Protocol Documentation
Table of Contents
flow/flow.proto
AgentEvent
Field |
Type |
Label |
Description |
---|---|---|---|
type |
|||
unknown |
|||
agent_start |
|||
policy_update |
used for POLICY_UPDATED and POLICY_DELETED |
||
endpoint_regenerate |
used for ENDPOINT_REGENERATE_SUCCESS and ENDPOINT_REGENERATE_FAILURE |
||
endpoint_update |
used for ENDPOINT_CREATED and ENDPOINT_DELETED |
||
ipcache_update |
used for IPCACHE_UPSERTED and IPCACHE_DELETED |
||
service_upsert |
|||
service_delete |
AgentEventUnknown
Field |
Type |
Label |
Description |
---|---|---|---|
type |
|||
notification |
CiliumEventType
CiliumEventType from which the flow originated.
Field |
Type |
Label |
Description |
---|---|---|---|
type |
type of event the flow originated from, i.e. github.com/cilium/cilium/pkg/monitor/api.MessageType* |
||
sub_type |
sub_type may indicate more details depending on type, e.g. - github.com/cilium/cilium/pkg/monitor/api.Trace* - github.com/cilium/cilium/pkg/monitor/api.Drop* - github.com/cilium/cilium/pkg/monitor/api.DbgCapture* |
DNS
DNS flow. This is basically directly mapped from Cilium’s LogRecordDNS:
Field |
Type |
Label |
Description |
---|---|---|---|
query |
DNS name that’s being looked up: e.g. “isovalent.com.” |
||
ips |
repeated |
List of IP addresses in the DNS response. |
|
ttl |
TTL in the DNS response. |
||
cnames |
repeated |
List of CNames in the DNS response. |
|
observation_source |
Corresponds to DNSDataSource defined in: https://github.com/cilium/cilium/blob/04f3889d627774f79e56d14ddbc165b3169e2d01/pkg/proxy/accesslog/record.go#L253 |
||
rcode |
Return code of the DNS request defined in: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 |
||
qtypes |
repeated |
String representation of qtypes defined in: https://tools.ietf.org/html/rfc1035#section-3.2.3 |
|
rrtypes |
repeated |
String representation of rrtypes defined in: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 |
DebugEvent
Field |
Type |
Label |
Description |
---|---|---|---|
type |
|||
source |
|||
hash |
|||
arg1 |
|||
arg2 |
|||
arg3 |
|||
message |
|||
cpu |
Endpoint
Field |
Type |
Label |
Description |
---|---|---|---|
ID |
|||
identity |
|||
cluster_name |
|||
namespace |
|||
labels |
repeated |
labels in |
|
pod_name |
|||
workloads |
repeated |
EndpointRegenNotification
Field |
Type |
Label |
Description |
---|---|---|---|
id |
|||
labels |
repeated |
||
error |
EndpointUpdateNotification
Field |
Type |
Label |
Description |
---|---|---|---|
id |
|||
labels |
repeated |
||
error |
|||
pod_name |
|||
namespace |
Ethernet
Field |
Type |
Label |
Description |
---|---|---|---|
source |
|||
destination |
EventTypeFilter
EventTypeFilter is a filter describing a particular event type.
