linux_defaults

const (
	// RouteTableIPSec is the default table ID to use for IPSec routing rules
	RouteTableIPSec = 200

	// RouteTableWireguard is the default table ID to use for WireGuard routing
	// rules
	RouteTableWireguard = 201

	// RouteTableVtep is the default table ID to use for VTEP routing rules
	RouteTableVtep = 202

	// RouteTableToProxy is the default table ID to use routing rules to the proxy.
	RouteTableToProxy = 2004

	// RouteTableFromProxy is the default table ID to use routing rules from the proxy.
	RouteTableFromProxy = 2005

	// RouteTableInterfacesOffset is the offset for the per-ENI routing tables.
	// Each ENI interface will have its own table starting with this offset. It
	// is 10 because it is highly unlikely to collide with the main routing
	// table which is between 253-255. See ip-route(8).
	RouteTableInterfacesOffset = 10

	// RouteMarkDecrypt is the default route mark to use to indicate datapath
	// needs to decrypt a packet.
	RouteMarkDecrypt = 0x0D00

	// RouteMarkEncrypt is the default route mark to use to indicate datapath
	// needs to encrypt a packet.
	RouteMarkEncrypt = 0x0E00

	// RouteMarkMask is the mask required for the route mark value
	RouteMarkMask = 0xF00

	// OutputMarkMask is the mask to use in output-mark of XFRM states. It is
	// used to clear the node ID and the SPI from the packet mark.
	OutputMarkMask = 0xFFFFFF00

	// RouteMarkToProxy is the default route mark to use to indicate
	// datapath needs to send the packet to the proxy.
	//
	// Specifically, this is used in the L7 ingress policy tunneling case
	// where after decryption, the packet is rerouted back into
	// `cilium_host` with said mark to indicate the destination as the
	// proxy.
	RouteMarkToProxy = MagicMarkIsToProxy

	// MarkMultinodeNodeport is used for AWS ENI to mark traffic from
	// another node, so that it gets routed back through the relevant
	// interface.
	MarkMultinodeNodeport = 0x80

	// MaskMultinodeNodeport is the mask associated with the
	// RouterMarkNodePort
	MaskMultinodeNodeport = 0x80

	// RTProto is the protocol we install our fib rules and routes with. Use the
	// kernel proto to make sure systemd-networkd doesn't interfere with these
	// rules (see networkd config directive ManageForeignRoutingPolicyRules, set
	// to 'yes' by default).
	RTProto = unix.RTPROT_KERNEL

	// RulePriorityWireguard is the priority of the rule used for routing packets to WireGuard device for encryption
	RulePriorityWireguard = 1

	// RulePriorityToProxyIngress is the priority of the routing rule installed by
	// the proxy package for redirecting inbound packets to the proxy.
	RulePriorityToProxyIngress = 9

	// RulePriorityFromProxyIngress is the priority of the routing rule installed by
	// the proxy package for redirecting inbound packets from the proxy.
	RulePriorityFromProxyIngress = 10

	// RulePriorityIngress is the priority of the rule used for ingress routing
	// of endpoints. This priority is after encryption and proxy rules, and
	// before the local table priority.
	RulePriorityIngress = 20

	// RulePriorityLocalLookup is the priority for the local lookup rule which is
	// moved on init from 0
	RulePriorityLocalLookup = 100

	// RulePriorityEgress is the priority of the rule used for egress routing
	// of endpoints. This priority is after the local table priority.
	RulePriorityEgress = 110

	// RulePriorityEgress is the v2 of the priority of the rule used for egress
	// routing of endpoints. This priority is after the local table priority.
	//
	// Because of https://github.com/cilium/cilium/issues/14336, we must use a
	// new priority value to disambiguate which rules are still under the old
	// scheme.
	RulePriorityEgressv2 = 111

	// RulePriorityNodeport is the priority of the rule used with AWS ENI to
	// make sure that lookups for multi-node NodePort traffic are NOT done
	// from the table for the VPC to which the endpoint's CIDR is
	// associated, but from the main routing table instead.
	// This priority is before the egress priority.
	RulePriorityNodeport = RulePriorityEgress - 1

	// RulePriorityVtep is the priority of the rule used for routing packets to VTEP device
	RulePriorityVtep = 112

	// IPSec offset value for node rules
	IPsecMaxKeyVersion = 15

	// IPsecMarkMaskNodeID is the mask used for the node ID.
	IPsecMarkMaskNodeID = 0xFFFF0000

	// IPsecMarkBitMask is the mask used for the encrypt and decrypt bits.
	IPsecMarkBitMask = 0x0F00

