Skip to content

Latest commit

 

History

History

flow

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
flow.pb.go
flow.pb.go
 
 
flow.pb.json.go
flow.pb.json.go
 
 
flow.proto
flow.proto
 
 

README.md

Protocol Documentation

Table of Contents

Top

flow/flow.proto

AgentEvent

Field Type Label Description
type AgentEventType
unknown AgentEventUnknown
agent_start TimeNotification
policy_update PolicyUpdateNotification used for POLICY_UPDATED and POLICY_DELETED
endpoint_regenerate EndpointRegenNotification used for ENDPOINT_REGENERATE_SUCCESS and ENDPOINT_REGENERATE_FAILURE
endpoint_update EndpointUpdateNotification used for ENDPOINT_CREATED and ENDPOINT_DELETED
ipcache_update IPCacheNotification used for IPCACHE_UPSERTED and IPCACHE_DELETED
service_upsert ServiceUpsertNotification
service_delete ServiceDeleteNotification

AgentEventUnknown

Field Type Label Description
type string
notification string

CiliumEventType

CiliumEventType from which the flow originated.

Field Type Label Description
type int32 type of event the flow originated from, i.e. github.com/cilium/cilium/pkg/monitor/api.MessageType*
sub_type int32 sub_type may indicate more details depending on type, e.g. - github.com/cilium/cilium/pkg/monitor/api.Trace* - github.com/cilium/cilium/pkg/monitor/api.Drop* - github.com/cilium/cilium/pkg/monitor/api.DbgCapture*

DNS

DNS flow. This is basically directly mapped from Cilium's LogRecordDNS:

Field Type Label Description
query string DNS name that's being looked up: e.g. "isovalent.com."
ips string repeated List of IP addresses in the DNS response.
ttl uint32 TTL in the DNS response.
cnames string repeated List of CNames in the DNS response.
observation_source string Corresponds to DNSDataSource defined in:

cilium/pkg/proxy/accesslog/record.go

Line 253 in 04f3889

const (
rcode uint32 Return code of the DNS request defined in: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
qtypes string repeated String representation of qtypes defined in: https://tools.ietf.org/html/rfc1035#section-3.2.3
rrtypes string repeated String representation of rrtypes defined in: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4

DebugEvent

Field Type Label Description
type DebugEventType
source Endpoint
hash google.protobuf.UInt32Value
arg1 google.protobuf.UInt32Value
arg2 google.protobuf.UInt32Value
arg3 google.protobuf.UInt32Value
message string
cpu google.protobuf.Int32Value

Endpoint

Field Type Label Description
ID uint32
identity uint32
cluster_name string
namespace string
labels string repeated labels in foo=bar format.
pod_name string
workloads Workload repeated

EndpointRegenNotification

Field Type Label Description
id uint64
labels string repeated
error string

EndpointUpdateNotification

Field Type Label Description
id uint64
labels string repeated
error string
pod_name string
namespace string

Ethernet

Field Type Label Description
source string
destination string

EventTypeFilter

EventTypeFilter is a filter describing a particular event type.

Field Type Label Description
type int32 type is the primary flow type as defined by: github.com/cilium/cilium/pkg/monitor/api.MessageType*
match_sub_type bool match_sub_type is set to true when matching on the sub_type should be done. This flag is required as 0 is a valid sub_type.
sub_type int32 sub_type is the secondary type, e.g. - github.com/cilium/cilium/pkg/monitor/api.Trace*