Field |
Type |
Label |
Description |
---|---|---|---|
type |
type is the primary flow type as defined by: github.com/cilium/cilium/pkg/monitor/api.MessageType* |
||
match_sub_type |
match_sub_type is set to true when matching on the sub_type should be done. This flag is required as 0 is a valid sub_type. |
||
sub_type |
sub_type is the secondary type, e.g. - github.com/cilium/cilium/pkg/monitor/api.Trace* |
Flow
Field |
Type |
Label |
Description |
---|---|---|---|
time |
|||
uuid |
uuid is a universally unique identifier for this flow. |
||
verdict |
|||
drop_reason |
Deprecated. only applicable to Verdict = DROPPED. deprecated in favor of drop_reason_desc. |
||
auth_type |
auth_type is the authentication type specified for the flow in Cilium Network Policy. Only set on policy verdict events. |
||
ethernet |
l2 |
||
IP |
l3 |
||
l4 |
l4 |
||
source |
|||
destination |
|||
Type |
|||
node_name |
NodeName is the name of the node from which this Flow was captured. |
||
node_labels |
repeated |
node labels in |
|
source_names |
repeated |
all names the source IP can have. |
|
destination_names |
repeated |
all names the destination IP can have. |
|
l7 |
L7 information. This field is set if and only if FlowType is L7. |
||
reply |
Deprecated. Deprecated. This suffers from false negatives due to protobuf not being able to distinguish between the value being false or it being absent. Please use is_reply instead. |
||
event_type |
EventType of the originating Cilium event |
||
source_service |
source_service contains the service name of the source |
||
destination_service |
destination_service contains the service name of the destination |
||
traffic_direction |
traffic_direction of the connection, e.g. ingress or egress |
||
policy_match_type |
policy_match_type is only applicable to the cilium event type PolicyVerdict https://github.com/cilium/cilium/blob/e831859b5cc336c6d964a6d35bbd34d1840e21b9/pkg/monitor/datapath_policy.go#L50 |
||
trace_observation_point |
Only applicable to cilium trace notifications, blank for other types. |
||
trace_reason |
Cilium datapath trace reason info. |
||
drop_reason_desc |
only applicable to Verdict = DROPPED. |
||
is_reply |
is_reply indicates that this was a packet (L4) or message (L7) in the reply direction. May be absent (in which case it is unknown whether it is a reply or not). |
||
debug_capture_point |
Only applicable to cilium debug capture events, blank for other types |
||
interface |
interface is the network interface on which this flow was observed |
||
proxy_port |
proxy_port indicates the port of the proxy to which the flow was forwarded |
||
trace_context |
trace_context contains information about a trace related to the flow, if any. |
||
sock_xlate_point |
sock_xlate_point is the socket translation point. Only applicable to TraceSock notifications, blank for other types |
||
socket_cookie |
socket_cookie is the Linux kernel socket cookie for this flow. Only applicable to TraceSock notifications, zero for other types |
||
cgroup_id |
cgroup_id of the process which emitted this event. Only applicable to TraceSock notifications, zero for other types |
||
Summary |
Deprecated. This is a temporary workaround to support summary field for pb.Flow without duplicating logic from the old parser. This field will be removed once we fully migrate to the new parser. |
||
extensions |
extensions can be used to add arbitrary additional metadata to flows. This can be used to extend functionality for other Hubble compatible APIs, or experiment with new functionality without needing to change the public API. |
||
egress_allowed_by |
repeated |
The CiliumNetworkPolicies allowing the egress of the flow. |
|
ingress_allowed_by |
repeated |
The CiliumNetworkPolicies allowing the ingress of the flow. |
|
egress_denied_by |
repeated |
The CiliumNetworkPolicies denying the egress of the flow. |
|
ingress_denied_by |
repeated |
The CiliumNetworkPolicies denying the ingress of the flow. |
FlowFilter
FlowFilter represent an individual flow filter. All fields are optional. If multiple fields are set, then all fields must match for the filter to match.
Field |
Type |
Label |
Description |
---|---|---|---|
uuid |
repeated |
uuid filters by a list of flow uuids. |
|
source_ip |
repeated |
source_ip filters by a list of source ips. Each of the source ips can be specified as an exact match (e.g. “1.1.1.1”) or as a CIDR range (e.g. “1.1.1.0/24”). |
|
source_ip_xlated |
repeated |
source_ip_xlated filters by a list IPs. Each of the IPs can be specified as an exact match (e.g. “1.1.1.1”) or as a CIDR range (e.g. “1.1.1.0/24”). |
|
source_pod |
repeated |
source_pod filters by a list of source pod name prefixes, optionally within a given namespace (e.g. “xwing”, “kube-system/coredns-“). The pod name can be omitted to only filter by namespace (e.g. “kube-system/”) or the namespace can be omitted to filter for pods in any namespace (e.g. “/xwing”) |
|
source_fqdn |
repeated |
source_fqdn filters by a list of source fully qualified domain names |
|
source_label |
repeated |
