Protocol Documentation

Table of Contents

Top

flow/flow.proto

AgentEvent

Field

Type

Label

Description

type

AgentEventType

unknown

AgentEventUnknown

agent_start

TimeNotification

policy_update

PolicyUpdateNotification

used for POLICY_UPDATED and POLICY_DELETED

endpoint_regenerate

EndpointRegenNotification

used for ENDPOINT_REGENERATE_SUCCESS and ENDPOINT_REGENERATE_FAILURE

endpoint_update

EndpointUpdateNotification

used for ENDPOINT_CREATED and ENDPOINT_DELETED

ipcache_update

IPCacheNotification

used for IPCACHE_UPSERTED and IPCACHE_DELETED

service_upsert

ServiceUpsertNotification

service_delete

ServiceDeleteNotification

AgentEventUnknown

Field

Type

Label

Description

type

string

notification

string

CiliumEventType

CiliumEventType from which the flow originated.

Field

Type

Label

Description

type

int32

type of event the flow originated from, i.e. github.com/cilium/cilium/pkg/monitor/api.MessageType*

sub_type

int32

sub_type may indicate more details depending on type, e.g. - github.com/cilium/cilium/pkg/monitor/api.Trace* - github.com/cilium/cilium/pkg/monitor/api.Drop* - github.com/cilium/cilium/pkg/monitor/api.DbgCapture*

DNS

DNS flow. This is basically directly mapped from Cilium’s LogRecordDNS:

Field

Type

Label

Description

query

string

DNS name that’s being looked up: e.g. “isovalent.com.”

ips

string

repeated

List of IP addresses in the DNS response.

ttl

uint32

TTL in the DNS response.

cnames

string

repeated

List of CNames in the DNS response.

observation_source

string

Corresponds to DNSDataSource defined in: https://github.com/cilium/cilium/blob/04f3889d627774f79e56d14ddbc165b3169e2d01/pkg/proxy/accesslog/record.go#L253

rcode

uint32

Return code of the DNS request defined in: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6

qtypes

string

repeated

String representation of qtypes defined in: https://tools.ietf.org/html/rfc1035#section-3.2.3

rrtypes

string

repeated

String representation of rrtypes defined in: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4

DebugEvent

Field

Type

Label

Description

type

DebugEventType

source

Endpoint

hash

google.protobuf.UInt32Value

arg1

google.protobuf.UInt32Value

arg2

google.protobuf.UInt32Value

arg3

google.protobuf.UInt32Value

message

string

cpu

google.protobuf.Int32Value

Endpoint

Field

Type

Label

Description

ID

uint32

identity

uint32

cluster_name

string

namespace

string

labels

string

repeated

labels in foo=bar format.

pod_name

string

workloads

Workload

repeated

EndpointRegenNotification

Field

Type

Label

Description

id

uint64

labels

string

repeated

error

string

EndpointUpdateNotification

Field

Type

Label

Description

id

uint64

labels

string

repeated

error

string

pod_name

string

namespace

string

Ethernet

Field

Type

Label

Description

source

string

destination

string

EventTypeFilter

EventTypeFilter is a filter describing a particular event type.

Field

Type

Label

Description

type

int32

type is the primary flow type as defined by: github.com/cilium/cilium/pkg/monitor/api.MessageType*

match_sub_type

bool

match_sub_type is set to true when matching on the sub_type should be done. This flag is required as 0 is a valid sub_type.

sub_type

int32

sub_type is the secondary type, e.g. - github.com/cilium/cilium/pkg/monitor/api.Trace*

Flow

Field

Type

Label

Description

time

google.protobuf.Timestamp

uuid

string

uuid is a universally unique identifier for this flow.

verdict

Verdict

drop_reason

uint32

Deprecated. only applicable to Verdict = DROPPED. deprecated in favor of drop_reason_desc.

auth_type

AuthType

auth_type is the authentication type specified for the flow in Cilium Network Policy. Only set on policy verdict events.

