github.com/elfadel/cilium@v1.6.12/pkg/datapath/linux/linux_defaults/mark.go (about) 1 // Copyright 2016-2018 Authors of Cilium 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package linux_defaults 16 17 // The skb mark is used to transmit both identity and special markers to 18 // identify traffic from and to proxies. The mark field is being used in the 19 // following way: 20 // 21 // 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 22 // +-------------------------------+-------+-------+---------------+ 23 // |L L L L L L L L L L L L L L L L|R R R R|M M M M|U U U U U U U U| 24 // +-------------------------------+-------+-------+---------------+ 25 // identity k8s mark identity 26 // 27 // Identity (24 bits): 28 // +-----------------------------------------------+ 29 // |U U U U U U U U|L L L L L L L L L L L L L L L L| 30 // +-----------------------------------------------+ 31 // 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 32 // 33 // Kubernetes Mark (4 bits): 34 // R R R R 35 // 0 1 0 0 Masquerade 36 // 1 0 0 0 Drop 37 // 38 // Cilium Mark (4 bits): 39 // M M M M 40 // (see MARK_MAGIC_* in bpf/lib/common.h) 41 const ( 42 // MagicMarkHostMask can be used to fetch the host/proxy-relevant magic 43 // bits from a mark. 44 MagicMarkHostMask int = 0x0F00 45 // MagicMarkProxyMask can be used to fetch the proxy-relevant magic 46 // bits from a mark. 47 MagicMarkProxyMask int = 0x0E00 48 // MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic 49 // bits from a mark for proxy reply traffic. 50 MagicMarkProxyNoIDMask int = 0xFFFFFEFF 51 // MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask 52 // to determine whether the mark is indicating that traffic is sourced 53 // from a proxy. 54 MagicMarkIsProxy int = 0x0A00 55 // MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask 56 // to determine whether the mark is indicating that traffic is destined 57 // to a proxy. 58 MagicMarkIsToProxy uint32 = 0x0200 59 60 // MagicMarkIngress determines that the traffic is sourced from the 61 // proxy which is applying Ingress policy 62 MagicMarkIngress int = 0x0A00 63 // MagicMarkEgress determines that the traffic is sourced from the 64 // proxy which is applying Egress policy 65 MagicMarkEgress int = 0x0B00 66 67 // MagicMarkHost determines that the traffic is sourced from the local 68 // host and not from a proxy. 69 MagicMarkHost int = 0x0C00 70 71 // MagicMarkIdentity determines that the traffic carries a security 72 // identity in the skb->mark 73 MagicMarkIdentity int = 0x0F00 74 75 // MagicMarkK8sMasq determines that the traffic should be masqueraded 76 // by kube-proxy in kubernetes environments. 77 MagicMarkK8sMasq int = 0x4000 78 // MagicMarkK8sDrop determines that the traffic should be dropped in 79 // kubernetes environments. 80 MagicMarkK8sDrop int = 0x8000 81 ) 82 83 // getMagicMark returns the magic marker with which each packet must be marked. 84 // The mark is different depending on whether the proxy is injected at ingress 85 // or egress. 86 func GetMagicProxyMark(isIngress bool, identity int) int { 87 var mark int 88 89 if isIngress { 90 mark = MagicMarkIngress 91 } else { 92 mark = MagicMarkEgress 93 } 94 95 if identity != 0 { 96 mark |= (identity >> 16) & 0xFF 97 mark |= (identity & 0xFFFF) << 16 98 } 99 100 return mark 101 }