source_labels filters on a list of source label selectors. Selectors support the full Kubernetes label selector syntax. |
|
source_service |
repeated |
source_service filters on a list of source service names. This field supports the same syntax as the source_pod field. |
|
source_workload |
repeated |
source_workload filters by a list of source workload. |
|
destination_ip |
repeated |
destination_ip filters by a list of destination ips. Each of the destination ips can be specified as an exact match (e.g. “1.1.1.1”) or as a CIDR range (e.g. “1.1.1.0/24”). |
|
destination_pod |
repeated |
destination_pod filters by a list of destination pod names |
|
destination_fqdn |
repeated |
destination_fqdn filters by a list of destination fully qualified domain names |
|
destination_label |
repeated |
destination_label filters on a list of destination label selectors |
|
destination_service |
repeated |
destination_service filters on a list of destination service names |
|
destination_workload |
repeated |
destination_workload filters by a list of destination workload. |
|
traffic_direction |
repeated |
traffic_direction filters flow by direction of the connection, e.g. ingress or egress. |
|
verdict |
repeated |
only return Flows that were classified with a particular verdict. |
|
drop_reason_desc |
repeated |
only applicable to Verdict = DROPPED (e.g. “POLICY_DENIED”, “UNSUPPORTED_L3_PROTOCOL”) |
|
interface |
repeated |
interface is the network interface on which this flow was observed. |
|
event_type |
repeated |
event_type is the list of event types to filter on |
|
http_status_code |
repeated |
http_status_code is a list of string prefixes (e.g. “4+”, “404”, “5+”) to filter on the HTTP status code |
|
protocol |
repeated |
protocol filters flows by L4 or L7 protocol, e.g. (e.g. “tcp”, “http”) |
|
source_port |
repeated |
source_port filters flows by L4 source port |
|
destination_port |
repeated |
destination_port filters flows by L4 destination port |
|
reply |
repeated |
reply filters flows based on the direction of the flow. |
|
dns_query |
repeated |
dns_query filters L7 DNS flows by query patterns (RE2 regex), e.g. ‘kube.*local’. |
|
source_identity |
repeated |
source_identity filters by the security identity of the source endpoint. |
|
destination_identity |
repeated |
destination_identity filters by the security identity of the destination endpoint. |
|
http_method |
repeated |
GET, POST, PUT, etc. methods. This type of field is well suited for an enum but every single existing place is using a string already. |
|
http_path |
repeated |
http_path is a list of regular expressions to filter on the HTTP path. |
|
http_url |
repeated |
http_url is a list of regular expressions to filter on the HTTP URL. |
|
http_header |
repeated |
http_header is a list of key:value pairs to filter on the HTTP headers. |
|
tcp_flags |
repeated |
tcp_flags filters flows based on TCP header flags |
|
node_name |
repeated |
node_name is a list of patterns to filter on the node name, e.g. “k8s*”, “test-cluster/*.domain.com”, “cluster-name/” etc. |
|
node_labels |
repeated |
node_labels filters on a list of node label selectors. Selectors support the full Kubernetes label selector syntax. |
|
ip_version |
repeated |
filter based on IP version (ipv4 or ipv6) |
|
trace_id |
repeated |
trace_id filters flows by trace ID |
|
experimental |
experimental contains filters that are not stable yet. Support for experimental features is always optional and subject to change. |
FlowFilter.Experimental
Experimental contains filters that are not stable yet. Support for experimental features is always optional and subject to change.
Field |
Type |
Label |
Description |
---|---|---|---|
cel_expression |
repeated |
cel_expression takes a common expression language (CEL) expression returning a boolean to determine if the filter matched or not. You can use the |
HTTP
L7 information for HTTP flows. It corresponds to Cilium’s accesslog.LogRecordHTTP type.
Field |
Type |
Label |
Description |
---|---|---|---|
code |
|||
method |
|||
url |
|||
protocol |
|||
headers |
repeated |
HTTPHeader
Field |
Type |
Label |
Description |
---|---|---|---|
key |
|||
value |
ICMPv4
Field |
Type |
Label |
Description |
---|---|---|---|
type |
|||
code |
ICMPv6
Field |
Type |
Label |
Description |
---|---|---|---|
type |
|||
code |
IP
Field |
Type |
Label |
Description |
---|---|---|---|
source |
|||
source_xlated |
source_xlated is the post translation source IP when the flow was SNATed (and in that case source is the the original source IP). |
||
destination |
|||
ipVersion |
|||
encrypted |
This field indicates whether the TraceReasonEncryptMask is set or not. https://github.com/cilium/cilium/blob/ba0ed147bd5bb342f67b1794c2ad13c6e99d5236/pkg/monitor/datapath_trace.go#L27 |
IPCacheNotification
Field |
Type |
Label |
Description |
---|---|---|---|
cidr |
|||
identity |
|||
old_identity |
|||
host_ip |
|||
old_host_ip |
|||
encrypt_key |
|||
namespace |
|||
pod_name |
Kafka
L7 information for Kafka flows. It corresponds to Cilium’s accesslog.LogRecordKafka type.