ethernet

Ethernet

l2

IP

IP

l3

l4

Layer4

l4

source

Endpoint

destination

Endpoint

Type

FlowType

node_name

string

NodeName is the name of the node from which this Flow was captured.

node_labels

string

repeated

node labels in foo=bar format.

source_names

string

repeated

all names the source IP can have.

destination_names

string

repeated

all names the destination IP can have.

l7

Layer7

L7 information. This field is set if and only if FlowType is L7.

reply

bool

Deprecated. Deprecated. This suffers from false negatives due to protobuf not being able to distinguish between the value being false or it being absent. Please use is_reply instead.

event_type

CiliumEventType

EventType of the originating Cilium event

source_service

Service

source_service contains the service name of the source

destination_service

Service

destination_service contains the service name of the destination

traffic_direction

TrafficDirection

traffic_direction of the connection, e.g. ingress or egress

policy_match_type

uint32

policy_match_type is only applicable to the cilium event type PolicyVerdict https://github.com/cilium/cilium/blob/e831859b5cc336c6d964a6d35bbd34d1840e21b9/pkg/monitor/datapath_policy.go#L50

trace_observation_point

TraceObservationPoint

Only applicable to cilium trace notifications, blank for other types.

trace_reason

TraceReason

Cilium datapath trace reason info.

drop_reason_desc

DropReason

only applicable to Verdict = DROPPED.

is_reply

google.protobuf.BoolValue

is_reply indicates that this was a packet (L4) or message (L7) in the reply direction. May be absent (in which case it is unknown whether it is a reply or not).

debug_capture_point

DebugCapturePoint

Only applicable to cilium debug capture events, blank for other types

interface

NetworkInterface

interface is the network interface on which this flow was observed

proxy_port

uint32

proxy_port indicates the port of the proxy to which the flow was forwarded

trace_context

TraceContext

trace_context contains information about a trace related to the flow, if any.

sock_xlate_point

SocketTranslationPoint

sock_xlate_point is the socket translation point. Only applicable to TraceSock notifications, blank for other types

socket_cookie

uint64

socket_cookie is the Linux kernel socket cookie for this flow. Only applicable to TraceSock notifications, zero for other types

cgroup_id

uint64

cgroup_id of the process which emitted this event. Only applicable to TraceSock notifications, zero for other types

Summary

string

Deprecated. This is a temporary workaround to support summary field for pb.Flow without duplicating logic from the old parser. This field will be removed once we fully migrate to the new parser.

extensions

google.protobuf.Any

extensions can be used to add arbitrary additional metadata to flows. This can be used to extend functionality for other Hubble compatible APIs, or experiment with new functionality without needing to change the public API.

egress_allowed_by

Policy

repeated

The CiliumNetworkPolicies allowing the egress of the flow.

ingress_allowed_by

Policy

repeated

The CiliumNetworkPolicies allowing the ingress of the flow.

egress_denied_by

Policy

repeated

The CiliumNetworkPolicies denying the egress of the flow.

ingress_denied_by

Policy

repeated

The CiliumNetworkPolicies denying the ingress of the flow.

FlowFilter

FlowFilter represent an individual flow filter. All fields are optional. If multiple fields are set, then all fields must match for the filter to match.

Field

Type

Label

Description

uuid

string

repeated

uuid filters by a list of flow uuids.

source_ip

string

repeated

source_ip filters by a list of source ips. Each of the source ips can be specified as an exact match (e.g. “1.1.1.1”) or as a CIDR range (e.g. “1.1.1.0/24”).

source_ip_xlated

string

repeated

source_ip_xlated filters by a list IPs. Each of the IPs can be specified as an exact match (e.g. “1.1.1.1”) or as a CIDR range (e.g. “1.1.1.0/24”).

source_pod

string

repeated

source_pod filters by a list of source pod name prefixes, optionally within a given namespace (e.g. “xwing”, “kube-system/coredns-“). The pod name can be omitted to only filter by namespace (e.g. “kube-system/”) or the namespace can be omitted to filter for pods in any namespace (e.g. “/xwing”)

source_fqdn

string

repeated

source_fqdn filters by a list of source fully qualified domain names

source_label

string

repeated

source_labels filters on a list of source label selectors. Selectors support the full Kubernetes label selector syntax.

