// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

// Package linux_defaults holds the Linux-specific constants used by the
// Linux datapath: policy-routing table IDs, packet/route marks and the
// masks that select them, routing-rule priorities, and the IPsec mark
// layout.
//
// Every mark below lives in the kernel's 32-bit fwmark, and every table ID
// and rule priority lives in the per-netns policy-routing space. Both are
// shared with whatever else runs on the node (firewalls, other routing
// daemons, other CNIs), so a colliding value can change which table a
// packet is looked up in, or whether it is treated as needing encryption,
// decryption or proxy redirection. Keep that in mind when changing any of
// these values.
package linux_defaults

import (
	"golang.org/x/sys/unix"
)

// Linux-specific constants used in the Linux datapath.
const (
	// RouteTableIPSec is the default table ID to use for IPsec routing rules.
	RouteTableIPSec = 200

	// RouteTableVtep is the default table ID to use for VTEP routing rules.
	RouteTableVtep = 202

	// RouteTableToProxy is the default table ID used by the routing rules
	// that steer packets to the proxy.
	RouteTableToProxy = 2004

	// RouteTableFromProxy is the default table ID used by the routing rules
	// that handle packets coming from the proxy.
	RouteTableFromProxy = 2005

	// RouteTableInterfacesOffset is the offset for the per-ENI routing
	// tables. Each ENI interface gets its own table, numbered starting at
	// this offset. It is 10 because that is highly unlikely to collide with
	// the kernel's reserved tables (default/main/local, IDs 253-255). See
	// ip-route(8).
	RouteTableInterfacesOffset = 10

	// MarkProxyToWorld is the default mark used to indicate that a packet
	// coming from the proxy needs to be sent to the world.
	MarkProxyToWorld = 0x800

	// RouteMarkDecrypt is the default route mark used to indicate that the
	// datapath needs to decrypt a packet. Under RouteMarkMask this is the
	// nibble 0xD.
	RouteMarkDecrypt = 0x0D00

	// RouteMarkDecryptedOverlay is the output mark used for EncryptedOverlay
	// XFRM policies.
	//
	// When this mark is present on a packet it indicates that overlay
	// traffic was decrypted by XFRM and should be forwarded to a tunnel
	// device for decapsulation.
	//
	// Note that the bit distinguishing it from RouteMarkDecrypt (0x1000)
	// lies outside RouteMarkMask: 0x1D00 & RouteMarkMask == RouteMarkDecrypt,
	// so a match on RouteMarkMask alone cannot tell the two apart.
	RouteMarkDecryptedOverlay = 0x1D00

	// RouteMarkEncrypt is the default route mark used to indicate that the
	// datapath needs to encrypt a packet. Under RouteMarkMask this is the
	// nibble 0xE.
	RouteMarkEncrypt = 0x0E00

	// RouteMarkMask is the mask required for the route mark value. It
	// selects bits 8-11, the nibble that holds RouteMarkDecrypt and
	// RouteMarkEncrypt.
	RouteMarkMask = 0xF00

	// OutputMarkMask is the mask to use in output-mark of XFRM states. It
	// covers bits 8-31 and is used to clear the node ID (IPsecMarkMaskNodeID,
	// bits 16-31) and the SPI (encoded from bit IPsecXFRMMarkSPIShift
	// upwards) from the packet mark.
	OutputMarkMask = 0xFFFFFF00

	// RouteMarkToProxy is the default route mark used to indicate that the
	// datapath needs to send the packet to the proxy.
	//
	// Specifically, this is used in the L7 ingress policy tunneling case
	// where, after decryption, the packet is rerouted back into
	// `cilium_host` with said mark to indicate the proxy as the
	// destination.
	//
	// MagicMarkIsToProxy is declared elsewhere in this package.
	RouteMarkToProxy = MagicMarkIsToProxy

	// MarkMultinodeNodeport is used with AWS ENI to mark traffic from
	// another node, so that it gets routed back through the relevant
	// interface.
	MarkMultinodeNodeport = 0x80

	// MaskMultinodeNodeport is the mask associated with
	// MarkMultinodeNodeport; it selects exactly that one bit.
	MaskMultinodeNodeport = 0x80

	// RTProto is the protocol our fib rules and routes are installed with.
	// The kernel proto is used so that systemd-networkd does not interfere
	// with these rules (see the networkd config directive
	// ManageForeignRoutingPolicyRules, which is set to 'yes' by default).
	RTProto = unix.RTPROT_KERNEL

	// Rule priorities. The kernel walks policy-routing rules in ascending
	// priority order, so a lower number is matched first (see ip-rule(8)).

