIRST_LOGICAL_DATAGRAM_FRAGMENT_NOT_FOUND = 175;
  FORBIDDEN_ICMPV6_MESSAGE = 176;
  DENIED_BY_LB_SRC_RANGE_CHECK = 177;
  SOCKET_LOOKUP_FAILED = 178;
  SOCKET_ASSIGN_FAILED = 179;
  PROXY_REDIRECTION_NOT_SUPPORTED_FOR_PROTOCOL = 180;
  // POLICY_DENY is distinct from POLICY_DENIED (133); both are kept as the
  // datapath emits them.
  POLICY_DENY = 181;
  VLAN_FILTERED = 182;
  INVALID_VNI = 183;
  INVALID_TC_BUFFER = 184;
  NO_SID = 185;
  MISSING_SRV6_STATE = 186 [deprecated = true];
  NAT46 = 187;
  NAT64 = 188;
  AUTH_REQUIRED = 189;
  CT_NO_MAP_FOUND = 190;
  SNAT_NO_MAP_FOUND = 191;
  INVALID_CLUSTER_ID = 192;
  UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP = 193;
  NO_EGRESS_GATEWAY = 194;
  UNENCRYPTED_TRAFFIC = 195;
  TTL_EXCEEDED = 196;
  NO_NODE_ID = 197;
  DROP_RATE_LIMITED = 198;
  IGMP_HANDLED = 199;
  IGMP_SUBSCRIBED = 200;
  MULTICAST_HANDLED = 201;
  // A BPF program wants to tail call into bpf_host, but the host datapath
  // hasn't been loaded yet.
  DROP_HOST_NOT_READY = 202;
  // A BPF program wants to tail call some endpoint's policy program in the
  // POLICY_CALL_MAP, but the program is not available.
  DROP_EP_NOT_READY = 203;
  // An Egress Gateway node matched a packet against an Egress Gateway policy
  // that didn't select a valid Egress IP.
  DROP_NO_EGRESS_IP = 204;
}

// TrafficDirection is the direction of a connection relative to the endpoint
// (see Flow.traffic_direction).
enum TrafficDirection {
  // TRAFFIC_DIRECTION_UNKNOWN is the default when the direction is not known.
  TRAFFIC_DIRECTION_UNKNOWN = 0;
  INGRESS = 1;
  EGRESS = 2;
}

// These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.
// DebugCapturePoint identifies where a debug capture event was taken
// (see Flow.debug_capture_point).
enum DebugCapturePoint {
  DBG_CAPTURE_POINT_UNKNOWN = 0;
  // 1 to 3 were removed; kept reserved so the datapath values stay aligned.
  reserved 1 to 3;
  DBG_CAPTURE_DELIVERY = 4;
  DBG_CAPTURE_FROM_LB = 5;
  DBG_CAPTURE_AFTER_V46 = 6;
  DBG_CAPTURE_AFTER_V64 = 7;
  DBG_CAPTURE_PROXY_PRE = 8;
  DBG_CAPTURE_PROXY_POST = 9;
  DBG_CAPTURE_SNAT_PRE = 10;
  DBG_CAPTURE_SNAT_POST = 11;
}

// Policy identifies a CiliumNetworkPolicy that allowed or denied a flow
// (see the *_allowed_by / *_denied_by fields of Flow).
message Policy {
  // name of the policy.
  string name = 1;
  // namespace of the policy.
  string namespace = 2;
  // labels of the policy.
  repeated string labels = 3;
  // revision of the policy repository the decision was made against.
  uint64 revision = 4;
}

// EventTypeFilter is a filter describing a particular event type.
message EventTypeFilter {
  // type is the primary flow type as defined by:
  // github.com/cilium/cilium/pkg/monitor/api.MessageType*
  int32 type = 1;

  // match_sub_type is set to true when matching on the sub_type should
  // be done. This flag is required as 0 is a valid sub_type.
  bool match_sub_type = 2;

  // sub_type is the secondary type, e.g.
  // - github.com/cilium/cilium/pkg/monitor/api.Trace*
  int32 sub_type = 3;
}

// CiliumEventType from which the flow originated.
message CiliumEventType {
  // type of event the flow originated from, i.e.
  // github.com/cilium/cilium/pkg/monitor/api.MessageType*
  int32 type = 1;
  // sub_type may indicate more details depending on type, e.g.
  // - github.com/cilium/cilium/pkg/monitor/api.Trace*
  // - github.com/cilium/cilium/pkg/monitor/api.Drop*
  // - github.com/cilium/cilium/pkg/monitor/api.DbgCapture*
  int32 sub_type = 2;
}