FileInfo

Field Type Label Description
name string
line uint32

Flow

Field Type Label Description
time google.protobuf.Timestamp
uuid string uuid is a universally unique identifier for this flow.
verdict Verdict
drop_reason uint32 Deprecated. only applicable to Verdict = DROPPED. deprecated in favor of drop_reason_desc.
auth_type AuthType auth_type is the authentication type specified for the flow in Cilium Network Policy. Only set on policy verdict events.
ethernet Ethernet l2
IP IP l3
l4 Layer4 l4
source Endpoint
destination Endpoint
Type FlowType
node_name string NodeName is the name of the node from which this Flow was captured.
node_labels string repeated node labels in foo=bar format.
source_names string repeated all names the source IP can have.
destination_names string repeated all names the destination IP can have.
l7 Layer7 L7 information. This field is set if and only if FlowType is L7.
reply bool Deprecated. Deprecated. This suffers from false negatives due to protobuf not being able to distinguish between the value being false or it being absent. Please use is_reply instead.
event_type CiliumEventType EventType of the originating Cilium event
source_service Service source_service contains the service name of the source
destination_service Service destination_service contains the service name of the destination
traffic_direction TrafficDirection traffic_direction of the connection, e.g. ingress or egress
policy_match_type uint32 policy_match_type is only applicable to the cilium event type PolicyVerdict

cilium/pkg/monitor/datapath_policy.go

Line 50 in e831859

// PolicyMatchNone is the value of MatchType indicatating no policy match
trace_observation_point TraceObservationPoint Only applicable to cilium trace notifications, blank for other types.
trace_reason TraceReason Cilium datapath trace reason info.
file FileInfo Cilium datapath filename and line number. Currently only applicable when Verdict = DROPPED.
drop_reason_desc DropReason only applicable to Verdict = DROPPED.
is_reply google.protobuf.BoolValue is_reply indicates that this was a packet (L4) or message (L7) in the reply direction. May be absent (in which case it is unknown whether it is a reply or not).
debug_capture_point DebugCapturePoint Only applicable to cilium debug capture events, blank for other types
interface NetworkInterface interface is the network interface on which this flow was observed
proxy_port uint32 proxy_port indicates the port of the proxy to which the flow was forwarded
trace_context TraceContext trace_context contains information about a trace related to the flow, if any.
sock_xlate_point SocketTranslationPoint sock_xlate_point is the socket translation point. Only applicable to TraceSock notifications, blank for other types
socket_cookie uint64 socket_cookie is the Linux kernel socket cookie for this flow. Only applicable to TraceSock notifications, zero for other types
cgroup_id uint64 cgroup_id of the process which emitted this event. Only applicable to TraceSock notifications, zero for other types
Summary string Deprecated. This is a temporary workaround to support summary field for pb.Flow without duplicating logic from the old parser. This field will be removed once we fully migrate to the new parser.
extensions google.protobuf.Any extensions can be used to add arbitrary additional metadata to flows. This can be used to extend functionality for other Hubble compatible APIs, or experiment with new functionality without needing to change the public API.
egress_allowed_by Policy repeated The CiliumNetworkPolicies allowing the egress of the flow.
ingress_allowed_by Policy repeated The CiliumNetworkPolicies allowing the ingress of the flow.
egress_denied_by Policy repeated The CiliumNetworkPolicies denying the egress of the flow.
ingress_denied_by Policy repeated The CiliumNetworkPolicies denying the ingress of the flow.

FlowFilter

FlowFilter represent an individual flow filter. All fields are optional. If multiple fields are set, then all fields must match for the filter to match.