Field |
Type |
Label |
Description |
---|---|---|---|
error_code |
|||
api_version |
|||
api_key |
|||
correlation_id |
|||
topic |
Layer4
Field |
Type |
Label |
Description |
---|---|---|---|
TCP |
|||
UDP |
|||
ICMPv4 |
ICMP is technically not L4, but mutually exclusive with the above |
||
ICMPv6 |
|||
SCTP |
Layer7
Message for L7 flow, which roughly corresponds to Cilium’s accesslog LogRecord:
Field |
Type |
Label |
Description |
---|---|---|---|
type |
|||
latency_ns |
Latency of the response |
||
dns |
|||
http |
|||
kafka |
LostEvent
LostEvent is a message which notifies consumers about a loss of events that happened before the events were captured by Hubble.
Field |
Type |
Label |
Description |
---|---|---|---|
source |
source is the location where events got lost. |
||
num_events_lost |
num_events_lost is the number of events that haven been lost at source. |
||
cpu |
cpu on which the event was lost if the source of lost events is PERF_EVENT_RING_BUFFER. |
NetworkInterface
Field |
Type |
Label |
Description |
---|---|---|---|
index |
|||
name |
Policy
Field |
Type |
Label |
Description |
---|---|---|---|
name |
|||
namespace |
|||
labels |
repeated |
||
revision |
PolicyUpdateNotification
Field |
Type |
Label |
Description |
---|---|---|---|
labels |
repeated |
||
revision |
|||
rule_count |
SCTP
Field |
Type |
Label |
Description |
---|---|---|---|
source_port |
|||
destination_port |
Service
Field |
Type |
Label |
Description |
---|---|---|---|
name |
|||
namespace |
ServiceDeleteNotification
Field |
Type |
Label |
Description |
---|---|---|---|
id |
ServiceUpsertNotification
Field |
Type |
Label |
Description |
---|---|---|---|
id |
|||
frontend_address |
|||
backend_addresses |
repeated |
||
type |
|||
traffic_policy |
Deprecated. |
||
name |
|||
namespace |
|||
ext_traffic_policy |
|||
int_traffic_policy |
ServiceUpsertNotificationAddr
Field |
Type |
Label |
Description |
---|---|---|---|
ip |
|||
port |
TCP
Field |
Type |
Label |
Description |
---|---|---|---|
source_port |
|||
destination_port |
|||
flags |
TCPFlags
Field |
Type |
Label |
Description |
---|---|---|---|
FIN |
|||
SYN |
|||
RST |
|||
PSH |
|||
ACK |
|||
URG |
|||
ECE |
|||
CWR |
|||
NS |
TimeNotification
Field |
Type |
Label |
Description |
---|---|---|---|
time |
TraceContext
TraceContext contains trace context propagation data, i.e. information about a distributed trace. For more information about trace context, check the W3C Trace Context specification.
Field |
Type |
Label |
Description |
---|---|---|---|
parent |
parent identifies the incoming request in a tracing system. |
TraceParent
TraceParent identifies the incoming request in a tracing system.
Field |
Type |
Label |
Description |
---|---|---|---|
trace_id |
trace_id is a unique value that identifies a trace. It is a byte array represented as a hex string. |
UDP
Field |
Type |
Label |
Description |
---|---|---|---|
source_port |
|||
destination_port |
Workload
Field |
Type |
Label |
Description |
---|---|---|---|
name |
|||
kind |
AgentEventType
AgentEventType is the type of agent event. These values are shared with type AgentNotification in pkg/monitor/api/types.go.
Name |
Number |
Description |
---|---|---|
AGENT_EVENT_UNKNOWN |
0 |
|
AGENT_STARTED |
2 |
|
POLICY_UPDATED |
3 |
|
POLICY_DELETED |
4 |
|
ENDPOINT_REGENERATE_SUCCESS |
5 |
|
ENDPOINT_REGENERATE_FAILURE |
6 |
|
ENDPOINT_CREATED |
7 |
|
ENDPOINT_DELETED |
8 |
|
IPCACHE_UPSERTED |
9 |
|
IPCACHE_DELETED |
10 |
|
SERVICE_UPSERTED |
11 |
|
SERVICE_DELETED |
12 |
AuthType
These types correspond to definitions in pkg/policy/l4.go.