// FlowFilter represent an individual flow filter. All fields are optional. If
// multiple fields are set, then all fields must match for the filter to match.
// NOTE(review): filters are supplied by API clients; the pattern-based fields
// (regular expressions, CEL) are presumably evaluated by the observer that
// serves the request, so the cost caveat given for cel_expression applies
// to client-provided input — confirm.
message FlowFilter {
  // uuid filters by a list of flow uuids.
  repeated string uuid = 29;
  // source_ip filters by a list of source ips. Each of the source ips can be
  // specified as an exact match (e.g. "1.1.1.1") or as a CIDR range (e.g.
  // "1.1.1.0/24").
  repeated string source_ip = 1;
  // source_ip_xlated filters by a list of IPs. Each of the IPs can be specified
  // as an exact match (e.g. "1.1.1.1") or as a CIDR range (e.g.
  // "1.1.1.0/24").
  repeated string source_ip_xlated = 34;
  // source_pod filters by a list of source pod name prefixes, optionally
  // within a given namespace (e.g. "xwing", "kube-system/coredns-").
  // The pod name can be omitted to only filter by namespace
  // (e.g. "kube-system/") or the namespace can be omitted to filter for
  // pods in any namespace (e.g. "/xwing")
  repeated string source_pod = 2;
  // source_fqdn filters by a list of source fully qualified domain names
  repeated string source_fqdn = 7;
  // source_labels filters on a list of source label selectors. Selectors
  // support the full Kubernetes label selector syntax.
  repeated string source_label = 10;
  // source_service filters on a list of source service names. This field
  // supports the same syntax as the source_pod field.
  repeated string source_service = 16;
  // source_workload filters by a list of source workload.
  repeated Workload source_workload = 26;

  // destination_ip filters by a list of destination ips. Each of the
  // destination ips can be specified as an exact match (e.g. "1.1.1.1") or
  // as a CIDR range (e.g. "1.1.1.0/24").
  repeated string destination_ip = 3;
  // destination_pod filters by a list of destination pod names
  repeated string destination_pod = 4;
  // destination_fqdn filters by a list of destination fully qualified domain names
  repeated string destination_fqdn = 8;
  // destination_label filters on a list of destination label selectors
  repeated string destination_label = 11;
  // destination_service filters on a list of destination service names
  repeated string destination_service = 17;
  // destination_workload filters by a list of destination workload.
  repeated Workload destination_workload = 27;

  // traffic_direction filters flow by direction of the connection, e.g.
  // ingress or egress.
  repeated TrafficDirection traffic_direction = 30;
  // only return Flows that were classified with a particular verdict.
  repeated Verdict verdict = 5;
  // only applicable to Verdict = DROPPED (e.g. "POLICY_DENIED", "UNSUPPORTED_L3_PROTOCOL")
  repeated DropReason drop_reason_desc = 33;
  // interface is the network interface on which this flow was observed.
  repeated NetworkInterface interface = 35;
  // event_type is the list of event types to filter on
  repeated EventTypeFilter event_type = 6;
  // http_status_code is a list of string prefixes (e.g. "4+", "404", "5+")
  // to filter on the HTTP status code
  repeated string http_status_code = 9;

  // protocol filters flows by L4 or L7 protocol (e.g. "tcp", "http")
  repeated string protocol = 12;

  // source_port filters flows by L4 source port
  repeated string source_port = 13;
  // destination_port filters flows by L4 destination port
  repeated string destination_port = 14;
  // reply filters flows based on the direction of the flow.
  repeated bool reply = 15;
  // dns_query filters L7 DNS flows by query patterns (RE2 regex), e.g. 'kube.*local'.
  repeated string dns_query = 18;
  // source_identity filters by the security identity of the source endpoint.
  repeated uint32 source_identity = 19;
  // destination_identity filters by the security identity of the destination endpoint.
  repeated uint32 destination_identity = 20;