Field Type Label Description
uuid string repeated uuid filters by a list of flow uuids.
source_ip string repeated source_ip filters by a list of source ips. Each of the source ips can be specified as an exact match (e.g. "1.1.1.1") or as a CIDR range (e.g. "1.1.1.0/24").
source_ip_xlated string repeated source_ip_xlated filters by a list IPs. Each of the IPs can be specified as an exact match (e.g. "1.1.1.1") or as a CIDR range (e.g. "1.1.1.0/24").
source_pod string repeated source_pod filters by a list of source pod name prefixes, optionally within a given namespace (e.g. "xwing", "kube-system/coredns-"). The pod name can be omitted to only filter by namespace (e.g. "kube-system/") or the namespace can be omitted to filter for pods in any namespace (e.g. "/xwing")
source_fqdn string repeated source_fqdn filters by a list of source fully qualified domain names
source_label string repeated source_labels filters on a list of source label selectors. Selectors support the full Kubernetes label selector syntax.
source_service string repeated source_service filters on a list of source service names. This field supports the same syntax as the source_pod field.
source_workload Workload repeated source_workload filters by a list of source workload.
source_cluster_name string repeated source_cluster_name filters by a list of source cluster names.
destination_ip string repeated destination_ip filters by a list of destination ips. Each of the destination ips can be specified as an exact match (e.g. "1.1.1.1") or as a CIDR range (e.g. "1.1.1.0/24").
destination_pod string repeated destination_pod filters by a list of destination pod names
destination_fqdn string repeated destination_fqdn filters by a list of destination fully qualified domain names
destination_label string repeated destination_label filters on a list of destination label selectors
destination_service string repeated destination_service filters on a list of destination service names
destination_workload Workload repeated destination_workload filters by a list of destination workload.
destination_cluster_name string repeated destination_cluster_name filters by a list of destination cluster names.
traffic_direction TrafficDirection repeated traffic_direction filters flow by direction of the connection, e.g. ingress or egress.
verdict Verdict repeated only return Flows that were classified with a particular verdict.
drop_reason_desc DropReason repeated only applicable to Verdict = DROPPED (e.g. "POLICY_DENIED", "UNSUPPORTED_L3_PROTOCOL")
interface NetworkInterface repeated interface is the network interface on which this flow was observed.
event_type EventTypeFilter repeated event_type is the list of event types to filter on
http_status_code string repeated http_status_code is a list of string prefixes (e.g. "4+", "404", "5+") to filter on the HTTP status code
protocol string repeated protocol filters flows by L4 or L7 protocol, e.g. (e.g. "tcp", "http")
source_port string repeated source_port filters flows by L4 source port
destination_port string repeated destination_port filters flows by L4 destination port
reply bool repeated reply filters flows based on the direction of the flow.
dns_query string repeated dns_query filters L7 DNS flows by query patterns (RE2 regex), e.g. 'kube.*local'.
source_identity uint32 repeated source_identity filters by the security identity of the source endpoint.
destination_identity uint32 repeated destination_identity filters by the security identity of the destination endpoint.
http_method string repeated GET, POST, PUT, etc. methods. This type of field is well suited for an enum but every single existing place is using a string already.
http_path string repeated http_path is a list of regular expressions to filter on the HTTP path.
http_url string repeated http_url is a list of regular expressions to filter on the HTTP URL.
http_header HTTPHeader repeated http_header is a list of key:value pairs to filter on the HTTP headers.
tcp_flags TCPFlags repeated tcp_flags filters flows based on TCP header flags
node_name string repeated node_name is a list of patterns to filter on the node name, e.g. "k8s*", "test-cluster/*.domain.com", "cluster-name/" etc.
node_labels string repeated node_labels filters on a list of node label selectors. Selectors support the full Kubernetes label selector syntax.
ip_version IPVersion repeated filter based on IP version (ipv4 or ipv6)
trace_id string repeated trace_id filters flows by trace ID
experimental FlowFilter.Experimental experimental contains filters that are not stable yet. Support for experimental features is always optional and subject to change.

FlowFilter.Experimental

Experimental contains filters that are not stable yet. Support for experimental features is always optional and subject to change.

Field Type Label Description
cel_expression string repeated cel_expression takes a common expression language (CEL) expression returning a boolean to determine if the filter matched or not. You can use the _flow variable to access fields on the flow using the flow.Flow protobuf field names. See https://github.com/google/cel-spec/blob/v0.14.0/doc/intro.md#introduction for more details on CEL and accessing the protobuf fields in CEL. Using CEL has performance cost compared to other filters, so prefer using non-CEL filters when possible, and try to specify CEL filters last in the list of FlowFilters.