Name |
Number |
Description |
---|---|---|
DISABLED |
0 |
|
SPIRE |
1 |
|
TEST_ALWAYS_FAIL |
2 |
DebugCapturePoint
These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.
Name |
Number |
Description |
---|---|---|
DBG_CAPTURE_POINT_UNKNOWN |
0 |
|
DBG_CAPTURE_DELIVERY |
4 |
|
DBG_CAPTURE_FROM_LB |
5 |
|
DBG_CAPTURE_AFTER_V46 |
6 |
|
DBG_CAPTURE_AFTER_V64 |
7 |
|
DBG_CAPTURE_PROXY_PRE |
8 |
|
DBG_CAPTURE_PROXY_POST |
9 |
|
DBG_CAPTURE_SNAT_PRE |
10 |
|
DBG_CAPTURE_SNAT_POST |
11 |
DebugEventType
These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.
Name |
Number |
Description |
---|---|---|
DBG_EVENT_UNKNOWN |
0 |
|
DBG_GENERIC |
1 |
|
DBG_LOCAL_DELIVERY |
2 |
|
DBG_ENCAP |
3 |
|
DBG_LXC_FOUND |
4 |
|
DBG_POLICY_DENIED |
5 |
|
DBG_CT_LOOKUP |
6 |
|
DBG_CT_LOOKUP_REV |
7 |
|
DBG_CT_MATCH |
8 |
|
DBG_CT_CREATED |
9 |
|
DBG_CT_CREATED2 |
10 |
|
DBG_ICMP6_HANDLE |
11 |
|
DBG_ICMP6_REQUEST |
12 |
|
DBG_ICMP6_NS |
13 |
|
DBG_ICMP6_TIME_EXCEEDED |
14 |
|
DBG_CT_VERDICT |
15 |
|
DBG_DECAP |
16 |
|
DBG_PORT_MAP |
17 |
|
DBG_ERROR_RET |
18 |
|
DBG_TO_HOST |
19 |
|
DBG_TO_STACK |
20 |
|
DBG_PKT_HASH |
21 |
|
DBG_LB6_LOOKUP_FRONTEND |
22 |
|
DBG_LB6_LOOKUP_FRONTEND_FAIL |
23 |
|
DBG_LB6_LOOKUP_BACKEND_SLOT |
24 |
|
DBG_LB6_LOOKUP_BACKEND_SLOT_SUCCESS |
25 |
|
DBG_LB6_LOOKUP_BACKEND_SLOT_V2_FAIL |
26 |
|
DBG_LB6_LOOKUP_BACKEND_FAIL |
27 |
|
DBG_LB6_REVERSE_NAT_LOOKUP |
28 |
|
DBG_LB6_REVERSE_NAT |
29 |
|
DBG_LB4_LOOKUP_FRONTEND |
30 |
|
DBG_LB4_LOOKUP_FRONTEND_FAIL |
31 |
|
DBG_LB4_LOOKUP_BACKEND_SLOT |
32 |
|
DBG_LB4_LOOKUP_BACKEND_SLOT_SUCCESS |
33 |
|
DBG_LB4_LOOKUP_BACKEND_SLOT_V2_FAIL |
34 |
|
DBG_LB4_LOOKUP_BACKEND_FAIL |
35 |
|
DBG_LB4_REVERSE_NAT_LOOKUP |
36 |
|
DBG_LB4_REVERSE_NAT |
37 |
|
DBG_LB4_LOOPBACK_SNAT |
38 |
|
DBG_LB4_LOOPBACK_SNAT_REV |
39 |
|
DBG_CT_LOOKUP4 |
40 |
|
DBG_RR_BACKEND_SLOT_SEL |
41 |
|
DBG_REV_PROXY_LOOKUP |
42 |
|
DBG_REV_PROXY_FOUND |
43 |
|
DBG_REV_PROXY_UPDATE |
44 |
|
DBG_L4_POLICY |
45 |
|
DBG_NETDEV_IN_CLUSTER |
46 |
|
DBG_NETDEV_ENCAP4 |
47 |
|
DBG_CT_LOOKUP4_1 |
48 |
|
DBG_CT_LOOKUP4_2 |
49 |
|
DBG_CT_CREATED4 |
50 |
|
DBG_CT_LOOKUP6_1 |
51 |
|
DBG_CT_LOOKUP6_2 |
52 |
|
DBG_CT_CREATED6 |
53 |
|
DBG_SKIP_PROXY |
54 |
|
DBG_L4_CREATE |
55 |
|
DBG_IP_ID_MAP_FAILED4 |
56 |
|
DBG_IP_ID_MAP_FAILED6 |
57 |
|
DBG_IP_ID_MAP_SUCCEED4 |
58 |
|
DBG_IP_ID_MAP_SUCCEED6 |
59 |
|
DBG_LB_STALE_CT |
60 |
|
DBG_INHERIT_IDENTITY |
61 |
|
DBG_SK_LOOKUP4 |
62 |
|
DBG_SK_LOOKUP6 |
63 |
|
DBG_SK_ASSIGN |
64 |
|
DBG_L7_LB |
65 |
|
DBG_SKIP_POLICY |
66 |
DropReason
These values are shared with pkg/monitor/api/drop.go and bpf/lib/common.h. Note that non-drop reasons (i.e. values less than api.DropMin) are not used here.