  // GET, POST, PUT, etc. methods. This type of field is well suited for an
  // enum but every single existing place is using a string already.
  repeated string http_method = 21;
  // http_path is a list of regular expressions to filter on the HTTP path.
  // The regex dialect is not stated here; presumably RE2 as for dns_query —
  // confirm.
  repeated string http_path = 22;
  // http_url is a list of regular expressions to filter on the HTTP URL.
  // Same dialect caveat as http_path.
  repeated string http_url = 31;
  // http_header is a list of key:value pairs to filter on the HTTP headers.
  repeated HTTPHeader http_header = 32;

  // tcp_flags filters flows based on TCP header flags
  repeated TCPFlags tcp_flags = 23;

  // node_name is a list of patterns to filter on the node name, e.g. "k8s*",
  // "test-cluster/*.domain.com", "cluster-name/" etc.
  repeated string node_name = 24;
  // node_labels filters on a list of node label selectors. Selectors support
  // the full Kubernetes label selector syntax.
  repeated string node_labels = 36;

  // filter based on IP version (ipv4 or ipv6)
  repeated IPVersion ip_version = 25;

  // trace_id filters flows by trace ID
  repeated string trace_id = 28;

  // Experimental contains filters that are not stable yet. Support for
  // experimental features is always optional and subject to change.
  message Experimental {
    // cel_expression takes a common expression language (CEL) expression
    // returning a boolean to determine if the filter matched or not.
    // You can use the `_flow` variable to access fields on the flow using
    // the flow.Flow protobuf field names.
    // See https://github.com/google/cel-spec/blob/v0.14.0/doc/intro.md#introduction
    // for more details on CEL and accessing the protobuf fields in CEL.
    // Using CEL has performance cost compared to other filters, so prefer
    // using non-CEL filters when possible, and try to specify CEL filters
    // last in the list of FlowFilters.
    repeated string cel_expression = 1;
  }
  // experimental contains filters that are not stable yet. Support for
  // experimental features is always optional and subject to change.
  Experimental experimental = 999;
}

// EventType constants are based on the ones from <linux/perf_event.h>.
enum EventType {
  UNKNOWN = 0;
  // EventSample is equivalent to PERF_RECORD_SAMPLE.
  EventSample = 9;
  // RecordLost is equivalent to PERF_RECORD_LOST.
  RecordLost = 2;
}

// DNS flow. This is basically directly mapped from Cilium's [LogRecordDNS](https://github.com/cilium/cilium/blob/04f3889d627774f79e56d14ddbc165b3169e2d01/pkg/proxy/accesslog/record.go#L264):
message DNS {
  // DNS name that's being looked up: e.g. "isovalent.com."
  string query = 1;
  // List of IP addresses in the DNS response.
  repeated string ips = 2;
  // TTL in the DNS response.
  uint32 ttl = 3;
  // List of CNames in the DNS response.
  repeated string cnames = 4;
  // Corresponds to DNSDataSource defined in:
  // https://github.com/cilium/cilium/blob/04f3889d627774f79e56d14ddbc165b3169e2d01/pkg/proxy/accesslog/record.go#L253
  string observation_source = 5;
  // Return code of the DNS request defined in:
  // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
  uint32 rcode = 6;
  // String representation of qtypes defined in:
  // https://tools.ietf.org/html/rfc1035#section-3.2.3
  repeated string qtypes = 7;
  // String representation of rrtypes defined in:
  // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
  repeated string rrtypes = 8;
}

// HTTPHeader is a single HTTP header as a key/value pair.
message HTTPHeader {
  // key is the header name.
  string key = 1;
  // value is the header value.
  string value = 2;
}

// L7 information for HTTP flows. It corresponds to Cilium's [accesslog.LogRecordHTTP](https://github.com/cilium/cilium/blob/728c79e427438ab6f8d9375b62fccd6fed4ace3a/pkg/proxy/accesslog/record.go#L206) type.
message HTTP {
  // code is the HTTP status code (responses only).
  uint32 code = 1;
  // method is the HTTP request method, e.g. "GET".
  string method = 2;
  // url is the request URL.
  string url = 3;
  // protocol is the HTTP protocol version string.
  string protocol = 4;
  // headers are the HTTP headers of the request or response.
  repeated HTTPHeader headers = 5;
}