HTTP

L7 information for HTTP flows. It corresponds to Cilium's accesslog.LogRecordHTTP type.

Field Type Label Description
code uint32
method string
url string
protocol string
headers HTTPHeader repeated

HTTPHeader

Field Type Label Description
key string
value string

ICMPv4

Field Type Label Description
type uint32
code uint32

ICMPv6

Field Type Label Description
type uint32
code uint32

IP

Field Type Label Description
source string
source_xlated string source_xlated is the post-translation source IP when the flow was SNATed. When "source_xlated" is set, the "source" field is populated with the pre-translation source IP address.
destination string
ipVersion IPVersion
encrypted bool This field indicates whether the TraceReasonEncryptMask is set or not.

cilium/pkg/monitor/datapath_trace.go

Line 27 in ba0ed14

// TraceReasonEncryptMask is the bit used to indicate encryption or not

IPCacheNotification

Field Type Label Description
cidr string
identity uint32
old_identity google.protobuf.UInt32Value
host_ip string
old_host_ip string
encrypt_key uint32
namespace string
pod_name string

Kafka

L7 information for Kafka flows. It corresponds to Cilium's accesslog.LogRecordKafka type.

Field Type Label Description
error_code int32
api_version int32
api_key string
correlation_id int32
topic string

Layer4

Field Type Label Description
TCP TCP
UDP UDP
ICMPv4 ICMPv4 ICMP is technically not L4, but mutually exclusive with the above
ICMPv6 ICMPv6
SCTP SCTP

Layer7

Message for L7 flow, which roughly corresponds to Cilium's accesslog LogRecord:

Field Type Label Description
type L7FlowType
latency_ns uint64 Latency of the response
dns DNS
http HTTP
kafka Kafka

LostEvent

LostEvent is a message which notifies consumers about a loss of events that happened before the events were captured by Hubble.

Field Type Label Description
source LostEventSource source is the location where events got lost.
num_events_lost uint64 num_events_lost is the number of events that haven been lost at source.
cpu google.protobuf.Int32Value cpu on which the event was lost if the source of lost events is PERF_EVENT_RING_BUFFER.

NetworkInterface

Field Type Label Description
index uint32
name string

Policy

Field Type Label Description
name string
namespace string
labels string repeated
revision uint64
kind string

PolicyUpdateNotification

Field Type Label Description
labels string repeated
revision uint64
rule_count int64

SCTP

Field Type Label Description
source_port uint32
destination_port uint32

Service

Field Type Label Description
name string
namespace string

ServiceDeleteNotification

Field Type Label Description
id uint32

ServiceUpsertNotification

Field Type Label Description
id uint32
frontend_address ServiceUpsertNotificationAddr
backend_addresses ServiceUpsertNotificationAddr repeated
type string
traffic_policy string Deprecated.
name string
namespace string
ext_traffic_policy string
int_traffic_policy string

ServiceUpsertNotificationAddr

Field Type Label Description
ip string
port uint32

TCP

Field Type Label Description
source_port uint32
destination_port uint32
flags TCPFlags

TCPFlags

Field Type Label Description
FIN bool
SYN bool
RST bool
PSH bool
ACK bool
URG bool
ECE bool
CWR bool
NS bool

TimeNotification

Field Type Label Description
time google.protobuf.Timestamp

TraceContext

TraceContext contains trace context propagation data, i.e. information about a distributed trace. For more information about trace context, check the W3C Trace Context specification.

Field Type Label Description
parent TraceParent parent identifies the incoming request in a tracing system.

TraceParent

TraceParent identifies the incoming request in a tracing system.

Field Type Label Description
trace_id string trace_id is a unique value that identifies a trace. It is a byte array represented as a hex string.

UDP

Field Type Label Description
source_port uint32
destination_port uint32

Workload

Field Type Label Description
name string
kind string

AgentEventType

AgentEventType is the type of agent event. These values are shared with type AgentNotification in pkg/monitor/api/types.go.