Name |
Number |
Description |
---|---|---|
DROP_REASON_UNKNOWN |
0 |
non-drop reasons |
INVALID_SOURCE_MAC |
130 |
drop reasons |
INVALID_DESTINATION_MAC |
131 |
|
INVALID_SOURCE_IP |
132 |
|
POLICY_DENIED |
133 |
|
INVALID_PACKET_DROPPED |
134 |
|
CT_TRUNCATED_OR_INVALID_HEADER |
135 |
|
CT_MISSING_TCP_ACK_FLAG |
136 |
|
CT_UNKNOWN_L4_PROTOCOL |
137 |
|
CT_CANNOT_CREATE_ENTRY_FROM_PACKET |
138 |
|
UNSUPPORTED_L3_PROTOCOL |
139 |
|
MISSED_TAIL_CALL |
140 |
|
ERROR_WRITING_TO_PACKET |
141 |
|
UNKNOWN_L4_PROTOCOL |
142 |
|
UNKNOWN_ICMPV4_CODE |
143 |
|
UNKNOWN_ICMPV4_TYPE |
144 |
|
UNKNOWN_ICMPV6_CODE |
145 |
|
UNKNOWN_ICMPV6_TYPE |
146 |
|
ERROR_RETRIEVING_TUNNEL_KEY |
147 |
|
ERROR_RETRIEVING_TUNNEL_OPTIONS |
148 |
|
INVALID_GENEVE_OPTION |
149 |
|
UNKNOWN_L3_TARGET_ADDRESS |
150 |
|
STALE_OR_UNROUTABLE_IP |
151 |
|
NO_MATCHING_LOCAL_CONTAINER_FOUND |
152 |
|
ERROR_WHILE_CORRECTING_L3_CHECKSUM |
153 |
|
ERROR_WHILE_CORRECTING_L4_CHECKSUM |
154 |
|
CT_MAP_INSERTION_FAILED |
155 |
|
INVALID_IPV6_EXTENSION_HEADER |
156 |
|
IP_FRAGMENTATION_NOT_SUPPORTED |
157 |
|
SERVICE_BACKEND_NOT_FOUND |
158 |
|
NO_TUNNEL_OR_ENCAPSULATION_ENDPOINT |
160 |
|
FAILED_TO_INSERT_INTO_PROXYMAP |
161 |
|
REACHED_EDT_RATE_LIMITING_DROP_HORIZON |
162 |
|
UNKNOWN_CONNECTION_TRACKING_STATE |
163 |
|
LOCAL_HOST_IS_UNREACHABLE |
164 |
|
NO_CONFIGURATION_AVAILABLE_TO_PERFORM_POLICY_DECISION |
165 |
|
UNSUPPORTED_L2_PROTOCOL |
166 |
|
NO_MAPPING_FOR_NAT_MASQUERADE |
167 |
|
UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE |
168 |
|
FIB_LOOKUP_FAILED |
169 |
|
ENCAPSULATION_TRAFFIC_IS_PROHIBITED |
170 |
|
INVALID_IDENTITY |
171 |
|
UNKNOWN_SENDER |
172 |
|
NAT_NOT_NEEDED |
173 |
|
IS_A_CLUSTERIP |
174 |
|
FIRST_LOGICAL_DATAGRAM_FRAGMENT_NOT_FOUND |
175 |
|
FORBIDDEN_ICMPV6_MESSAGE |
176 |
|
DENIED_BY_LB_SRC_RANGE_CHECK |
177 |
|
SOCKET_LOOKUP_FAILED |
178 |
|
SOCKET_ASSIGN_FAILED |
179 |
|
PROXY_REDIRECTION_NOT_SUPPORTED_FOR_PROTOCOL |
180 |
|
POLICY_DENY |
181 |
|
VLAN_FILTERED |
182 |
|
INVALID_VNI |
183 |
|
INVALID_TC_BUFFER |
184 |
|
NO_SID |
185 |
|
MISSING_SRV6_STATE |
186 |
|
NAT46 |
187 |
|
NAT64 |
188 |
|
AUTH_REQUIRED |
189 |
|
CT_NO_MAP_FOUND |
190 |
|
SNAT_NO_MAP_FOUND |
191 |
|
INVALID_CLUSTER_ID |
192 |
|
UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP |
193 |
|
NO_EGRESS_GATEWAY |
194 |
|
UNENCRYPTED_TRAFFIC |
195 |
|
TTL_EXCEEDED |
196 |
|
NO_NODE_ID |
197 |
|
DROP_RATE_LIMITED |
198 |
|
IGMP_HANDLED |
199 |
|
IGMP_SUBSCRIBED |
200 |
|
MULTICAST_HANDLED |
201 |
|
DROP_HOST_NOT_READY |
202 |
A BPF program wants to tail call into bpf_host, but the host datapath hasn’t been loaded yet. |
DROP_EP_NOT_READY |
203 |
A BPF program wants to tail call some endpoint’s policy program in the POLICY_CALL_MAP, but the program is not available. |
DROP_NO_EGRESS_IP |
204 |
An Egress Gateway node matched a packet against an Egress Gateway policy that didn’t select a valid Egress IP. |
EventType
EventType are constants are based on the ones from <linux/perf_event.h>.
Name |
Number |
Description |
---|---|---|
UNKNOWN |
0 |
|
EventSample |
