
Source file src/github.com/Microsoft/hcsshim/hcn/hcnpolicy.go

Documentation: github.com/Microsoft/hcsshim/hcn

     1  //go:build windows
     2  
     3  package hcn
     4  
     5  import (
     6  	"encoding/json"
     7  )
     8  
// EndpointPolicyType names the kind of policy carried by an EndpointPolicy.
// The string value is what is serialized into EndpointPolicy.Type, so the
// constants below are wire identifiers, not free-form labels.
type EndpointPolicyType string

// EndpointPolicyType values. A few wire strings differ from their Go
// identifiers (IOV -> "Iov") or are shared with NetworkPolicyType
// (ProviderAddress, InterfaceConstraint, L4Proxy).
const (
	PortMapping   EndpointPolicyType = "PortMapping"
	ACL           EndpointPolicyType = "ACL"
	QOS           EndpointPolicyType = "QOS"
	L2Driver      EndpointPolicyType = "L2Driver"
	OutBoundNAT   EndpointPolicyType = "OutBoundNAT"
	SDNRoute      EndpointPolicyType = "SDNRoute"
	L4Proxy       EndpointPolicyType = "L4Proxy"
	L4WFPPROXY    EndpointPolicyType = "L4WFPPROXY"
	PortName      EndpointPolicyType = "PortName"
	EncapOverhead EndpointPolicyType = "EncapOverhead"
	IOV           EndpointPolicyType = "Iov" // wire value is "Iov", not "IOV"
	// Endpoint and Network have InterfaceConstraint and ProviderAddress
	NetworkProviderAddress     EndpointPolicyType = "ProviderAddress"
	NetworkInterfaceConstraint EndpointPolicyType = "InterfaceConstraint"
	TierAcl                    EndpointPolicyType = "TierAcl"
)
    30  
// EndpointPolicy is a collection of Policy settings for an Endpoint.
//
// Type selects which *PolicySetting struct the Settings payload is expected
// to hold. Settings is kept as raw JSON and is not decoded or validated by
// anything in this file, so the caller is responsible for marshaling the
// setting type that matches Type. The `json:""` tag on Type is equivalent to
// no tag (the field name is used as-is); Settings is dropped from the
// encoding when empty.
type EndpointPolicy struct {
	Type     EndpointPolicyType `json:""`
	Settings json.RawMessage    `json:",omitempty"`
}
    36  
// NetworkPolicyType names the kind of policy carried by a NetworkPolicy.
// As with EndpointPolicyType, the string is the serialized Type value.
type NetworkPolicyType string

// NetworkPolicyType values. NetworkL4Proxy serializes as "L4Proxy", the same
// wire string as the endpoint-level L4Proxy constant; InterfaceConstraint and
// ProviderAddress likewise share their strings with the endpoint constants
// NetworkInterfaceConstraint and NetworkProviderAddress.
const (
	SourceMacAddress    NetworkPolicyType = "SourceMacAddress"
	NetAdapterName      NetworkPolicyType = "NetAdapterName"
	VSwitchExtension    NetworkPolicyType = "VSwitchExtension"
	DrMacAddress        NetworkPolicyType = "DrMacAddress"
	AutomaticDNS        NetworkPolicyType = "AutomaticDNS"
	InterfaceConstraint NetworkPolicyType = "InterfaceConstraint"
	ProviderAddress     NetworkPolicyType = "ProviderAddress"
	RemoteSubnetRoute   NetworkPolicyType = "RemoteSubnetRoute"
	VxlanPort           NetworkPolicyType = "VxlanPort"
	HostRoute           NetworkPolicyType = "HostRoute"
	SetPolicy           NetworkPolicyType = "SetPolicy"
	NetworkL4Proxy      NetworkPolicyType = "L4Proxy"
	LayerConstraint     NetworkPolicyType = "LayerConstraint"
	NetworkACL          NetworkPolicyType = "NetworkACL"
)
    57  
// NetworkPolicy is a collection of Policy settings for a Network.
//
// Same shape as EndpointPolicy: Type is always encoded (the `json:""` tag is
// equivalent to no tag), and Settings is raw JSON that this file neither
// decodes nor validates and that is omitted when empty.
type NetworkPolicy struct {
	Type     NetworkPolicyType `json:""`
	Settings json.RawMessage   `json:",omitempty"`
}
    63  
// SubnetPolicyType names the kind of policy carried by a SubnetPolicy.
type SubnetPolicyType string

