package felix

Get desktop application:
View/edit binary Protocol Buffers messages

• rpc Sync (SyncRequest, stream ToDataplane)

  felixbackend.proto:25

  On this API, only the following payloads will be sent: - InSync - IPSetUpdate - IPSetDeltaUpdate - IPSetRemove - ActiveProfileUpdate - ActiveProfileRemove - ActivePolicyUpdate - ActivePolicyRemove - WorkloadEndpointUpdate - WorkloadEndpointRemove - ServiceAccountUpdate - ServiceAccountRemove - NamespaceUpdate - NamespaceRemove - RouteUpdate - RouteRemove - VXLANTunnelEndpointUpdate - VXLANTunnelEndpointRemove

  message SyncRequest

  felixbackend.proto:31

  (message has no fields)

  message ToDataplane

  felixbackend.proto:40

  • uint64 sequence_number = 15

    Sequence number incremented with each message. Useful for correlating messages in logs.

  • oneof payload

    • InSync in_sync = 1

      InSync is sent once a complete snapshot of the datastore has been processed. The dataplane driver should use it as a signal to resynchronise the dataplane.

    • IPSetUpdate ipset_update = 2

      IPSetUpdate is sent when an IP set becomes active. It contains the complete membership of the IP set.

    • IPSetDeltaUpdate ipset_delta_update = 3

      IPSetDeltaUpdates are sent after the first IPSetUpdate; they contain a list of IPs that should be added and removed from the IP set.

    • IPSetRemove ipset_remove = 4

      IPSet remove is sent when an IP set is no longer needed.

    • ActiveProfileUpdate active_profile_update = 5

      ActiveProfileUpdate is sent when a profile becomes active or is updated.

    • ActiveProfileRemove active_profile_remove = 6

      ActiveProfileRemove is sent when a profile becomes inactive or is deleted.

    • ActivePolicyUpdate active_policy_update = 7

      ActivePolicyUpdate is sent when a policy becomes active or is updated.

    • ActivePolicyRemove active_policy_remove = 8

      ActivePolicyRemove is sent when a policy becomes inactive or is deleted.

    • HostEndpointUpdate host_endpoint_update = 9

      HostEndpointUpdate is sent when a local host endpoint is added or updated.

    • HostEndpointRemove host_endpoint_remove = 10

      HostEndpointRemove is sent when a local host endpoint is removed.

    • WorkloadEndpointUpdate workload_endpoint_update = 11

      WorkloadEndpointUpdate is sent when a local workload endpoint is added or updated.

    • WorkloadEndpointRemove workload_endpoint_remove = 12

      WorkloadEndpointRemove is sent when a local workload endpoint is removed.

    • ConfigUpdate config_update = 13

      ConfigUpdate is sent at start of day or when the config changes.

    • HostMetadataUpdate host_metadata_update = 14

      HostMetadataUpdate is sent when a host IP is added or updated. I.e. the IP used for BGP peering/IPIP.

    • HostMetadataRemove host_metadata_remove = 18

      HostIPRemove is sent when a host IP is removed.

    • HostMetadataV4V6Update host_metadata_v4v6_update = 37

      HostMetadataV4V6Update is sent when a host is added or updated.

    • HostMetadataV4V6Remove host_metadata_v4v6_remove = 38

      HostIPRemove is sent when a host is removed.

    • IPAMPoolUpdate ipam_pool_update = 16

      IPAMPoolUpdate is sent when an IPAM pool is added/updated.

    • IPAMPoolRemove ipam_pool_remove = 17

      IPAMPoolRemove is sent when an IPAM pool is removed.

    • ServiceAccountUpdate service_account_update = 19

      ServiceAccountUpdate is sent when a ServiceAccount is added/updated.

    • ServiceAccountRemove service_account_remove = 20

      ServiceAccountRemove is sent when a ServiceAccount is removed.

    • NamespaceUpdate namespace_update = 21

      NamespaceUpdate is sent when a Namespace is added/updated.

    • NamespaceRemove namespace_remove = 22

      NamespaceRemove is sent when a Namespace is removed.

    • RouteUpdate route_update = 23

      RouteUpdate is send when a route is added/updated.

    • RouteRemove route_remove = 24

      RouteRemove is send when a route is deleted.

    • VXLANTunnelEndpointUpdate vtep_update = 25

      VXLANTunnelEndpointUpdate is send when a vtep is added/updated.