Name Number Description
AGENT_EVENT_UNKNOWN 0
AGENT_STARTED 2
POLICY_UPDATED 3
POLICY_DELETED 4
ENDPOINT_REGENERATE_SUCCESS 5
ENDPOINT_REGENERATE_FAILURE 6
ENDPOINT_CREATED 7
ENDPOINT_DELETED 8
IPCACHE_UPSERTED 9
IPCACHE_DELETED 10
SERVICE_UPSERTED 11
SERVICE_DELETED 12

AuthType

These types correspond to definitions in pkg/policy/l4.go.

Name Number Description
DISABLED 0
SPIRE 1
TEST_ALWAYS_FAIL 2

DebugCapturePoint

These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.

Name Number Description
DBG_CAPTURE_POINT_UNKNOWN 0
DBG_CAPTURE_DELIVERY 4
DBG_CAPTURE_FROM_LB 5
DBG_CAPTURE_AFTER_V46 6
DBG_CAPTURE_AFTER_V64 7
DBG_CAPTURE_PROXY_PRE 8
DBG_CAPTURE_PROXY_POST 9
DBG_CAPTURE_SNAT_PRE 10
DBG_CAPTURE_SNAT_POST 11

DebugEventType

These values are shared with pkg/monitor/api/datapath_debug.go and bpf/lib/dbg.h.

Name Number Description
DBG_EVENT_UNKNOWN 0
DBG_GENERIC 1
DBG_LOCAL_DELIVERY 2
DBG_ENCAP 3
DBG_LXC_FOUND 4
DBG_POLICY_DENIED 5
DBG_CT_LOOKUP 6
DBG_CT_LOOKUP_REV 7
DBG_CT_MATCH 8
DBG_CT_CREATED 9
DBG_CT_CREATED2 10
DBG_ICMP6_HANDLE 11
DBG_ICMP6_REQUEST 12
DBG_ICMP6_NS 13
DBG_ICMP6_TIME_EXCEEDED 14
DBG_CT_VERDICT 15
DBG_DECAP 16
DBG_PORT_MAP 17
DBG_ERROR_RET 18
DBG_TO_HOST 19
DBG_TO_STACK 20
DBG_PKT_HASH 21
DBG_LB6_LOOKUP_FRONTEND 22
DBG_LB6_LOOKUP_FRONTEND_FAIL 23
DBG_LB6_LOOKUP_BACKEND_SLOT 24
DBG_LB6_LOOKUP_BACKEND_SLOT_SUCCESS 25
DBG_LB6_LOOKUP_BACKEND_SLOT_V2_FAIL 26
DBG_LB6_LOOKUP_BACKEND_FAIL 27
DBG_LB6_REVERSE_NAT_LOOKUP 28
DBG_LB6_REVERSE_NAT 29
DBG_LB4_LOOKUP_FRONTEND 30
DBG_LB4_LOOKUP_FRONTEND_FAIL 31
DBG_LB4_LOOKUP_BACKEND_SLOT 32
DBG_LB4_LOOKUP_BACKEND_SLOT_SUCCESS 33
DBG_LB4_LOOKUP_BACKEND_SLOT_V2_FAIL 34
DBG_LB4_LOOKUP_BACKEND_FAIL 35
DBG_LB4_REVERSE_NAT_LOOKUP 36
DBG_LB4_REVERSE_NAT 37
DBG_LB4_LOOPBACK_SNAT 38
DBG_LB4_LOOPBACK_SNAT_REV 39
DBG_CT_LOOKUP4 40
DBG_RR_BACKEND_SLOT_SEL 41
DBG_REV_PROXY_LOOKUP 42
DBG_REV_PROXY_FOUND 43
DBG_REV_PROXY_UPDATE 44
DBG_L4_POLICY 45
DBG_NETDEV_IN_CLUSTER 46
DBG_NETDEV_ENCAP4 47
DBG_CT_LOOKUP4_1 48
DBG_CT_LOOKUP4_2 49
DBG_CT_CREATED4 50
DBG_CT_LOOKUP6_1 51
DBG_CT_LOOKUP6_2 52
DBG_CT_CREATED6 53
DBG_SKIP_PROXY 54
DBG_L4_CREATE 55
DBG_IP_ID_MAP_FAILED4 56
DBG_IP_ID_MAP_FAILED6 57
DBG_IP_ID_MAP_SUCCEED4 58
DBG_IP_ID_MAP_SUCCEED6 59
DBG_LB_STALE_CT 60
DBG_INHERIT_IDENTITY 61
DBG_SK_LOOKUP4 62
DBG_SK_LOOKUP6 63
DBG_SK_ASSIGN 64
DBG_L7_LB 65
DBG_SKIP_POLICY 66