// SubnetPolicyType values; VlanPolicySetting and VsidPolicySetting are the
// matching Settings payloads.
const (
	VLAN SubnetPolicyType = "VLAN"
	VSID SubnetPolicyType = "VSID"
)
    72  
// SubnetPolicy is a collection of Policy settings for a Subnet.
//
// Type is always encoded; Settings is raw, unvalidated JSON that is omitted
// when empty, exactly as for EndpointPolicy and NetworkPolicy.
type SubnetPolicy struct {
	Type     SubnetPolicyType `json:""`
	Settings json.RawMessage  `json:",omitempty"`
}
    78  
// NatFlags are flags for portmappings.
//
// The value is encoded as a plain integer. Everywhere it appears in this file
// (PortMappingPolicySetting.Flags, OutboundNatPolicySetting.Flags) the field
// carries `json:",omitempty"`, so NatFlagsNone is never sent.
type NatFlags uint32

// NatFlags values, spelled out explicitly rather than via iota.
const (
	NatFlagsNone           NatFlags = 0
	NatFlagsLocalRoutedVip NatFlags = 1
	NatFlagsIPv6           NatFlags = 2
)
    87  
    88  /// Endpoint Policy objects
    89  
// PortMappingPolicySetting defines Port Mapping (NAT) for an Endpoint.
//
// Every field carries `json:",omitempty"`, so zero values are dropped from
// the encoding rather than sent as 0 or "": a zero Protocol, InternalPort or
// ExternalPort is simply absent. What the consumer substitutes for an absent
// field is not determined here — TODO confirm before relying on, e.g., an
// implicit "any protocol" or an automatically chosen external port.
type PortMappingPolicySetting struct {
	Protocol     uint32   `json:",omitempty"` // IP protocol number, EX: TCP = 6, UDP = 17
	InternalPort uint16   `json:",omitempty"`
	ExternalPort uint16   `json:",omitempty"`
	VIP          string   `json:",omitempty"`
	Flags        NatFlags `json:",omitempty"` // NatFlagsNone (0) is never encoded
}
    98  
// ActionType is the verdict of an ACL rule: Allow, Block or Pass.
type ActionType string

// DirectionType is the traffic direction an ACL rule applies to: In or Out.
type DirectionType string

// RuleType selects the enforcement layer of an ACL rule: Host (WFP) or Switch (VFP).
type RuleType string

const (
	// Allow traffic
	ActionTypeAllow ActionType = "Allow"
	// Block traffic
	ActionTypeBlock ActionType = "Block"
	// Pass traffic (how Pass differs from Allow is not defined in this file)
	ActionTypePass ActionType = "Pass"

	// In is traffic coming to the Endpoint
	DirectionTypeIn DirectionType = "In"
	// Out is traffic leaving the Endpoint
	DirectionTypeOut DirectionType = "Out"