    • VXLANTunnelEndpointRemove vtep_remove = 26

      VXLANTunnelEndpointRemove is send when a route is deleted.

    • WireguardEndpointUpdate wireguard_endpoint_update = 27

      WireguardEndpointUpdate is sent to setup IPv4 wireguard on the host.

    • WireguardEndpointRemove wireguard_endpoint_remove = 28

      WireguardEndpointRemove is sent to undo IPv4 wireguard on the host.

    • GlobalBGPConfigUpdate global_bgp_config_update = 29

      GlobalBGPConfigUpdate is sent when global BGPConfiguration changes.

    • Encapsulation encapsulation = 30

    • ServiceUpdate service_update = 31

    • ServiceRemove service_remove = 32

    • WireguardEndpointV6Update wireguard_endpoint_v6_update = 33

      WireguardEndpointV6Update is sent to setup IPv6 wireguard on the host.

    • WireguardEndpointV6Remove wireguard_endpoint_v6_remove = 34

      WireguardEndpointV6Remove is sent to undo IPv6 wireguard on the host.

    • HostMetadataV6Update host_metadata_v6_update = 35

      HostMetadataV6Update is sent when a host IPv6 address is added or updated.

    • HostMetadataV6Remove host_metadata_v6_remove = 36

      HostMetadataV6Remove is sent when a host IPv6 address is removed.

• rpc Report (DataplaneStats, ReportResult)

  felixbackend.proto:28

  Report dataplane statistics to Felix.

  message DataplaneStats

  felixbackend.proto:666

  DataplaneStats reports statistics about a flow from the dataplane.

  • string src_ip = 1

    Identity of the flow. Right now, just 5-tuple

  • string dst_ip = 2

  • int32 src_port = 3

  • int32 dst_port = 4

  • optional Protocol protocol = 5

  • repeated Statistic stats = 6

    Each message can report zero or more statistics about the flow.

  • repeated RuleTrace rules = 7

    RuleTrace is the sequence of rules that matched the flow. The last rule allows or denies the flow, each rule prior "passed" to the next tier or to profiles.

  • Action action = 8

    Whether the flow was allowed or denied

  message ReportResult

  felixbackend.proto:660

  • bool successful = 1

    Whether the data was reported successfully.

Action represents an action taken by a policy or rule.

Used in: DataplaneStats, Statistic

• ALLOWED = 0

• DENIED = 1

Used in: ToDataplane

• optional PolicyID id = 1

Used in: ToDataplane

• optional PolicyID id = 1

• optional Policy policy = 2

Used in: ToDataplane

• optional ProfileID id = 1

Used in: ToDataplane

• optional ProfileID id = 1

• optional Profile profile = 2

Used in: ToDataplane

• string message = 3

• map<string, string> config = 1

• map<uint32, RawConfig> source_to_raw_config = 2

Used in: FromDataplane

(message has no fields)

Used in: ToDataplane

• bool ipip_enabled = 1

• bool vxlan_enabled = 2

• bool vxlan_enabled_v6 = 3

Used in: HostEndpointStatusUpdate, WorkloadEndpointStatusUpdate

• string status = 1

• uint64 sequence_number = 8

• oneof payload

  • ProcessStatusUpdate process_status_update = 3

    ProcessStatusUpdate is sent as a periodic heartbeat.

  • HostEndpointStatusUpdate host_endpoint_status_update = 4

    HostEndpointStatusUpdate is sent when the oper status of an endpoint changes.

  • HostEndpointStatusRemove host_endpoint_status_remove = 5

    HostEndpointStatusRemove is sent when an endpoint is removed to clean up its oper status entry.

  • WorkloadEndpointStatusUpdate workload_endpoint_status_update = 6

    WorkloadEndpointStatusUpdate is sent when the oper status of an endpoint changes.

  • WorkloadEndpointStatusRemove workload_endpoint_status_remove = 7

    WorkloadEndpointStatusRemove is sent when an endpoint is removed to clean up its oper status entry.

  • WireguardStatusUpdate wireguard_status_update = 9

    WireguardStatusUpdate is sent when the wireguard is available with the crypto primitives set up.

