github.com/cilium/cilium@v1.16.2/pkg/datapath/linux/linux_defaults/mark.go (about)

     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package linux_defaults
     5  
     6  // The skb mark is used to transmit both identity and special markers to
     7  // identify traffic from and to proxies. The mark field is being used in the
     8  // following way:
     9  //
    10  //	 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
    11  //	+-------------------------------+-------+-------+---------------+
    12  //	|L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U|
    13  //	+-------------------------------+-------+-------+---------------+
    14  //	 identity                        k8s     mark    identity
    15  //
    16  // Identity (24 bits):
    17  //
    18  //	+-----------------------------------------------+
    19  //	|U U U U U U U U|L L L L L L L L L L L L L L L L|
    20  //	+-----------------------------------------------+
    21  //	 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
    22  //
    23  // Kubernetes Mark (4 bits; see MagicMarkWireGuardEncrypted for usage of some of
    24  // K8s mark space):
    25  // R R R R
    26  // 0 1 0 0  Masquerade
    27  // 1 0 0 0  Drop
    28  //
    29  // Cilium Mark (4 bits):
    30  // M M M M
    31  // (see MARK_MAGIC_* in bpf/lib/common.h)
    32  const (
    33  	// MagicMarkHostMask can be used to fetch the host/proxy-relevant magic
    34  	// bits from a mark.
    35  	MagicMarkHostMask int = 0x0F00
    36  	// MagicMarkProxyMask can be used to fetch the proxy-relevant magic
    37  	// bits from a mark.
    38  	MagicMarkProxyMask int = 0x0E00
    39  	// MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic
    40  	// bits from a mark for proxy reply traffic.
    41  	MagicMarkProxyNoIDMask int = 0xFFFFFEFF
    42  	// MagicMarkIsProxyEPID can be used in conjunction with
    43  	// MagicMarkProxyMask to determine whether the mark is indicating that
    44  	// traffic is sourced from a proxy prior to endpoint policy enforcement.
    45  	MagicMarkIsProxyEPID int = 0x0800
    46  	// MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask
    47  	// to determine whether the mark is indicating that traffic is sourced
    48  	// from a proxy.
    49  	MagicMarkIsProxy int = 0x0A00
    50  	// MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask
    51  	// to determine whether the mark is indicating that traffic is destined
    52  	// to a proxy.
    53  	MagicMarkIsToProxy uint32 = 0x0200
    54  
    55  	MagicMarkSNATDone int = 0x0300
    56  
    57  	// MagicMarkOverlay is set by the to-overlay program, and can be used
    58  	// to identify cilium-managed overlay traffic.
    59  	MagicMarkOverlay int = 0x0400
    60  
    61  	// MagicMarkProxyEgressEPID determines that the traffic is sourced from
    62  	// the proxy which is capturing traffic before it is subject to egress
    63  	// policy enforcement that must be done after the proxy. The identity
    64  	// stored in the mark is source Endpoint ID.
    65  	//
    66  	// Note that this is not used from Go code, but is included here to
    67  	// document this pattern. This must match the definition of
    68  	// MARK_MAGIC_PROXY_EGRESS_EPID in the datapath, and the Envoy code in
    69  	// cilium/proxy/cilium/bpf_metadata.cc
    70  	MagicMarkProxyEgressEPID int = 0x0900
    71  
    72  	// MagicMarkIngress determines that the traffic is sourced from the
    73  	// proxy which is applying Ingress policy
    74  	MagicMarkIngress int = 0x0A00
    75  	// MagicMarkEgress determines that the traffic is sourced from the
    76  	// proxy which is applying Egress policy
    77  	MagicMarkEgress int = 0x0B00
    78  
    79  	// MagicMarkHost determines that the traffic is sourced from the local
    80  	// host and not from a proxy.
    81  	MagicMarkHost int = 0x0C00
    82  
    83  	// MagicMarkIdentity determines that the traffic carries a security
    84  	// identity in the skb->mark
    85  	MagicMarkIdentity int = 0x0F00
    86  
    87  	// MagicMarkK8sMasq determines that the traffic should be masqueraded
    88  	// by kube-proxy in kubernetes environments.
    89  	MagicMarkK8sMasq int = 0x4000
    90  	// MagicMarkK8sDrop determines that the traffic should be dropped in
    91  	// kubernetes environments.
    92  	MagicMarkK8sDrop int = 0x8000
    93  
    94  	// MagicMarkWireGuardEncrypted is set by the WireGuard tunnel device
    95  	// in order to indicate that a packet has been encrypted, and that there
    96  	// is no need to forward it again to the WG tunnel netdev.
    97  	//
    98  	// The mark invades the K8s mark space described above. This is because
    99  	// some packets might carry a security identity which is indicated with
   100  	// MagicMarkIdentity which takes all 4 bits. The LSB bit which we take
   101  	// from the K8s space is not used, so this is fine). I.e., the LSB bit is
   102  	// 0x1000, and the K8s marks are 0x4000 and 0x8000. So both are not
   103  	// interfering with that bit.
   104  	MagicMarkWireGuardEncrypted int = 0x1E00
   105  )
   106  
   107  // getMagicMark returns the magic marker with which each packet must be marked.
   108  // The mark is different depending on whether the proxy is injected at ingress
   109  // or egress.
   110  func GetMagicProxyMark(isIngress bool, identity int) int {
   111  	var mark int
   112  
   113  	if isIngress {
   114  		mark = MagicMarkIngress
   115  	} else {
   116  		mark = MagicMarkEgress
   117  	}
   118  
   119  	if identity != 0 {
   120  		mark |= (identity >> 16) & 0xFF
   121  		mark |= (identity & 0xFFFF) << 16
   122  	}
   123  
   124  	return mark
   125  }