	// Host creates WFP (Windows Filtering Platform) rules
	RuleTypeHost RuleType = "Host"
	// Switch creates VFP (Virtual Filtering Platform) rules
	RuleTypeSwitch RuleType = "Switch"
)
   126  
// AclPolicySetting creates firewall rules on an endpoint.
//
// Action and Direction are tagged `json:","`, which is equivalent to no tag:
// they are always encoded, so leaving either unset produces "" on the wire
// rather than an absent field — set both explicitly. Every other field is
// omitted when zero; in particular a Priority of 0 is dropped, and an empty
// address, port or protocol filter is absent rather than sent as "". An
// absent filter presumably means "match any" — confirm against the consumer
// before relying on it, since that is the permissive interpretation.
type AclPolicySetting struct {
	Protocols       string        `json:",omitempty"` // EX: 6 (TCP), 17 (UDP), 1 (ICMPv4), 58 (ICMPv6), 2 (IGMP)
	Action          ActionType    `json:","`
	Direction       DirectionType `json:","`
	LocalAddresses  string        `json:",omitempty"`
	RemoteAddresses string        `json:",omitempty"`
	LocalPorts      string        `json:",omitempty"`
	RemotePorts     string        `json:",omitempty"`
	RuleType        RuleType      `json:",omitempty"`
	Priority        uint16        `json:",omitempty"`
}
   139  
// QosPolicySetting sets Quality of Service bandwidth caps on an Endpoint.
//
// The single field is untagged, so it is always encoded, including 0. The
// unit beyond "bytes" (presumably per second) is not stated here — confirm.
type QosPolicySetting struct {
	MaximumOutgoingBandwidthInBytes uint64
}
   144  
// OutboundNatPolicySetting sets outbound Network Address Translation on an Endpoint.
//
// Exceptions and Destinations are string lists whose element format is not
// constrained by this type (presumably address prefixes — confirm). Empty
// lists, an empty VirtualIP and NatFlagsNone are all omitted from the
// encoding.
type OutboundNatPolicySetting struct {
	VirtualIP    string   `json:",omitempty"`
	Exceptions   []string `json:",omitempty"`
	Destinations []string `json:",omitempty"`
	Flags        NatFlags `json:",omitempty"`
}
   152  
// SDNRoutePolicySetting sets SDN Route on an Endpoint.
//
// NeedEncap carries `json:",omitempty"` on a bool, so false is never
// encoded; only an explicit true reaches the consumer.
type SDNRoutePolicySetting struct {
	DestinationPrefix string `json:",omitempty"`
	NextHop           string `json:",omitempty"`
	NeedEncap         bool   `json:",omitempty"`
}
   159  
// NetworkACLPolicySetting creates ACL rules on a network.
//
// The field set and tags are identical to AclPolicySetting, and the same
// encoding caveats apply: Action and Direction are always encoded ("" if
// unset), while a zero Priority and empty address/port/protocol filters are
// dropped from the JSON.
type NetworkACLPolicySetting struct {
	Protocols       string        `json:",omitempty"` // EX: 6 (TCP), 17 (UDP), 1 (ICMPv4), 58 (ICMPv6), 2 (IGMP)
	Action          ActionType    `json:","`
	Direction       DirectionType `json:","`
	LocalAddresses  string        `json:",omitempty"`
	RemoteAddresses string        `json:",omitempty"`
	LocalPorts      string        `json:",omitempty"`
	RemotePorts     string        `json:",omitempty"`
	RuleType        RuleType      `json:",omitempty"`
	Priority        uint16        `json:",omitempty"`
}
   172  
// FiveTuple is the match filter nested in L4WfpProxyPolicySetting (as
// FilterTuple) for WFP support. All fields are omitted from the encoding
// when zero, including a Priority of 0.
type FiveTuple struct {
	Protocols       string `json:",omitempty"`
	LocalAddresses  string `json:",omitempty"`
	RemoteAddresses string `json:",omitempty"`
	LocalPorts      string `json:",omitempty"`
	RemotePorts     string `json:",omitempty"`
	Priority        uint16 `json:",omitempty"`
}
   182  
// ProxyExceptions exempts traffic to the listed IP addresses and ports from
// proxying. Both lists are omitted from the encoding when empty; their
// element format is not constrained here.
type ProxyExceptions struct {
	IpAddressExceptions []string `json:",omitempty"`
	PortExceptions      []string `json:",omitempty"`
}
   188  
// L4WfpProxyPolicySetting sets Layer-4 Proxy on an endpoint.
//
// FilterTuple, InboundExceptions and OutboundExceptions are struct values;
// encoding/json's omitempty never omits a struct, so these three are always
// encoded (as objects whose own empty fields are dropped). The proxy ports
// are strings here, unlike the numeric ports in PortMappingPolicySetting.
// UserSID is presumably a Windows security identifier string — confirm with
// the consumer's documentation; nothing in this file validates its format.
type L4WfpProxyPolicySetting struct {
	InboundProxyPort   string          `json:",omitempty"`
	OutboundProxyPort  string          `json:",omitempty"`
	FilterTuple        FiveTuple       `json:",omitempty"` // omitempty has no effect on a struct value
	UserSID            string          `json:",omitempty"`