// L7 information for Kafka flows. It corresponds to Cilium's [accesslog.LogRecordKafka](https://github.com/cilium/cilium/blob/728c79e427438ab6f8d9375b62fccd6fed4ace3a/pkg/proxy/accesslog/record.go#L229) type.
message Kafka {
  // error_code is the Kafka error code of the response.
  int32 error_code = 1;
  // api_version is the Kafka API version of the request.
  int32 api_version = 2;
  // api_key is the Kafka API key (request type) as a string.
  string api_key = 3;
  // correlation_id matches a response to its request.
  int32 correlation_id = 4;
  // topic is the Kafka topic the request refers to.
  string topic = 5;
}

// Service identifies a Kubernetes service by name and namespace.
message Service {
  string name = 1;
  string namespace = 2;
}

// LostEventSource identifies where events were lost (see LostEvent.source).
enum LostEventSource {
  UNKNOWN_LOST_EVENT_SOURCE = 0;
  // PERF_EVENT_RING_BUFFER indicates that events were dropped in the BPF
  // perf event ring buffer, indicating that userspace agent did not keep up
  // with the events produced by the datapath.
  PERF_EVENT_RING_BUFFER = 1;
  // OBSERVER_EVENTS_QUEUE indicates that events were dropped because the
  // Hubble events queue was full, indicating that the Hubble observer did
  // not keep up.
  OBSERVER_EVENTS_QUEUE = 2;

  // HUBBLE_RING_BUFFER indicates that the event was dropped because it could
  // not be read from Hubble's ring buffer in time before being overwritten.
  HUBBLE_RING_BUFFER = 3;
}

// LostEvent is a message which notifies consumers about a loss of events
// that happened before the events were captured by Hubble.
message LostEvent {
  // source is the location where events got lost.
  LostEventSource source = 1;
  // num_events_lost is the number of events that have been lost at source.
  uint64 num_events_lost = 2;
  // cpu on which the event was lost if the source of lost events is
  // PERF_EVENT_RING_BUFFER.
  // Wrapped in Int32Value so that "not applicable" is distinguishable from
  // CPU 0.
  google.protobuf.Int32Value cpu = 3;
}

// AgentEventType is the type of agent event. These values are shared with type
// AgentNotification in pkg/monitor/api/types.go.
enum AgentEventType {
  AGENT_EVENT_UNKNOWN = 0;
  // used for AGENT_EVENT_GENERIC in monitor API, but there are currently no
  // such events;
  reserved 1;
  AGENT_STARTED = 2;
  POLICY_UPDATED = 3;
  POLICY_DELETED = 4;
  ENDPOINT_REGENERATE_SUCCESS = 5;
  ENDPOINT_REGENERATE_FAILURE = 6;
  ENDPOINT_CREATED = 7;
  ENDPOINT_DELETED = 8;
  IPCACHE_UPSERTED = 9;
  IPCACHE_DELETED = 10;
  SERVICE_UPSERTED = 11;
  SERVICE_DELETED = 12;
}

// AgentEvent is a notification emitted by the Cilium agent (as opposed to
// the datapath). The type selects which notification member is populated.
message AgentEvent {
  AgentEventType type = 1;
  oneof notification {
    // unknown carries the raw notification when type is not recognised.
    AgentEventUnknown unknown = 100;
    // agent_start is used for AGENT_STARTED
    TimeNotification agent_start = 101;
    // used for POLICY_UPDATED and POLICY_DELETED
    PolicyUpdateNotification policy_update = 102;
    // used for ENDPOINT_REGENERATE_SUCCESS and ENDPOINT_REGENERATE_FAILURE
    EndpointRegenNotification endpoint_regenerate = 103;
    // used for ENDPOINT_CREATED and ENDPOINT_DELETED
    EndpointUpdateNotification endpoint_update = 104;
    // used for IPCACHE_UPSERTED and IPCACHE_DELETED
    IPCacheNotification ipcache_update = 105;
    // used for SERVICE_UPSERTED
    ServiceUpsertNotification service_upsert = 106;
    // used for SERVICE_DELETED
    ServiceDeleteNotification service_delete = 107;
  }
}

// AgentEventUnknown carries an agent notification this schema has no
// dedicated message for, as opaque strings.
message AgentEventUnknown {
  // type is the notification type as a string.
  string type = 1;
  // notification is the raw notification payload.
  string notification = 2;
}

// TimeNotification carries only a timestamp (used for AGENT_STARTED).
message TimeNotification {
  google.protobuf.Timestamp time = 1;
}

