// github.com/imran-kn/cilium-fork@v1.6.9/pkg/policy/api/l4.go

// Copyright 2016-2019 Authors of Cilium
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package api

// L4Proto is a layer 4 protocol name
type L4Proto string

const (
	// Keep pkg/u8proto up-to-date with any additions here

	// ProtoTCP and ProtoUDP name the two concrete transport protocols.
	ProtoTCP L4Proto = "TCP"
	ProtoUDP L4Proto = "UDP"
	// ProtoAny is the explicit wildcard; PortProtocol.Covers treats it the
	// same as an empty protocol on the receiver.
	ProtoAny L4Proto = "ANY"

	// PortProtocolAny is an untyped string constant, not an L4Proto.
	// NOTE(review): presumably the "port/protocol" form of port 0 with any
	// protocol — confirm against the callers that use it.
	PortProtocolAny = "0/ANY"
)

// PortProtocol specifies an L4 port with an optional transport protocol
type PortProtocol struct {
	// Port is an L4 port number. For now the string will be strictly
	// parsed as a single uint16. In the future, this field may support
	// ranges in the form "1024-2048"
	//
	// Nothing in this type parses or validates the string; Covers compares
	// it by exact string equality.
	Port string `json:"port"`

	// Protocol is the L4 protocol. If omitted or empty, any protocol
	// matches. Accepted values: "TCP", "UDP", ""/"ANY"
	//
	// Matching on ICMP is not supported.
	//
	// +optional
	Protocol L4Proto `json:"protocol,omitempty"`
}

// Covers returns true if the ports and protocol specified in the received
// PortProtocol are equal to or a superset of the ports and protocol in 'other'.
//
// Ports are compared as exact strings, so only the protocol can act as a
// wildcard: an empty or "ANY" protocol on the receiver covers any protocol in
// 'other', but not the other way around.
func (p PortProtocol) Covers(other PortProtocol) bool {
	switch {
	case p.Port != other.Port:
		// Port strings must match byte-for-byte. There is no numeric
		// normalisation here and port "0" is not treated as a wildcard.
		return false
	case p.Protocol == other.Protocol:
		return true
	default:
		// Protocols differ: only a wildcard receiver ("" or ANY) covers
		// 'other'. The comparison is case-sensitive.
		// NOTE(review): presumably protocol values are normalised to upper
		// case before they reach this point — confirm against the callers.
		return p.Protocol == "" || p.Protocol == ProtoAny
	}
}

// PortRule is a list of ports/protocol combinations with optional Layer 7
// rules which must be met.
type PortRule struct {
	// Ports is a list of L4 port/protocol
	//
	// If omitted or empty but RedirectPort is set, then all ports of the
	// endpoint subject to either the ingress or egress rule are being
	// redirected.
	//
	// +optional
	Ports []PortProtocol `json:"ports,omitempty"`

	// Rules is a list of additional port level rules which must be met in
	// order for the PortRule to allow the traffic. If omitted or empty,
	// no layer 7 rules are enforced.
	//
	// +optional
	Rules *L7Rules `json:"rules,omitempty"`
}

// L7Rules is a union of port level rule types. Mixing of different port
// level rule types is disallowed, so exactly one of the following must be set.
// If none are specified, then no additional port level rules are applied.
//
// The type itself does not enforce the "exactly one" constraint.
// NOTE(review): presumably it is checked when the rule is validated — confirm.
type L7Rules struct {
	// HTTP specific rules.
	//
	// +optional
	HTTP []PortRuleHTTP `json:"http,omitempty"`

	// Kafka-specific rules.
	//
	// +optional
	Kafka []PortRuleKafka `json:"kafka,omitempty"`

	// DNS-specific rules.
	//
	// +optional
	DNS []PortRuleDNS `json:"dns,omitempty"`

	// Name of the L7 protocol for which the Key-value pair rules apply
	//
	// +optional
	L7Proto string `json:"l7proto,omitempty"`

	// Key-value pair rules
	//
	// +optional
	L7 []PortRuleL7 `json:"l7,omitempty"`
}

// Len returns the total number of rules inside `L7Rules`.
// Returns 0 if nil.
func (rules *L7Rules) Len() int {
	// A nil receiver is valid and counts as zero rules.
	if rules == nil {
		return 0
	}
	// Only the four rule slices are counted; L7Proto does not contribute.
	total := len(rules.HTTP)
	total += len(rules.Kafka)
	total += len(rules.DNS)
	total += len(rules.L7)
	return total
}

// IsEmpty returns whether the `L7Rules` is nil or all of its rule slices are
// nil.
//
// The test is on nil-ness, not length: a non-nil but zero-length slice makes
// IsEmpty return false even though Len returns 0. L7Proto is not consulted.
// Callers deciding whether layer 7 enforcement applies should be aware that
// the two methods can disagree.
func (rules *L7Rules) IsEmpty() bool {
	if rules == nil {
		return true
	}
	if rules.HTTP != nil || rules.Kafka != nil || rules.DNS != nil || rules.L7 != nil {
		return false
	}
	return true
}