DropReason

These values are shared with pkg/monitor/api/drop.go and bpf/lib/common.h. Note that non-drop reasons (i.e. values less than api.DropMin) are not used here.

Name Number Description
DROP_REASON_UNKNOWN 0 non-drop reasons
INVALID_SOURCE_MAC 130 drop reasons
INVALID_DESTINATION_MAC 131
INVALID_SOURCE_IP 132
POLICY_DENIED 133
INVALID_PACKET_DROPPED 134
CT_TRUNCATED_OR_INVALID_HEADER 135
CT_MISSING_TCP_ACK_FLAG 136
CT_UNKNOWN_L4_PROTOCOL 137
CT_CANNOT_CREATE_ENTRY_FROM_PACKET 138
UNSUPPORTED_L3_PROTOCOL 139
MISSED_TAIL_CALL 140
ERROR_WRITING_TO_PACKET 141
UNKNOWN_L4_PROTOCOL 142
UNKNOWN_ICMPV4_CODE 143
UNKNOWN_ICMPV4_TYPE 144
UNKNOWN_ICMPV6_CODE 145
UNKNOWN_ICMPV6_TYPE 146
ERROR_RETRIEVING_TUNNEL_KEY 147
ERROR_RETRIEVING_TUNNEL_OPTIONS 148
INVALID_GENEVE_OPTION 149
UNKNOWN_L3_TARGET_ADDRESS 150
STALE_OR_UNROUTABLE_IP 151
NO_MATCHING_LOCAL_CONTAINER_FOUND 152
ERROR_WHILE_CORRECTING_L3_CHECKSUM 153
ERROR_WHILE_CORRECTING_L4_CHECKSUM 154
CT_MAP_INSERTION_FAILED 155
INVALID_IPV6_EXTENSION_HEADER 156
IP_FRAGMENTATION_NOT_SUPPORTED 157
SERVICE_BACKEND_NOT_FOUND 158
NO_TUNNEL_OR_ENCAPSULATION_ENDPOINT 160
FAILED_TO_INSERT_INTO_PROXYMAP 161
REACHED_EDT_RATE_LIMITING_DROP_HORIZON 162
UNKNOWN_CONNECTION_TRACKING_STATE 163
LOCAL_HOST_IS_UNREACHABLE 164
NO_CONFIGURATION_AVAILABLE_TO_PERFORM_POLICY_DECISION 165
UNSUPPORTED_L2_PROTOCOL 166
NO_MAPPING_FOR_NAT_MASQUERADE 167
UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE 168
FIB_LOOKUP_FAILED 169
ENCAPSULATION_TRAFFIC_IS_PROHIBITED 170
INVALID_IDENTITY 171
UNKNOWN_SENDER 172
NAT_NOT_NEEDED 173
IS_A_CLUSTERIP 174
FIRST_LOGICAL_DATAGRAM_FRAGMENT_NOT_FOUND 175
FORBIDDEN_ICMPV6_MESSAGE 176
DENIED_BY_LB_SRC_RANGE_CHECK 177
SOCKET_LOOKUP_FAILED 178
SOCKET_ASSIGN_FAILED 179
PROXY_REDIRECTION_NOT_SUPPORTED_FOR_PROTOCOL 180
POLICY_DENY 181
VLAN_FILTERED 182
INVALID_VNI 183
INVALID_TC_BUFFER 184
NO_SID 185
MISSING_SRV6_STATE 186
NAT46 187
NAT64 188
AUTH_REQUIRED 189
CT_NO_MAP_FOUND 190
SNAT_NO_MAP_FOUND 191
INVALID_CLUSTER_ID 192
UNSUPPORTED_PROTOCOL_FOR_DSR_ENCAP 193
NO_EGRESS_GATEWAY 194
UNENCRYPTED_TRAFFIC 195
TTL_EXCEEDED 196
NO_NODE_ID 197
DROP_RATE_LIMITED 198
IGMP_HANDLED 199
IGMP_SUBSCRIBED 200
MULTICAST_HANDLED 201
DROP_HOST_NOT_READY 202 A BPF program wants to tail call into bpf_host, but the host datapath hasn't been loaded yet.
DROP_EP_NOT_READY 203 A BPF program wants to tail call some endpoint's policy program in cilium_call_policy, but the program is not available.
DROP_NO_EGRESS_IP 204 An Egress Gateway node matched a packet against an Egress Gateway policy that didn't select a valid Egress IP.