  • DataplaneInSync dataplane_in_sync = 10

Used in: ToDataplane

• repeated string service_cluster_cidrs = 1

• repeated string service_external_cidrs = 2

• repeated string service_loadbalancer_cidrs = 3

• string local_workload_peering_ip_v4 = 4

• string local_workload_peering_ip_v6 = 5

Used in: Rule

• repeated string methods = 1

• repeated HTTPMatch.PathMatch paths = 2

Used in: HTTPMatch

• oneof path_match

  • string exact = 1

  • string prefix = 2

Used in: HostEndpointUpdate

• string name = 1

• repeated string profile_ids = 2

• repeated TierInfo tiers = 3

• repeated TierInfo untracked_tiers = 6

• repeated TierInfo pre_dnat_tiers = 7

• repeated TierInfo forward_tiers = 8

• repeated string expected_ipv4_addrs = 4

• repeated string expected_ipv6_addrs = 5

Used in: HostEndpointRemove, HostEndpointStatusRemove, HostEndpointStatusUpdate, HostEndpointUpdate

• string endpoint_id = 2

Used in: ToDataplane

• optional HostEndpointID id = 1

Used in: FromDataplane

• optional HostEndpointID id = 1

Used in: FromDataplane

• optional HostEndpointID id = 1

• optional EndpointStatus status = 2

Used in: ToDataplane

• optional HostEndpointID id = 1

• optional HostEndpoint endpoint = 3

Used in: ToDataplane

• string hostname = 1

• string ipv4_addr = 2

Used in: ToDataplane

• string hostname = 1

• string ipv4_addr = 2

Used in: ToDataplane

• string hostname = 1

• string ipv4_addr = 2

Used in: ToDataplane

• string hostname = 1

• string ipv4_addr = 2

• string ipv6_addr = 3

• string asnumber = 4

• map<string, string> labels = 5

Used in: ToDataplane

• string hostname = 1

• string ipv6_addr = 2

Used in: ToDataplane

• string hostname = 1

• string ipv6_addr = 2

Used in: IPAMPoolUpdate

• string cidr = 1

• bool masquerade = 2

• string ipip_mode = 3

• string vxlan_mode = 4

Used in: ToDataplane

• string id = 1

Used in: ToDataplane

• string id = 1

• optional IPAMPool pool = 2

Used in: RouteUpdate

• NONE = 0

• NO_ENCAP = 1

• VXLAN = 2

• IPIP = 3

Used in: ToDataplane

• string id = 1

• repeated string added_members = 2

• repeated string removed_members = 3

Used in: ToDataplane

• string id = 1

Used in: ToDataplane

• string id = 1

• repeated string members = 2

• IPSetUpdate.IPSetType type = 3

Used in: IPSetUpdate

• IP = 0

  Each member is an IP address in dotted-decimal or IPv6 format.

• IP_AND_PORT = 1

  Each member is "<IP>,(tcp|udp):port".

• NET = 2

  Each member is a CIDR in dotted-decimal or IPv6 format.

Used in: Rule, WireguardStatusUpdate

• ANY = 0

• IPV4 = 4

• IPV6 = 6

Used in: Rule

• int32 type = 1

• int32 code = 2

Used in: ToDataplane

(message has no fields)

Used in: WorkloadEndpoint

• string bgp_peer_name = 1

Used in: NamespaceRemove, NamespaceUpdate

• string name = 1

Used in: ToDataplane

• optional NamespaceID id = 1

Used in: ToDataplane

• optional NamespaceID id = 1

• map<string, string> labels = 2

Used in: WorkloadEndpoint

• string ext_ip = 1

• string int_ip = 2

Used in: ActivePolicyUpdate

• string namespace = 5

  If the Policy represents a NetworkPolicy, this contains the namespace that the policy came from. Otherwise, empty.

• repeated Rule inbound_rules = 1

• repeated Rule outbound_rules = 2

• bool untracked = 3

• bool pre_dnat = 4

• string original_selector = 6

Used in: ActivePolicyRemove, ActivePolicyUpdate, RuleTrace

• string tier = 1

• string name = 2

Individual ports are sent with first == last.

Used in: Rule

• int32 first = 1

• int32 last = 2

Used in: FromDataplane

• string iso_timestamp = 1

• double uptime = 2

Used in: ActiveProfileUpdate

• repeated Rule inbound_rules = 1

• repeated Rule outbound_rules = 2

Used in: ActiveProfileRemove, ActiveProfileUpdate, RuleTrace

• string name = 1

Used in: DataplaneStats, Rule

• oneof number_or_name

  • int32 number = 1

  • string name = 2

Used in: WorkloadEndpoint

• int64 IngressBandwidth = 1

• int64 EgressBandwidth = 2

• int64 IngressBurst = 3

• int64 EgressBurst = 4

• int64 IngressPacketRate = 5

• int64 EgressPacketRate = 6

• int64 IngressMaxConnections = 7

• int64 EgressMaxConnections = 8

Used in: ConfigUpdate

• string source = 1

• map<string, string> config = 2

Used in: ToDataplane

• string dst = 2

RouteTYpe defines a type of route. Each is a power of 2, so that theye can be used as unique bits within a bitmap.