source_service

string

repeated

source_service filters on a list of source service names. This field supports the same syntax as the source_pod field.

source_workload

Workload

repeated

source_workload filters by a list of source workload.

destination_ip

string

repeated

destination_ip filters by a list of destination ips. Each of the destination ips can be specified as an exact match (e.g. “1.1.1.1”) or as a CIDR range (e.g. “1.1.1.0/24”).

destination_pod

string

repeated

destination_pod filters by a list of destination pod names

destination_fqdn

string

repeated

destination_fqdn filters by a list of destination fully qualified domain names

destination_label

string

repeated

destination_label filters on a list of destination label selectors

destination_service

string

repeated

destination_service filters on a list of destination service names

destination_workload

Workload

repeated

destination_workload filters by a list of destination workload.

traffic_direction

TrafficDirection

repeated

traffic_direction filters flow by direction of the connection, e.g. ingress or egress.

verdict

Verdict

repeated

only return Flows that were classified with a particular verdict.

drop_reason_desc

DropReason

repeated

only applicable to Verdict = DROPPED (e.g. “POLICY_DENIED”, “UNSUPPORTED_L3_PROTOCOL”)

interface

NetworkInterface

repeated

interface is the network interface on which this flow was observed.

event_type

EventTypeFilter

repeated

event_type is the list of event types to filter on

http_status_code

string

repeated

http_status_code is a list of string prefixes (e.g. “4+”, “404”, “5+”) to filter on the HTTP status code

protocol

string

repeated

protocol filters flows by L4 or L7 protocol, e.g. (e.g. “tcp”, “http”)

source_port

string

repeated

source_port filters flows by L4 source port

destination_port

string

repeated

destination_port filters flows by L4 destination port

reply

bool

repeated

reply filters flows based on the direction of the flow.

dns_query

string

repeated

dns_query filters L7 DNS flows by query patterns (RE2 regex), e.g. ‘kube.*local’.

source_identity

uint32

repeated

source_identity filters by the security identity of the source endpoint.

destination_identity

uint32

repeated

destination_identity filters by the security identity of the destination endpoint.

http_method

string

repeated

GET, POST, PUT, etc. methods. This type of field is well suited for an enum but every single existing place is using a string already.

http_path

string

repeated

http_path is a list of regular expressions to filter on the HTTP path.

http_url

string

repeated

http_url is a list of regular expressions to filter on the HTTP URL.

http_header

HTTPHeader

repeated

http_header is a list of key:value pairs to filter on the HTTP headers.

tcp_flags

TCPFlags

repeated

tcp_flags filters flows based on TCP header flags

node_name

string

repeated

node_name is a list of patterns to filter on the node name, e.g. “k8s*”, “test-cluster/*.domain.com”, “cluster-name/” etc.

node_labels

string

repeated

node_labels filters on a list of node label selectors. Selectors support the full Kubernetes label selector syntax.

ip_version

IPVersion

repeated

filter based on IP version (ipv4 or ipv6)

trace_id

string

repeated

trace_id filters flows by trace ID

experimental

FlowFilter.Experimental

experimental contains filters that are not stable yet. Support for experimental features is always optional and subject to change.

FlowFilter.Experimental

Experimental contains filters that are not stable yet. Support for experimental features is always optional and subject to change.

Field

Type

Label

Description

cel_expression

string

repeated

cel_expression takes a common expression language (CEL) expression returning a boolean to determine if the filter matched or not. You can use the _flow variable to access fields on the flow using the flow.Flow protobuf field names. See https://github.com/google/cel-spec/blob/v0.14.0/doc/intro.md#introduction for more details on CEL and accessing the protobuf fields in CEL. Using CEL has performance cost compared to other filters, so prefer using non-CEL filters when possible, and try to specify CEL filters last in the list of FlowFilters.