EventType

EventType are constants are based on the ones from <linux/perf_event.h>.

Name Number Description
UNKNOWN 0
EventSample 9 EventSample is equivalent to PERF_RECORD_SAMPLE.
RecordLost 2 RecordLost is equivalent to PERF_RECORD_LOST.

FlowType

Name Number Description
UNKNOWN_TYPE 0
L3_L4 1 not sure about the underscore here, but L34 also reads strange
L7 2
SOCK 3

IPVersion

Name Number Description
IP_NOT_USED 0
IPv4 1
IPv6 2

L7FlowType

This enum corresponds to Cilium's L7 accesslog FlowType:

Name Number Description
UNKNOWN_L7_TYPE 0
REQUEST 1
RESPONSE 2
SAMPLE 3

LostEventSource

Name Number Description
UNKNOWN_LOST_EVENT_SOURCE 0
PERF_EVENT_RING_BUFFER 1 PERF_EVENT_RING_BUFFER indicates that events were dropped in the BPF perf event ring buffer, indicating that userspace agent did not keep up with the events produced by the datapath.
OBSERVER_EVENTS_QUEUE 2 OBSERVER_EVENTS_QUEUE indicates that events were dropped because the Hubble events queue was full, indicating that the Hubble observer did not keep up.
HUBBLE_RING_BUFFER 3 HUBBLE_RING_BUFFER indicates that the event was dropped because it could not be read from Hubble's ring buffer in time before being overwritten.

SocketTranslationPoint

This mirrors enum xlate_point in bpf/lib/trace_sock.h

Name Number Description
SOCK_XLATE_POINT_UNKNOWN 0
SOCK_XLATE_POINT_PRE_DIRECTION_FWD 1 Pre service translation
SOCK_XLATE_POINT_POST_DIRECTION_FWD 2 Post service translation
SOCK_XLATE_POINT_PRE_DIRECTION_REV 3 Pre reverse service translation
SOCK_XLATE_POINT_POST_DIRECTION_REV 4 Post reverse service translation