// PolicyUpdateNotification describes a policy repository update.
message PolicyUpdateNotification {
  // labels of the rules that were updated or deleted.
  repeated string labels = 1;
  // revision of the policy repository after the update.
  uint64 revision = 2;
  // rule_count is the number of rules affected.
  int64 rule_count = 3;
}

// EndpointRegenNotification describes the outcome of an endpoint
// regeneration.
message EndpointRegenNotification {
  // id of the endpoint.
  uint64 id = 1;
  // labels of the endpoint.
  repeated string labels = 2;
  // error is set on ENDPOINT_REGENERATE_FAILURE, empty otherwise
  // (presumably — confirm).
  string error = 3;
}

// EndpointUpdateNotification describes an endpoint being created or deleted.
message EndpointUpdateNotification {
  // id of the endpoint.
  uint64 id = 1;
  // labels of the endpoint.
  repeated string labels = 2;
  // error, if the operation failed.
  string error = 3;
  // pod_name backing the endpoint.
  string pod_name = 4;
  // namespace of the pod.
  string namespace = 5;
}

// IPCacheNotification describes an ipcache entry being upserted or deleted.
message IPCacheNotification {
  // cidr is the prefix the entry maps.
  string cidr = 1;
  // identity is the security identity now associated with the prefix.
  uint32 identity = 2;
  // old_identity is the previous identity; wrapped so that "no previous
  // identity" is distinguishable from identity 0.
  google.protobuf.UInt32Value old_identity = 3;
  // host_ip is the node the prefix is reachable through.
  string host_ip = 4;
  // old_host_ip is the previous host_ip.
  string old_host_ip = 5;
  // encrypt_key is the encryption key index for the entry.
  uint32 encrypt_key = 6;
  // namespace and pod_name of the pod the prefix belongs to, if any.
  string namespace = 7;
  string pod_name = 8;
}

// ServiceUpsertNotificationAddr is an IP:port pair of a service frontend or
// backend.
message ServiceUpsertNotificationAddr {
  string ip = 1;
  uint32 port = 2;
}

// ServiceUpsertNotification describes a service being created or updated.
message ServiceUpsertNotification {
  // id is the service ID.
  uint32 id = 1;
  // frontend_address is the address clients connect to.
  ServiceUpsertNotificationAddr frontend_address = 2;
  // backend_addresses are the addresses traffic is load-balanced to.
  repeated ServiceUpsertNotificationAddr backend_addresses = 3;
  // type of the service.
  string type = 4;
  // traffic_policy is deprecated; presumably superseded by
  // ext_traffic_policy and int_traffic_policy — confirm.
  string traffic_policy = 5 [deprecated = true];
  // name and namespace of the service.
  string name = 6;
  string namespace = 7;
  // ext_traffic_policy is the external traffic policy of the service.
  string ext_traffic_policy = 8;
  // int_traffic_policy is the internal traffic policy of the service.
  string int_traffic_policy = 9;
}

// ServiceDeleteNotification describes a service being deleted.
message ServiceDeleteNotification {
  // id is the ID of the deleted service.
  uint32 id = 1;
}

// NetworkInterface identifies a network interface by index and name.
message NetworkInterface {
  // index is the interface index.
  uint32 index = 1;
  // name is the interface name.
  string name = 2;
}

// This mirrors enum xlate_point in bpf/lib/trace_sock.h
enum SocketTranslationPoint {
  SOCK_XLATE_POINT_UNKNOWN = 0;
  SOCK_XLATE_POINT_PRE_DIRECTION_FWD = 1; // Pre service translation
  SOCK_XLATE_POINT_POST_DIRECTION_FWD = 2; // Post service translation
  SOCK_XLATE_POINT_PRE_DIRECTION_REV = 3; // Pre reverse service translation
  SOCK_XLATE_POINT_POST_DIRECTION_REV = 4; // Post reverse service translation
}

// DebugEvent is a datapath debug event (see DebugEventType).
message DebugEvent {
  DebugEventType type = 1;
  // source is the endpoint the event was emitted for.
  Endpoint source = 2;
  // hash, arg1, arg2 and arg3 are the raw event arguments; they are
  // presumably interpreted according to type (see
  // pkg/monitor/api/datapath_debug.go) — confirm. The wrapper types let an
  // absent argument be distinguished from 0.
  google.protobuf.UInt32Value hash = 3;
  google.protobuf.UInt32Value arg1 = 4;
  google.protobuf.UInt32Value arg2 = 5;
  google.protobuf.UInt32Value arg3 = 6;
  // message is a human-readable rendering of the event.
  string message = 7;
  // cpu on which the event was emitted; wrapped so that "unknown" is
  // distinguishable from CPU 0.
  google.protobuf.Int32Value cpu = 8;
}