9 |
EventSample is equivalent to PERF_RECORD_SAMPLE. |
RecordLost |
2 |
RecordLost is equivalent to PERF_RECORD_LOST. |
FlowType
Name |
Number |
Description |
---|---|---|
UNKNOWN_TYPE |
0 |
|
L3_L4 |
1 |
not sure about the underscore here, but |
L7 |
2 |
|
SOCK |
3 |
IPVersion
Name |
Number |
Description |
---|---|---|
IP_NOT_USED |
0 |
|
IPv4 |
1 |
|
IPv6 |
2 |
L7FlowType
This enum corresponds to Cilium’s L7 accesslog FlowType:
Name |
Number |
Description |
---|---|---|
UNKNOWN_L7_TYPE |
0 |
|
REQUEST |
1 |
|
RESPONSE |
2 |
|
SAMPLE |
3 |
LostEventSource
Name |
Number |
Description |
---|---|---|
UNKNOWN_LOST_EVENT_SOURCE |
0 |
|
PERF_EVENT_RING_BUFFER |
1 |
PERF_EVENT_RING_BUFFER indicates that events were dropped in the BPF perf event ring buffer, indicating that userspace agent did not keep up with the events produced by the datapath. |
OBSERVER_EVENTS_QUEUE |
2 |
OBSERVER_EVENTS_QUEUE indicates that events were dropped because the Hubble events queue was full, indicating that the Hubble observer did not keep up. |
HUBBLE_RING_BUFFER |
3 |
HUBBLE_RING_BUFFER indicates that the event was dropped because it could not be read from Hubble’s ring buffer in time before being overwritten. |
SocketTranslationPoint
This mirrors enum xlate_point in bpf/lib/trace_sock.h
Name |
Number |
Description |
---|---|---|
SOCK_XLATE_POINT_UNKNOWN |
0 |
|
SOCK_XLATE_POINT_PRE_DIRECTION_FWD |
1 |
Pre service translation |
SOCK_XLATE_POINT_POST_DIRECTION_FWD |
2 |
Post service translation |
SOCK_XLATE_POINT_PRE_DIRECTION_REV |
3 |
Pre reverse service translation |
SOCK_XLATE_POINT_POST_DIRECTION_REV |
4 |
Post reverse service translation |
TraceObservationPoint
Name |
Number |
Description |
---|---|---|
UNKNOWN_POINT |
0 |
Cilium treats 0 as TO_LXC, but its’s something we should work to remove. This is intentionally set as unknown, so proto API can guarantee the observation point is always going to be present on trace events. |
TO_PROXY |
1 |
TO_PROXY indicates network packets are transmitted towards the l7 proxy. |
TO_HOST |
2 |
TO_HOST indicates network packets are transmitted towards the host namespace. |
TO_STACK |
3 |
TO_STACK indicates network packets are transmitted towards the Linux kernel network stack on host machine. |
TO_OVERLAY |
4 |
TO_OVERLAY indicates network packets are transmitted towards the tunnel device. |
TO_ENDPOINT |
101 |
TO_ENDPOINT indicates network packets are transmitted towards endpoints (containers). |
FROM_ENDPOINT |
5 |
FROM_ENDPOINT indicates network packets were received from endpoints (containers). |
FROM_PROXY |
6 |
FROM_PROXY indicates network packets were received from the l7 proxy. |
FROM_HOST |
7 |
FROM_HOST indicates network packets were received from the host namespace. |
FROM_STACK |
8 |
FROM_STACK indicates network packets were received from the Linux kernel network stack on host machine. |
FROM_OVERLAY |
9 |
FROM_OVERLAY indicates network packets were received from the tunnel device. |
FROM_NETWORK |
10 |
FROM_NETWORK indicates network packets were received from native devices. |