TraceObservationPoint

Name Number Description
UNKNOWN_POINT 0 Cilium treats 0 as TO_LXC, but its's something we should work to remove. This is intentionally set as unknown, so proto API can guarantee the observation point is always going to be present on trace events.
TO_PROXY 1 TO_PROXY indicates network packets are transmitted towards the l7 proxy.
TO_HOST 2 TO_HOST indicates network packets are transmitted towards the host namespace.
TO_STACK 3 TO_STACK indicates network packets are transmitted towards the Linux kernel network stack on host machine.
TO_OVERLAY 4 TO_OVERLAY indicates network packets are transmitted towards the tunnel device.
TO_ENDPOINT 101 TO_ENDPOINT indicates network packets are transmitted towards endpoints (containers).
FROM_ENDPOINT 5 FROM_ENDPOINT indicates network packets were received from endpoints (containers).
FROM_PROXY 6 FROM_PROXY indicates network packets were received from the l7 proxy.
FROM_HOST 7 FROM_HOST indicates network packets were received from the host namespace.
FROM_STACK 8 FROM_STACK indicates network packets were received from the Linux kernel network stack on host machine.
FROM_OVERLAY 9 FROM_OVERLAY indicates network packets were received from the tunnel device.
FROM_NETWORK 10 FROM_NETWORK indicates network packets were received from native devices.
TO_NETWORK 11 TO_NETWORK indicates network packets are transmitted towards native devices.

TraceReason

Name Number Description
TRACE_REASON_UNKNOWN 0
NEW 1
ESTABLISHED 2
REPLY 3
RELATED 4
REOPENED 5
SRV6_ENCAP 6
SRV6_DECAP 7
ENCRYPT_OVERLAY 8

TrafficDirection

Name Number Description
TRAFFIC_DIRECTION_UNKNOWN 0
INGRESS 1
EGRESS 2

Verdict

Name Number Description
VERDICT_UNKNOWN 0 UNKNOWN is used if there is no verdict for this flow event
FORWARDED 1 FORWARDED is used for flow events where the trace point has forwarded this packet or connection to the next processing entity.
DROPPED 2 DROPPED is used for flow events where the connection or packet has been dropped (e.g. due to a malformed packet, it being rejected by a network policy etc). The exact drop reason may be found in drop_reason_desc.
ERROR 3 ERROR is used for flow events where an error occurred during processing
AUDIT 4 AUDIT is used on policy verdict events in policy audit mode, to denominate flows that would have been dropped by policy if audit mode was turned off
REDIRECTED 5 REDIRECTED is used for flow events which have been redirected to the proxy
TRACED 6 TRACED is used for flow events which have been observed at a trace point, but no particular verdict has been reached yet
TRANSLATED 7 TRANSLATED is used for flow events where an address has been translated

Scalar Value Types

.proto Type Notes C++ Java Python Go C# PHP Ruby
double double double float float64 double float Float
float float float float float32 float float Float
int32 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. int32 int int int32 int integer Bignum or Fixnum (as required)
int64 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. int64 long int/long int64 long integer/string Bignum
uint32 Uses variable-length encoding. uint32 int int/long uint32 uint integer Bignum or Fixnum (as required)
uint64 Uses variable-length encoding. uint64 long int/long uint64 ulong integer/string Bignum or Fixnum (as required)
sint32 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. int32 int int int32 int integer Bignum or Fixnum (as required)
sint64 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. int64 long int/long int64 long integer/string Bignum
fixed32 Always four bytes. More efficient than uint32 if values are often greater than 2^28. uint32 int int uint32 uint integer Bignum or Fixnum (as required)
fixed64 Always eight bytes. More efficient than uint64 if values are often greater than 2^56. uint64 long int/long uint64 ulong integer/string Bignum
sfixed32 Always four bytes. int32 int int int32 int integer Bignum or Fixnum (as required)
sfixed64 Always eight bytes. int64 long int/long int64 long integer/string Bignum
bool bool boolean boolean bool bool boolean TrueClass/FalseClass
string A string must always contain UTF-8 encoded or 7-bit ASCII text. string String str/unicode string string string String (UTF-8)
bytes May contain any arbitrary sequence of bytes. string ByteString str []byte ByteString string String (ASCII-8BIT)