// These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.
// DebugEventType identifies the datapath debug message carried by a
// DebugEvent. The numeric values are the datapath's own and must not be
// renumbered.
enum DebugEventType {
  DBG_EVENT_UNKNOWN = 0;
  DBG_GENERIC = 1;
  DBG_LOCAL_DELIVERY = 2;
  DBG_ENCAP = 3;
  DBG_LXC_FOUND = 4;
  DBG_POLICY_DENIED = 5;
  DBG_CT_LOOKUP = 6;
  DBG_CT_LOOKUP_REV = 7;
  DBG_CT_MATCH = 8;
  DBG_CT_CREATED = 9;
  DBG_CT_CREATED2 = 10;
  DBG_ICMP6_HANDLE = 11;
  DBG_ICMP6_REQUEST = 12;
  DBG_ICMP6_NS = 13;
  DBG_ICMP6_TIME_EXCEEDED = 14;
  DBG_CT_VERDICT = 15;
  DBG_DECAP = 16;
  DBG_PORT_MAP = 17;
  DBG_ERROR_RET = 18;
  DBG_TO_HOST = 19;
  DBG_TO_STACK = 20;
  DBG_PKT_HASH = 21;
  DBG_LB6_LOOKUP_FRONTEND = 22;
  DBG_LB6_LOOKUP_FRONTEND_FAIL = 23;
  DBG_LB6_LOOKUP_BACKEND_SLOT = 24;
  DBG_LB6_LOOKUP_BACKEND_SLOT_SUCCESS = 25;
  DBG_LB6_LOOKUP_BACKEND_SLOT_V2_FAIL = 26;
  DBG_LB6_LOOKUP_BACKEND_FAIL = 27;
  DBG_LB6_REVERSE_NAT_LOOKUP = 28;
  DBG_LB6_REVERSE_NAT = 29;
  DBG_LB4_LOOKUP_FRONTEND = 30;
  DBG_LB4_LOOKUP_FRONTEND_FAIL = 31;
  DBG_LB4_LOOKUP_BACKEND_SLOT = 32;
  DBG_LB4_LOOKUP_BACKEND_SLOT_SUCCESS = 33;
  DBG_LB4_LOOKUP_BACKEND_SLOT_V2_FAIL = 34;
  DBG_LB4_LOOKUP_BACKEND_FAIL = 35;
  DBG_LB4_REVERSE_NAT_LOOKUP = 36;
  DBG_LB4_REVERSE_NAT = 37;
  DBG_LB4_LOOPBACK_SNAT = 38;
  DBG_LB4_LOOPBACK_SNAT_REV = 39;
  DBG_CT_LOOKUP4 = 40;
  DBG_RR_BACKEND_SLOT_SEL = 41;
  DBG_REV_PROXY_LOOKUP = 42;
  DBG_REV_PROXY_FOUND = 43;
  DBG_REV_PROXY_UPDATE = 44;
  DBG_L4_POLICY = 45;
  DBG_NETDEV_IN_CLUSTER = 46;
  DBG_NETDEV_ENCAP4 = 47;
  DBG_CT_LOOKUP4_1 = 48;
  DBG_CT_LOOKUP4_2 = 49;
  DBG_CT_CREATED4 = 50;
  DBG_CT_LOOKUP6_1 = 51;
  DBG_CT_LOOKUP6_2 = 52;
  DBG_CT_CREATED6 = 53;
  DBG_SKIP_PROXY = 54;
  DBG_L4_CREATE = 55;
  DBG_IP_ID_MAP_FAILED4 = 56;
  DBG_IP_ID_MAP_FAILED6 = 57;
  DBG_IP_ID_MAP_SUCCEED4 = 58;
  DBG_IP_ID_MAP_SUCCEED6 = 59;
  DBG_LB_STALE_CT = 60;
  DBG_INHERIT_IDENTITY = 61;
  DBG_SK_LOOKUP4 = 62;
  DBG_SK_LOOKUP6 = 63;
  DBG_SK_ASSIGN = 64;
  DBG_L7_LB = 65;
  DBG_SKIP_POLICY = 66;
}