	// RulePriorityToProxyIngress is the priority of the routing rule
	// installed by the proxy package for redirecting inbound packets to
	// the proxy.
	RulePriorityToProxyIngress = 9

	// RulePriorityFromProxy is the priority of the routing rule installed
	// by the proxy package for redirecting packets from the proxy.
	RulePriorityFromProxy = 10

	// RulePriorityIngress is the priority of the rule used for ingress
	// routing of endpoints. This priority is after the encryption and
	// proxy rules, and before the local table priority.
	RulePriorityIngress = 20

	// RulePriorityLocalLookup is the priority of the local lookup rule,
	// which is moved on init from its kernel default of 0.
	RulePriorityLocalLookup = 100

	// RulePriorityEgress is the priority of the rule used for egress
	// routing of endpoints. This priority is after the local table priority.
	RulePriorityEgress = 110

	// RulePriorityEgressv2 is the v2 of the priority of the rule used for
	// egress routing of endpoints. This priority is after the local table
	// priority.
	//
	// Because of https://github.com/cilium/cilium/issues/14336, we must use
	// a new priority value to disambiguate which rules are still under the
	// old scheme.
	RulePriorityEgressv2 = 111

	// RulePriorityNodeport is the priority of the rule used with AWS ENI to
	// make sure that lookups for multi-node NodePort traffic are NOT done
	// from the table for the VPC to which the endpoint's CIDR is
	// associated, but from the main routing table instead.
	// This priority is before the egress priority (it evaluates to 109).
	RulePriorityNodeport = RulePriorityEgress - 1

	// RulePriorityVtep is the priority of the rule used for routing packets
	// to the VTEP device.
	RulePriorityVtep = 112

	// IPsecMaxKeyVersion is the upper bound on the IPsec key version (it
	// was originally described only as the "IPSec offset value for node
	// rules"). NOTE(review): 15 is the largest value that fits in the four
	// bits between IPsecXFRMMarkSPIShift (12) and the node ID field (bit
	// 16); whether that is the reason for the value is not visible from
	// this file -- confirm against the IPsec key-rotation code.
	IPsecMaxKeyVersion = 15

	// IPsecMarkMaskNodeID is the mask used for the node ID (bits 16-31 of
	// the packet mark).
	IPsecMarkMaskNodeID = 0xFFFF0000

	// IPsecMarkBitMask is the mask used for the encrypt and decrypt bits
	// (bits 8-11, the same bits as RouteMarkMask).
	IPsecMarkBitMask = 0x0F00

	// IPsecOldMarkMaskOut is the mask that was previously used. It can be
	// removed in Cilium v1.15.
	//
	// NOTE(review): it is still referenced by IPsecMarkMaskOut below, so
	// dropping it changes that mask. 0xFF00 covers bits 8-15: the
	// encrypt/decrypt nibble plus the four bits above it where the shifted
	// SPI lands -- verify before removing.
	IPsecOldMarkMaskOut = 0xFF00

	// IPsecMarkMaskOut is the mask required for the IPsec SPI, node ID, and
	// encrypt/decrypt bits. Numerically this is 0xFFFFFF00, the same bits
	// as OutputMarkMask.
	IPsecMarkMaskOut = IPsecOldMarkMaskOut | IPsecMarkMaskNodeID

	// IPsecMarkMaskIn is the mask required for the IPsec node ID and
	// encrypt/decrypt bits. Numerically this is 0xFFFF0F00; unlike
	// IPsecMarkMaskOut it leaves out bits 12-15.
	IPsecMarkMaskIn = IPsecMarkBitMask | IPsecMarkMaskNodeID

	// IPsecFwdPriority is the priority of the fwd rules placed by IPsec
	// (0x0B9F == 2975).
	IPsecFwdPriority = 0x0B9F

	// IPsecXFRMMarkSPIShift defines how many bits the SPI is shifted when
	// encoded in a XfrmMark, i.e. the SPI occupies the bits starting at
	// bit 12, directly above the encrypt/decrypt nibble.
	IPsecXFRMMarkSPIShift = 12
)