TO_NETWORK |
11 |
TO_NETWORK indicates network packets are transmitted towards native devices. |
TraceReason
Name |
Number |
Description |
---|---|---|
TRACE_REASON_UNKNOWN |
0 |
|
NEW |
1 |
|
ESTABLISHED |
2 |
|
REPLY |
3 |
|
RELATED |
4 |
|
REOPENED |
5 |
|
SRV6_ENCAP |
6 |
|
SRV6_DECAP |
7 |
|
ENCRYPT_OVERLAY |
8 |
TrafficDirection
Name |
Number |
Description |
---|---|---|
TRAFFIC_DIRECTION_UNKNOWN |
0 |
|
INGRESS |
1 |
|
EGRESS |
2 |
Verdict
Name |
Number |
Description |
---|---|---|
VERDICT_UNKNOWN |
0 |
UNKNOWN is used if there is no verdict for this flow event |
FORWARDED |
1 |
FORWARDED is used for flow events where the trace point has forwarded this packet or connection to the next processing entity. |
DROPPED |
2 |
DROPPED is used for flow events where the connection or packet has been dropped (e.g. due to a malformed packet, it being rejected by a network policy etc). The exact drop reason may be found in drop_reason_desc. |
ERROR |
3 |
ERROR is used for flow events where an error occurred during processing |
AUDIT |
4 |
AUDIT is used on policy verdict events in policy audit mode, to denominate flows that would have been dropped by policy if audit mode was turned off |
REDIRECTED |
5 |
REDIRECTED is used for flow events which have been redirected to the proxy |
TRACED |
6 |
TRACED is used for flow events which have been observed at a trace point, but no particular verdict has been reached yet |
TRANSLATED |
7 |
TRANSLATED is used for flow events where an address has been translated |
Scalar Value Types
.proto Type |
Notes |
C++ |
Java |
Python |
Go |
C# |
PHP |
Ruby |
---|---|---|---|---|---|---|---|---|
double |
double |
float |
float64 |
double |
float |
Float |
||
float |
float |
float |
float32 |
float |
float |
Float |
||
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
|
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
|
Uses variable-length encoding. |
uint32 |
int |
int/long |
uint32 |
uint |
integer |
Bignum or Fixnum (as required) |
|
Uses variable-length encoding. |
uint64 |
long |
int/long |
uint64 |
ulong |
integer/string |
Bignum or Fixnum (as required) |
|
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
|
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
|
Always four bytes. More efficient than uint32 if values are often greater than 2^28. |
uint32 |
int |
int |
uint32 |
uint |
integer |
Bignum or Fixnum (as required) |
|
Always eight bytes. More efficient than uint64 if values are often greater than 2^56. |
uint64 |
long |
int/long |
uint64 |
ulong |
integer/string |
Bignum |
|
Always four bytes. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
|
Always eight bytes. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
|
bool |
boolean |
boolean |
bool |
bool |
boolean |
TrueClass/FalseClass |
||
A string must always contain UTF-8 encoded or 7-bit ASCII text. |
string |
String |
str/unicode |
string |
string |
string |
String (UTF-8) |
|
May contain any arbitrary sequence of bytes. |
string |
ByteString |
str |
[]byte |
ByteString |
string |
String (ASCII-8BIT) |