Used in: RouteUpdate

• CIDR_INFO = 0

  CIDR_INFO gives information about a CIDR without establishing a route. For example, it is emitted for IP pools with no blocks.

• REMOTE_WORKLOAD = 1

• REMOTE_HOST = 2

• LOCAL_WORKLOAD = 4

• LOCAL_HOST = 8

• REMOTE_TUNNEL = 16

• LOCAL_TUNNEL = 32

Used in: ToDataplane

• RouteType types = 12

  Types is a bitmap field indicating which route types apply to this route.

• IPPoolType ip_pool_type = 2

• string dst = 3

• string dst_node_name = 4

  The name of the node holding this destination, if this route targets a calico node.

• string dst_node_ip = 5

  IP of the node holding this destination.

• bool same_subnet = 7

• bool nat_outgoing = 8

• bool local_workload = 9

• optional TunnelType tunnel_type = 10

• bool borrowed = 11

Used in: Policy, Profile

• string action = 1

• IPVersion ip_version = 2

• optional Protocol protocol = 3

• repeated string src_net = 4

• repeated PortRange src_ports = 5

  The list of ports is split into numeric and named ports, where named ports are represented by (IP, port) IP sets. A packet matches this rule if it matches any numeric port range *or* any listed named port IP set.

• repeated string src_named_port_ip_set_ids = 12

• repeated string dst_net = 6

• repeated PortRange dst_ports = 7

• repeated string dst_named_port_ip_set_ids = 13

• oneof icmp

  • int32 icmp_type = 8

    Distinguish between a match on type only and type+code. We can't use the fact that fields ar optional because Go can't distinguish 0 from "not-present".

  • IcmpTypeAndCode icmp_type_code = 9

• repeated string src_ip_set_ids = 10

• repeated string dst_ip_set_ids = 11

• repeated string dst_ip_port_set_ids = 15

  IP sets on which we should match both IP and port.

• optional Protocol not_protocol = 102

• repeated string not_src_net = 103

• repeated PortRange not_src_ports = 104

• repeated string not_dst_net = 105

• repeated PortRange not_dst_ports = 106

• oneof not_icmp

  • int32 not_icmp_type = 107

  • IcmpTypeAndCode not_icmp_type_code = 108

• repeated string not_src_ip_set_ids = 109

• repeated string not_dst_ip_set_ids = 110

• repeated string not_src_named_port_ip_set_ids = 112

• repeated string not_dst_named_port_ip_set_ids = 113

• string original_src_selector = 114

  These fields pass through the original selectors from the v3 datamodel unmodified as required for the policy sync API.

• string original_dst_selector = 115

• string original_src_namespace_selector = 116

• string original_dst_namespace_selector = 117

• string original_not_src_selector = 118

• string original_not_dst_selector = 119

• string original_src_service = 132

  Original source service match criteria.

• string original_src_service_namespace = 133

• string original_dst_service = 130

  Original destination service match criteria.

• string original_dst_service_namespace = 131

• optional ServiceAccountMatch src_service_account_match = 120

  Pass through of the v3 datamodel service account match criteria.

• optional ServiceAccountMatch dst_service_account_match = 121

• optional HTTPMatch http_match = 122

  Pass through of the v3 datamodel HTTP match criteria.

• optional RuleMetadata metadata = 123

• string rule_id = 201

  An opaque ID/hash for the rule.

Used in: Rule

• map<string, string> annotations = 1

RuleTrace indicates a rule that matched the flow as it was being evaluated.

Used in: DataplaneStats

• oneof id

  • PolicyID policy = 1

    The rule is part of a policy identified in this field.

  • ProfileID profile = 2

    The rule is part of a profile identified in this field.

  • bool none = 3

    The flow was neither allowed nor denied by any policy or profile. By default this means the flow is denied. If this is set the rule num should be ignored since no rule matched the flow.

• RuleTrace.Direction direction = 4

• int32 rule_num = 5

  The numerical index of the rule that matched.

Whether the rule appears in INBOUND or OUTBOUND rules for the policy / profile.