	InboundExceptions  ProxyExceptions `json:",omitempty"` // always encoded
	OutboundExceptions ProxyExceptions `json:",omitempty"` // always encoded
}
   198  
// PortnameEndpointPolicySetting sets the port name for an endpoint.
// An empty Name is omitted from the encoding.
type PortnameEndpointPolicySetting struct {
	Name string `json:",omitempty"`
}
   203  
// EncapOverheadEndpointPolicySetting sets the encap overhead for an endpoint.
// The unit is not stated here (presumably bytes — confirm); an Overhead of 0
// is omitted from the encoding.
type EncapOverheadEndpointPolicySetting struct {
	Overhead uint16 `json:",omitempty"`
}
   208  
// IovPolicySetting sets the Iov settings for an endpoint.
// Each knob is omitted from the encoding when 0, so a zero value cannot be
// distinguished on the wire from "not specified".
type IovPolicySetting struct {
	IovOffloadWeight    uint32 `json:",omitempty"`
	QueuePairsRequested uint32 `json:",omitempty"`
	InterruptModeration uint32 `json:",omitempty"`
}
   215  
   216  /// Endpoint and Network Policy objects
   217  
// ProviderAddressEndpointPolicySetting sets the PA (provider address) for an
// endpoint. An empty ProviderAddress is omitted from the encoding.
type ProviderAddressEndpointPolicySetting struct {
	ProviderAddress string `json:",omitempty"`
}
   222  
// InterfaceConstraintPolicySetting limits an Endpoint or Network to a specific Nic.
//
// The NIC may be identified by GUID, LUID, index, media type, alias or
// description; zero-valued identifiers are omitted from the encoding. Which
// identifier takes precedence when several are populated is not defined in
// this file.
type InterfaceConstraintPolicySetting struct {
	InterfaceGuid        string `json:",omitempty"`
	InterfaceLuid        uint64 `json:",omitempty"`
	InterfaceIndex       uint32 `json:",omitempty"`
	InterfaceMediaType   uint32 `json:",omitempty"`
	InterfaceAlias       string `json:",omitempty"`
	InterfaceDescription string `json:",omitempty"`
}
   232  
   233  /// Network Policy objects
   234  
// SourceMacAddressNetworkPolicySetting sets the source MAC for a network.
// An empty SourceMacAddress is omitted from the encoding.
type SourceMacAddressNetworkPolicySetting struct {
	SourceMacAddress string `json:",omitempty"`
}
   239  
// NetAdapterNameNetworkPolicySetting sets the network adapter of a network.
// An empty NetworkAdapterName is omitted from the encoding.
type NetAdapterNameNetworkPolicySetting struct {
	NetworkAdapterName string `json:",omitempty"`
}
   244  
// VSwitchExtensionNetworkPolicySetting enables/disables VSwitch extensions for a network.
//
// Enable carries `json:",omitempty"` on a bool, so false is never encoded:
// this struct can only ever express an explicit "enable". An absent Enable
// is left to the consumer's default, which is not defined here.
type VSwitchExtensionNetworkPolicySetting struct {
	ExtensionID string `json:",omitempty"`
	Enable      bool   `json:",omitempty"`
}
   250  
// DrMacAddressNetworkPolicySetting sets the DR (distributed router) MAC for a
// network. An empty Address is omitted from the encoding.
type DrMacAddressNetworkPolicySetting struct {
	Address string `json:",omitempty"`
}
   255  
// AutomaticDNSNetworkPolicySetting enables/disables automatic DNS on a network.
//
// As with VSwitchExtensionNetworkPolicySetting, Enable has omitempty on a
// bool: false is never encoded, so an explicit "disable" cannot be expressed
// through this struct; an absent value falls back to the consumer's default.
type AutomaticDNSNetworkPolicySetting struct {
	Enable bool `json:",omitempty"`
}
   260  
// LayerConstraintNetworkPolicySetting is the Settings payload for the
// LayerConstraint network policy type. An empty LayerId is omitted from the
// encoding.
type LayerConstraintNetworkPolicySetting struct {
	LayerId string `json:",omitempty"`
}
   264  
   265  /// Subnet Policy objects
   266  
// VlanPolicySetting isolates a subnet with VLAN tagging.
// IsolationId is tagged `json:","` (equivalent to no tag), so it is always
// encoded, including 0.
type VlanPolicySetting struct {
	IsolationId uint32 `json:","`
}
   271  
// VsidPolicySetting isolates a subnet with VSID tagging.
// IsolationId is always encoded, including 0. Note it is a uint32 here but
// a uint16 in RemoteSubnetRoutePolicySetting.
type VsidPolicySetting struct {
	IsolationId uint32 `json:","`
}
   276  
// RemoteSubnetRoutePolicySetting creates remote subnet route rules on a network.
//
// No field carries a json tag, so all four are always encoded under their Go
// names, zero values included. IsolationId is a uint16 here, narrower than
// the uint32 used by VlanPolicySetting and VsidPolicySetting.
type RemoteSubnetRoutePolicySetting struct {
	DestinationPrefix           string
	IsolationId                 uint16
	ProviderAddress             string
	DistributedRouterMacAddress string
}
   284  
// SetPolicyType is the kind of set created by a SetPolicy. Value is either
// IPSET or NESTEDIPSET.
type SetPolicyType string