HTTP

L7 information for HTTP flows. It corresponds to Cilium’s accesslog.LogRecordHTTP type.

Field

Type

Label

Description

code

uint32

method

string

url

string

protocol

string

headers

HTTPHeader

repeated

HTTPHeader

Field

Type

Label

Description

key

string

value

string

ICMPv4

Field

Type

Label

Description

type

uint32

code

uint32

ICMPv6

Field

Type

Label

Description

type

uint32

code

uint32

IP

Field

Type

Label

Description

source

string

source_xlated

string

source_xlated is the post translation source IP when the flow was SNATed (and in that case source is the the original source IP).

destination

string

ipVersion

IPVersion

encrypted

bool

This field indicates whether the TraceReasonEncryptMask is set or not. https://github.com/cilium/cilium/blob/ba0ed147bd5bb342f67b1794c2ad13c6e99d5236/pkg/monitor/datapath_trace.go#L27

IPCacheNotification

Field

Type

Label

Description

cidr

string

identity

uint32

old_identity

google.protobuf.UInt32Value

host_ip

string

old_host_ip

string

encrypt_key

uint32

namespace

string

pod_name

string

Kafka

L7 information for Kafka flows. It corresponds to Cilium’s accesslog.LogRecordKafka type.

Field

Type

Label

Description

error_code

int32

api_version

int32

api_key

string

correlation_id

int32

topic

string

Layer4

Field

Type

Label

Description

TCP

TCP

UDP

UDP

ICMPv4

ICMPv4

ICMP is technically not L4, but mutually exclusive with the above

ICMPv6

ICMPv6

SCTP

SCTP

Layer7

Message for L7 flow, which roughly corresponds to Cilium’s accesslog LogRecord:

Field

Type

Label

Description

type

L7FlowType

latency_ns

uint64

Latency of the response

dns

DNS

http

HTTP

kafka

Kafka

LostEvent

LostEvent is a message which notifies consumers about a loss of events that happened before the events were captured by Hubble.

Field

Type

Label

Description

source

LostEventSource

source is the location where events got lost.

num_events_lost

uint64

num_events_lost is the number of events that haven been lost at source.

cpu

google.protobuf.Int32Value

cpu on which the event was lost if the source of lost events is PERF_EVENT_RING_BUFFER.

NetworkInterface

Field

Type

Label

Description

index

uint32

name

string

Policy

Field

Type

Label

Description

name

string

namespace

string

labels

string

repeated

revision

uint64

PolicyUpdateNotification

Field

Type

Label

Description

labels

string

repeated

revision

uint64

rule_count

int64

SCTP

Field

Type

Label

Description

source_port

uint32

destination_port

uint32

Service

Field

Type

Label

Description

name

string

namespace

string

ServiceDeleteNotification

Field

Type

Label

Description

id

uint32

ServiceUpsertNotification

Field

Type

Label

Description

id

uint32

frontend_address

ServiceUpsertNotificationAddr

backend_addresses

ServiceUpsertNotificationAddr

repeated

type

string

traffic_policy

string

Deprecated.

name

string

namespace

string

ext_traffic_policy

string

int_traffic_policy

string

ServiceUpsertNotificationAddr

Field

Type

Label

Description

ip

string

port

uint32

TCP

Field

Type

Label

Description

source_port

uint32

destination_port

uint32

flags

TCPFlags

TCPFlags

Field

Type

Label

Description

FIN

bool

SYN

bool

RST

bool

PSH

bool

ACK

bool

URG

bool

ECE

bool

CWR

bool

NS

bool

TimeNotification

Field

Type

Label

Description

time

google.protobuf.Timestamp

TraceContext

TraceContext contains trace context propagation data, i.e. information about a distributed trace. For more information about trace context, check the W3C Trace Context specification.

Field

Type

Label

Description

parent

TraceParent

parent identifies the incoming request in a tracing system.

TraceParent

TraceParent identifies the incoming request in a tracing system.