Used in: RuleTrace

• INBOUND = 0

• OUTBOUND = 1

Used in: ServiceAccountRemove, ServiceAccountUpdate

• string namespace = 1

• string name = 2

Used in: Rule

• string selector = 1

• repeated string names = 2

Used in: ToDataplane

• optional ServiceAccountID id = 1

Used in: ToDataplane

• optional ServiceAccountID id = 1

• map<string, string> labels = 2

Used in: ServiceUpdate

• string Protocol = 1

• int32 Port = 2

• int32 NodePort = 3

Used in: ToDataplane

• string name = 1

• string namespace = 2

Used in: ToDataplane

• string name = 1

• string namespace = 2

• string type = 3

• repeated string cluster_ips = 4

• string loadbalancer_ip = 5

• repeated string external_ips = 6

• repeated ServicePort ports = 7

Statistic is a piece of summary information for a flow.

Used in: DataplaneStats

• Statistic.Direction direction = 1

• Statistic.Relativity relativity = 2

• Statistic.Kind kind = 3

• Action action = 4

  Action further qualifies the kind. For example, an action of ALLOWED with a kind of PACKETS means this statistic is the number of allowed packets.

• int64 value = 5

  The numerical value of the statistic.

Whether the statistic is for inbound or outbound data flow, relative to the dataplane reporting.

Used in: Statistic

• IN = 0

• OUT = 1

Kind indicates what this statistic is about.

Used in: Statistic

• PACKETS = 0

• BYTES = 1

Whether the data is relative. ABSOLUTE data gives the total for the flow since it started. DELTA data gives the change since the last report for this flow.

Used in: Statistic

• ABSOLUTE = 0

• DELTA = 1

Used in: HostEndpoint, WorkloadEndpoint

• string name = 1

• repeated string ingress_policies = 2

• repeated string egress_policies = 3

• string default_action = 4

Used in: RouteUpdate

• bool ipip = 1

• bool vxlan = 2

• bool wireguard = 3

Used in: ToDataplane

• string node = 1

Used in: ToDataplane

• string node = 1

• string mac = 2

• string ipv4_addr = 3

• string parent_device_ip = 4

• string mac_v6 = 5

• string ipv6_addr = 6

• string parent_device_ipv6 = 7

Used in: ToDataplane

• string hostname = 1

  The name of the IPv4 wireguard host.

Used in: ToDataplane

• string hostname = 1

  The name of the IPv4 wireguard host.

• string public_key = 2

  The public key for IPv4 wireguard on this endpoint.

• string interface_ipv4_addr = 3

  The IP address of the IPv4 wireguard interface.

Used in: ToDataplane

• string hostname = 1

  The name of the IPv6 wireguard host.

Used in: ToDataplane

• string hostname = 1

  The name of the IPv6 wireguard host.

• string public_key_v6 = 2

  The public key for IPv6 wireguard on this endpoint.

• string interface_ipv6_addr = 3

  The IP address of the IPv6 wireguard interface.

Used in: FromDataplane

• string public_key = 1

  Wireguard public-key set on the interface.

• IPVersion ip_version = 2

  The IP version of this update

Used in: WorkloadEndpointStatusUpdate, WorkloadEndpointUpdate

• string state = 1

• string name = 2

• string mac = 3

• repeated string profile_ids = 4

• repeated string ipv4_nets = 5

• repeated string ipv6_nets = 6

• repeated TierInfo tiers = 7

• repeated NatInfo ipv4_nat = 8

• repeated NatInfo ipv6_nat = 9

• repeated string allow_spoofed_source_prefixes = 10

• map<string, string> annotations = 11

• optional QoSControls qos_controls = 12

• optional LocalBGPPeer local_bgp_peer = 13

• WorkloadType type = 14

Used in: WorkloadEndpointRemove, WorkloadEndpointStatusRemove, WorkloadEndpointStatusUpdate, WorkloadEndpointUpdate

• string orchestrator_id = 2

• string workload_id = 3

• string endpoint_id = 4

Used in: ToDataplane

• optional WorkloadEndpointID id = 1

Used in: FromDataplane

• optional WorkloadEndpointID id = 1

Used in: FromDataplane

• optional WorkloadEndpointID id = 1

• optional EndpointStatus status = 2

• optional WorkloadEndpoint endpoint = 3

Used in: ToDataplane

• optional WorkloadEndpointID id = 1

• optional WorkloadEndpoint endpoint = 5

Used in: WorkloadEndpoint

• REGULAR = 0

• VM = 1