	// IPsecOldMarkMaskOut is the mask that was previously used. It can be
	// removed in Cilium v1.15.
	IPsecOldMarkMaskOut = 0xFF00

	// IPsecMarkMask is the mask required for the IPsec SPI, node ID, and encrypt/decrypt bits
	IPsecMarkMaskOut = IPsecOldMarkMaskOut | IPsecMarkMaskNodeID

	// IPsecMarkMaskIn is the mask required for the IPsec node ID and encrypt/decrypt bits
	IPsecMarkMaskIn = IPsecMarkBitMask | IPsecMarkMaskNodeID

	// IPsecFwdPriority is the priority of the fwd rules placed by IPsec
	IPsecFwdPriority = 0x0B9F

	// IPsecXFRMMarkSPIShift defines how many bits the SPI is shifted when
	// encoded in a XfrmMark
	IPsecXFRMMarkSPIShift = 12
)

const (
	// MagicMarkHostMask can be used to fetch the host/proxy-relevant magic
	// bits from a mark.
	MagicMarkHostMask int = 0x0F00
	// MagicMarkProxyMask can be used to fetch the proxy-relevant magic
	// bits from a mark.
	MagicMarkProxyMask int = 0x0E00
	// MagicMarkProxyNoIDMask can be used to fetch the proxy-relevant magic
	// bits from a mark for proxy reply traffic.
	MagicMarkProxyNoIDMask int = 0xFFFFFEFF
	// MagicMarkIsProxyEPID can be used in conjunction with
	// MagicMarkProxyMask to determine whether the mark is indicating that
	// traffic is sourced from a proxy prior to endpoint policy enforcement.
	MagicMarkIsProxyEPID int = 0x0800
	// MagicMarkIsProxy can be used in conjunction with MagicMarkProxyMask
	// to determine whether the mark is indicating that traffic is sourced
	// from a proxy.
	MagicMarkIsProxy int = 0x0A00
	// MagicMarkIsToProxy can be used in conjunction with MagicMarkHostMask
	// to determine whether the mark is indicating that traffic is destined
	// to a proxy.
	MagicMarkIsToProxy uint32 = 0x0200

	MagicMarkSNATDone int = 0x0300

	// MagicMarkOverlay is set by the to-overlay program, and can be used
	// to identify cilium-managed overlay traffic.
	MagicMarkOverlay int = 0x0400

	// MagicMarkProxyEgressEPID determines that the traffic is sourced from
	// the proxy which is capturing traffic before it is subject to egress
	// policy enforcement that must be done after the proxy. The identity
	// stored in the mark is source Endpoint ID.
	//
	// Note that this is not used from Go code, but is included here to
	// document this pattern. This must match the definition of
	// MARK_MAGIC_PROXY_EGRESS_EPID in the datapath, and the Envoy code in
	// cilium/proxy/cilium/bpf_metadata.cc
	MagicMarkProxyEgressEPID int = 0x0900

	// MagicMarkIngress determines that the traffic is sourced from the
	// proxy which is applying Ingress policy
	MagicMarkIngress int = 0x0A00
	// MagicMarkEgress determines that the traffic is sourced from the
	// proxy which is applying Egress policy
	MagicMarkEgress int = 0x0B00

	// MagicMarkHost determines that the traffic is sourced from the local
	// host and not from a proxy.
	MagicMarkHost int = 0x0C00

	// MagicMarkIdentity determines that the traffic carries a security
	// identity in the skb->mark
	MagicMarkIdentity int = 0x0F00

	// MagicMarkK8sMasq determines that the traffic should be masqueraded
	// by kube-proxy in kubernetes environments.
	MagicMarkK8sMasq int = 0x4000
	// MagicMarkK8sDrop determines that the traffic should be dropped in
	// kubernetes environments.
	MagicMarkK8sDrop int = 0x8000

	// MagicMarkWireGuardEncrypted is set by the WireGuard tunnel device
	// in order to indicate that a packet has been encrypted, and that there
	// is no need to forward it again to the WG tunnel netdev.
	//
	// The mark invades the K8s mark space described above. This is because
	// some packets might carry a security identity which is indicated with
	// MagicMarkIdentity which takes all 4 bits. The LSB bit which we take
	// from the K8s space is not used, so this is fine). I.e., the LSB bit is
	// 0x1000, and the K8s marks are 0x4000 and 0x8000. So both are not
	// interfering with that bit.
	MagicMarkWireGuardEncrypted int = 0x1E00
)