Field

Type

Label

Description

trace_id

string

trace_id is a unique value that identifies a trace. It is a byte array represented as a hex string.

UDP

Field

Type

Label

Description

source_port

uint32

destination_port

uint32

Workload

Field

Type

Label

Description

name

string

kind

string

AgentEventType

AgentEventType is the type of agent event. These values are shared with type AgentNotification in pkg/monitor/api/types.go.

Name

Number

Description

AGENT_EVENT_UNKNOWN

0

AGENT_STARTED

2

POLICY_UPDATED

3

POLICY_DELETED

4

ENDPOINT_REGENERATE_SUCCESS

5

ENDPOINT_REGENERATE_FAILURE

6

ENDPOINT_CREATED

7

ENDPOINT_DELETED

8

IPCACHE_UPSERTED

9

IPCACHE_DELETED

10

SERVICE_UPSERTED

11

SERVICE_DELETED

12

AuthType

These types correspond to definitions in pkg/policy/l4.go.

Name

Number

Description

DISABLED

0

SPIRE

1

TEST_ALWAYS_FAIL

2

DebugCapturePoint

These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.

Name

Number

Description

DBG_CAPTURE_POINT_UNKNOWN

0

DBG_CAPTURE_DELIVERY

4

DBG_CAPTURE_FROM_LB

5

DBG_CAPTURE_AFTER_V46

6

DBG_CAPTURE_AFTER_V64

7

DBG_CAPTURE_PROXY_PRE

8

DBG_CAPTURE_PROXY_POST

9

DBG_CAPTURE_SNAT_PRE

10

DBG_CAPTURE_SNAT_POST

11

DebugEventType

These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.