// SetPolicyType values.
const (
	SetPolicyTypeIpSet       SetPolicyType = "IPSET"
	SetPolicyTypeNestedIpSet SetPolicyType = "NESTEDIPSET"
)
   292  
// SetPolicySetting creates IPSets on a network.
//
// Type is renamed to "PolicyType" on the wire; Id, Name and Values are
// untagged and therefore always encoded. Values is a single string whose
// internal format (presumably a delimited list of set members — confirm) is
// not constrained by this type.
type SetPolicySetting struct {
	Id     string
	Name   string
	Type   SetPolicyType `json:"PolicyType"`
	Values string
}
   300  
// VxlanPortPolicySetting configures the port used for VXLAN encapsulation
// (VXLAN is carried over UDP, not TCP as an earlier comment stated). Port is
// untagged and always encoded, including 0.
type VxlanPortPolicySetting struct {
	Port uint16
}
   305  
// ProtocolType associated with L4ProxyPolicy. Values are IP protocol
// numbers, the same numbering used in the examples on the string Protocols
// fields of the ACL settings (6 = TCP, 17 = UDP, ...).
type ProtocolType uint32

// ProtocolType values. ProtocolTypeUnknown is the zero value and is dropped
// by the `json:",omitempty"` tag on L4ProxyPolicySetting.Protocol.
const (
	ProtocolTypeUnknown ProtocolType = 0
	ProtocolTypeICMPv4  ProtocolType = 1
	ProtocolTypeIGMP    ProtocolType = 2
	ProtocolTypeTCP     ProtocolType = 6
	ProtocolTypeUDP     ProtocolType = 17
	ProtocolTypeICMPv6  ProtocolType = 58
)
   317  
// L4ProxyPolicySetting applies proxy policy on network/endpoint.
//
// Destination is untagged and therefore always encoded. Protocol and
// OutboundNAT carry omitempty, so ProtocolTypeUnknown (0) and false are
// never sent — only a non-zero protocol or an explicit true reaches the
// consumer. Port is a string here, unlike the numeric ports in
// PortMappingPolicySetting. Exceptions is omitted when empty.
type L4ProxyPolicySetting struct {
	IP          string       `json:",omitempty"`
	Port        string       `json:",omitempty"`
	Protocol    ProtocolType `json:",omitempty"`
	Exceptions  []string     `json:",omitempty"`
	Destination string
	OutboundNAT bool `json:",omitempty"`
}
   327  
// TierAclRule represents an ACL within TierAclPolicySetting.
//
// Unlike AclPolicySetting there is no Direction here: direction is set once
// on the enclosing TierAclPolicySetting. TierAclRuleAction is tagged
// `json:","` and so is always encoded ("" if unset); every other field,
// including a Priority of 0, is omitted when zero.
type TierAclRule struct {
	Id                string     `json:",omitempty"`
	Protocols         string     `json:",omitempty"`
	TierAclRuleAction ActionType `json:","`
	LocalAddresses    string     `json:",omitempty"`
	RemoteAddresses   string     `json:",omitempty"`
	LocalPorts        string     `json:",omitempty"`
	RemotePorts       string     `json:",omitempty"`
	Priority          uint16     `json:",omitempty"`
}
   339  
// TierAclPolicySetting represents a Tier containing ACLs.
//
// Name and Direction (`json:","`) and Order (`json:""`) are always encoded —
// both tag forms are equivalent to no tag — so an unset Name or Direction
// serializes as "" and an unset Order as 0. TierAclRules is dropped when nil
// or empty. How Order ranks tiers, and how Priority ranks rules within a
// tier, is not defined in this file.
type TierAclPolicySetting struct {
	Name         string        `json:","`
	Direction    DirectionType `json:","`
	Order        uint16        `json:""`
	TierAclRules []TierAclRule `json:",omitempty"`
}
   347  