Name

Number

Description

DBG_EVENT_UNKNOWN

0

DBG_GENERIC

1

DBG_LOCAL_DELIVERY

2

DBG_ENCAP

3

DBG_LXC_FOUND

4

DBG_POLICY_DENIED

5

DBG_CT_LOOKUP

6

DBG_CT_LOOKUP_REV

7

DBG_CT_MATCH

8

DBG_CT_CREATED

9

DBG_CT_CREATED2

10

DBG_ICMP6_HANDLE

11

DBG_ICMP6_REQUEST

12

DBG_ICMP6_NS

13

DBG_ICMP6_TIME_EXCEEDED

14

DBG_CT_VERDICT

15

DBG_DECAP

16

DBG_PORT_MAP

17

DBG_ERROR_RET

18

DBG_TO_HOST

19

DBG_TO_STACK

20

DBG_PKT_HASH

21

DBG_LB6_LOOKUP_FRONTEND

22

DBG_LB6_LOOKUP_FRONTEND_FAIL

23

DBG_LB6_LOOKUP_BACKEND_SLOT

24

DBG_LB6_LOOKUP_BACKEND_SLOT_SUCCESS

25

DBG_LB6_LOOKUP_BACKEND_SLOT_V2_FAIL

26

DBG_LB6_LOOKUP_BACKEND_FAIL

27

DBG_LB6_REVERSE_NAT_LOOKUP

28

DBG_LB6_REVERSE_NAT

29

DBG_LB4_LOOKUP_FRONTEND

30

DBG_LB4_LOOKUP_FRONTEND_FAIL

31

DBG_LB4_LOOKUP_BACKEND_SLOT

32

DBG_LB4_LOOKUP_BACKEND_SLOT_SUCCESS

33

DBG_LB4_LOOKUP_BACKEND_SLOT_V2_FAIL

34

DBG_LB4_LOOKUP_BACKEND_FAIL

35

DBG_LB4_REVERSE_NAT_LOOKUP

36

DBG_LB4_REVERSE_NAT

37

DBG_LB4_LOOPBACK_SNAT

38

DBG_LB4_LOOPBACK_SNAT_REV

39

DBG_CT_LOOKUP4

40

DBG_RR_BACKEND_SLOT_SEL

41

DBG_REV_PROXY_LOOKUP

42

DBG_REV_PROXY_FOUND

43

DBG_REV_PROXY_UPDATE

44

DBG_L4_POLICY

45

DBG_NETDEV_IN_CLUSTER

46

DBG_NETDEV_ENCAP4

47

DBG_CT_LOOKUP4_1

48

DBG_CT_LOOKUP4_2

49

DBG_CT_CREATED4

50

DBG_CT_LOOKUP6_1

51

DBG_CT_LOOKUP6_2

52

DBG_CT_CREATED6

53

DBG_SKIP_PROXY

54

DBG_L4_CREATE

55

DBG_IP_ID_MAP_FAILED4

56

DBG_IP_ID_MAP_FAILED6

57

DBG_IP_ID_MAP_SUCCEED4

58

DBG_IP_ID_MAP_SUCCEED6

59

DBG_LB_STALE_CT

60

DBG_INHERIT_IDENTITY

61

DBG_SK_LOOKUP4

62

DBG_SK_LOOKUP6

63

DBG_SK_ASSIGN

64

DBG_L7_LB

65

DBG_SKIP_POLICY

66

DropReason

These values are shared with pkg/monitor/api/drop.go and bpf/lib/common.h. Note that non-drop reasons (i.e. values less than api.DropMin) are not used here.

Name

Number

Description

DROP_REASON_UNKNOWN

0

non-drop reasons

INVALID_SOURCE_MAC

130

drop reasons

INVALID_DESTINATION_MAC

131

INVALID_SOURCE_IP

132

POLICY_DENIED

133

INVALID_PACKET_DROPPED

134

CT_TRUNCATED_OR_INVALID_HEADER

135

CT_MISSING_TCP_ACK_FLAG

136

CT_UNKNOWN_L4_PROTOCOL

137

CT_CANNOT_CREATE_ENTRY_FROM_PACKET

138

UNSUPPORTED_L3_PROTOCOL

139

MISSED_TAIL_CALL

140

ERROR_WRITING_TO_PACKET

141

UNKNOWN_L4_PROTOCOL

142

UNKNOWN_ICMPV4_CODE

143

UNKNOWN_ICMPV4_TYPE

144

UNKNOWN_ICMPV6_CODE

145

UNKNOWN_ICMPV6_TYPE

146

ERROR_RETRIEVING_TUNNEL_KEY

147

ERROR_RETRIEVING_TUNNEL_OPTIONS

148

INVALID_GENEVE_OPTION

149

UNKNOWN_L3_TARGET_ADDRESS

150

STALE_OR_UNROUTABLE_IP

151

NO_MATCHING_LOCAL_CONTAINER_FOUND

152

ERROR_WHILE_CORRECTING_L3_CHECKSUM

153

ERROR_WHILE_CORRECTING_L4_CHECKSUM

154

CT_MAP_INSERTION_FAILED

155

INVALID_IPV6_EXTENSION_HEADER

156

IP_FRAGMENTATION_NOT_SUPPORTED

157

SERVICE_BACKEND_NOT_FOUND

158

NO_TUNNEL_OR_ENCAPSULATION_ENDPOINT

160

FAILED_TO_INSERT_INTO_PROXYMAP

161

REACHED_EDT_RATE_LIMITING_DROP_HORIZON

162

UNKNOWN_CONNECTION_TRACKING_STATE

163

LOCAL_HOST_IS_UNREACHABLE

164

NO_CONFIGURATION_AVAILABLE_TO_PERFORM_POLICY_DECISION

165

UNSUPPORTED_L2_PROTOCOL

166

NO_MAPPING_FOR_NAT_MASQUERADE

167

UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE

168

FIB_LOOKUP_FAILED

169

ENCAPSULATION_TRAFFIC_IS_PROHIBITED

170

INVALID_IDENTITY

171

UNKNOWN_SENDER

172

NAT_NOT_NEEDED

173

IS_A_CLUSTERIP

174

FIRST_LOGICAL_DATAGRAM_FRAGMENT_NOT_FOUND

175

FORBIDDEN_ICMPV6_MESSAGE

176

DENIED_BY_LB_SRC_RANGE_CHECK

177

SOCKET_LOOKUP_FAILED

178

SOCKET_ASSIGN_FAILED

179

PROXY_REDIRECTION_NOT_SUPPORTED_FOR_PROTOCOL

180

POLICY_DENY

181

VLAN_FILTERED

182

INVALID_VNI

183

INVALID_TC_BUFFER

184

NO_SID

185

MISSING_SRV6_STATE

186

NAT46

187

NAT64

188

AUTH_REQUIRED

189

CT_NO_MAP_FOUND

190

SNAT_NO_MAP_FOUND

191

INVALID_CLUSTER_ID

192

UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP

193

NO_EGRESS_GATEWAY

194

UNENCRYPTED_TRAFFIC

195

TTL_EXCEEDED

196

NO_NODE_ID

197

DROP_RATE_LIMITED

198

IGMP_HANDLED

199

IGMP_SUBSCRIBED

200

MULTICAST_HANDLED

201

DROP_HOST_NOT_READY

202

A BPF program wants to tail call into bpf_host, but the host datapath hasn’t been loaded yet.

DROP_EP_NOT_READY

203

A BPF program wants to tail call some endpoint’s policy program in the POLICY_CALL_MAP, but the program is not available.

DROP_NO_EGRESS_IP

204

An Egress Gateway node matched a packet against an Egress Gateway policy that didn’t select a valid Egress IP.

EventType

EventType are constants are based on the ones from <linux/perf_event.h>.

Name

Number

Description

UNKNOWN

0

EventSample

9

EventSample is equivalent to PERF_RECORD_SAMPLE.

RecordLost

2

RecordLost is equivalent to PERF_RECORD_LOST.

FlowType

Name

Number

Description

UNKNOWN_TYPE

0

L3_L4

1

not sure about the underscore here, but L34 also reads strange

L7

2

SOCK

3

IPVersion

Name

Number

Description

IP_NOT_USED

0

IPv4

1

IPv6

2

L7FlowType

This enum corresponds to Cilium’s L7 accesslog FlowType:

Name

Number

Description

UNKNOWN_L7_TYPE

0

REQUEST

1

RESPONSE

2

SAMPLE

3

LostEventSource

Name

Number

Description

UNKNOWN_LOST_EVENT_SOURCE

0

PERF_EVENT_RING_BUFFER

1

PERF_EVENT_RING_BUFFER indicates that events were dropped in the BPF perf event ring buffer, indicating that userspace agent did not keep up with the events produced by the datapath.

OBSERVER_EVENTS_QUEUE

2

OBSERVER_EVENTS_QUEUE indicates that events were dropped because the Hubble events queue was full, indicating that the Hubble observer did not keep up.

HUBBLE_RING_BUFFER

3

HUBBLE_RING_BUFFER indicates that the event was dropped because it could not be read from Hubble’s ring buffer in time before being overwritten.

SocketTranslationPoint

This mirrors enum xlate_point in bpf/lib/trace_sock.h

Name

Number

Description

SOCK_XLATE_POINT_UNKNOWN

0

SOCK_XLATE_POINT_PRE_DIRECTION_FWD

1

Pre service translation

SOCK_XLATE_POINT_POST_DIRECTION_FWD

2

Post service translation

SOCK_XLATE_POINT_PRE_DIRECTION_REV

3

Pre reverse service translation

SOCK_XLATE_POINT_POST_DIRECTION_REV

4

Post reverse service translation

TraceObservationPoint

Name

Number

Description

UNKNOWN_POINT

0

Cilium treats 0 as TO_LXC, but its’s something we should work to remove. This is intentionally set as unknown, so proto API can guarantee the observation point is always going to be present on trace events.

TO_PROXY

1

TO_PROXY indicates network packets are transmitted towards the l7 proxy.

TO_HOST

2

TO_HOST indicates network packets are transmitted towards the host namespace.

TO_STACK

3

TO_STACK indicates network packets are transmitted towards the Linux kernel network stack on host machine.

TO_OVERLAY

4

TO_OVERLAY indicates network packets are transmitted towards the tunnel device.

TO_ENDPOINT

101

TO_ENDPOINT indicates network packets are transmitted towards endpoints (containers).

FROM_ENDPOINT

5

FROM_ENDPOINT indicates network packets were received from endpoints (containers).

FROM_PROXY

6

FROM_PROXY indicates network packets were received from the l7 proxy.

FROM_HOST

7

FROM_HOST indicates network packets were received from the host namespace.

FROM_STACK

8

FROM_STACK indicates network packets were received from the Linux kernel network stack on host machine.

FROM_OVERLAY

9

FROM_OVERLAY indicates network packets were received from the tunnel device.

FROM_NETWORK

10

FROM_NETWORK indicates network packets were received from native devices.

TO_NETWORK

11

TO_NETWORK indicates network packets are transmitted towards native devices.

TraceReason

Name

Number

Description

TRACE_REASON_UNKNOWN

0

NEW

1

ESTABLISHED

2

REPLY

3

RELATED

4

REOPENED

5

SRV6_ENCAP

6

SRV6_DECAP

7

ENCRYPT_OVERLAY

8

TrafficDirection

Name

Number

Description

TRAFFIC_DIRECTION_UNKNOWN

0

INGRESS

1

EGRESS

2

Verdict

Name

Number

Description

VERDICT_UNKNOWN

0

UNKNOWN is used if there is no verdict for this flow event

FORWARDED

1

FORWARDED is used for flow events where the trace point has forwarded this packet or connection to the next processing entity.

DROPPED

2

DROPPED is used for flow events where the connection or packet has been dropped (e.g. due to a malformed packet, it being rejected by a network policy etc). The exact drop reason may be found in drop_reason_desc.

ERROR

3

ERROR is used for flow events where an error occurred during processing

AUDIT

4

AUDIT is used on policy verdict events in policy audit mode, to denominate flows that would have been dropped by policy if audit mode was turned off

REDIRECTED

5

REDIRECTED is used for flow events which have been redirected to the proxy

TRACED

6

TRACED is used for flow events which have been observed at a trace point, but no particular verdict has been reached yet

TRANSLATED

7

TRANSLATED is used for flow events where an address has been translated

Scalar Value Types

.proto Type

Notes

C++

Java

Python

Go

C#

PHP

Ruby

double

double

double

float

float64

double

float

Float

float

float

float

float

float32

float

float

Float

int32

Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.

int32

int

int

int32

int

integer

Bignum or Fixnum (as required)

int64

Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.

int64

long

int/long

int64

long

integer/string

Bignum

uint32

Uses variable-length encoding.

uint32

int

int/long

uint32

uint

integer

Bignum or Fixnum (as required)

uint64

Uses variable-length encoding.

uint64

long

int/long

uint64

ulong

integer/string

Bignum or Fixnum (as required)

sint32

Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.

int32

int

int

int32

int

integer

Bignum or Fixnum (as required)

sint64

Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.

int64

long

int/long

int64

long

integer/string

Bignum

fixed32

Always four bytes. More efficient than uint32 if values are often greater than 2^28.

uint32

int

int

uint32

uint

integer

Bignum or Fixnum (as required)

fixed64

Always eight bytes. More efficient than uint64 if values are often greater than 2^56.

uint64

long

int/long

uint64

ulong

integer/string

Bignum

sfixed32

Always four bytes.

int32

int

int

int32

int

integer

Bignum or Fixnum (as required)

sfixed64

Always eight bytes.

int64

long

int/long

int64

long

integer/string

Bignum

bool

bool

boolean

boolean

bool

bool

boolean

TrueClass/FalseClass

string

A string must always contain UTF-8 encoded or 7-bit ASCII text.

string

String

str/unicode

string

string

string

String (UTF-8)

bytes

May contain any arbitrary sequence of bytes.

string

ByteString

str

[]byte

ByteString

string

String (ASCII-8BIT)