netlink

package
v0.0.0-...-4ef0159 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 3, 2025 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Package netlink implements network connection tracking.

Index

Constants

This section is empty.

Variables

View Source
var ErrNotPermitted = errors.New("netlink conntracker requires NET_ADMIN capability")

ErrNotPermitted is the error returned when the current process does not have the required permissions for netlink conntracker

Functions

func AddrIsZero

func AddrIsZero(addr netip.Addr) bool

AddrIsZero reports whether addr is its zero value

func AddrPortIsZero

func AddrPortIsZero(addrPort netip.AddrPort) bool

AddrPortIsZero reports whether addrPort is its zero value

func AddrPortWithAddr

func AddrPortWithAddr(addrPort netip.AddrPort, addr netip.Addr) netip.AddrPort

AddrPortWithAddr returns an AddrPort with Addr addr and port addrPort.Port()

func AddrPortWithPort

func AddrPortWithPort(addrPort netip.AddrPort, port uint16) netip.AddrPort

AddrPortWithPort returns an AddrPort with Addr addrPort.Addr() and port port

func DumpHostTable

func DumpHostTable(ctx context.Context, cfg *config.Config, telemetryComp telemetry.Component) (map[uint32][]DebugConntrackEntry, error)

DumpHostTable dumps the host conntrack NAT entries grouped by network namespace

func EncodeConn added in v0.9.0

func EncodeConn(conn *Con) ([]byte, error)

EncodeConn netlink encodes a `Con` object

func GenerateBPFSampler

func GenerateBPFSampler(samplingRate float64) ([]bpf.RawInstruction, error)

GenerateBPFSampler returns BPF assembly for a traffic sampler

func IsNAT added in v0.9.0

func IsNAT(c Con) bool

IsNAT returns whether this Con represents a NAT translation

func LoadNfConntrackKernelModule

func LoadNfConntrackKernelModule(cfg *config.Config) error

LoadNfConntrackKernelModule requests a dummy connection tuple from netlink conntrack which is discarded but has the side effect of loading the nf_conntrack_netlink module

func ParseNetlinkMessage

func ParseNetlinkMessage(b []byte) ([]netlink.Message, error)

ParseNetlinkMessage parses b as an array of netlink messages and returns the slice containing the netlink.Message structures.

Types

type AttributeScanner

type AttributeScanner struct {
	// contains filtered or unexported fields
}

AttributeScanner provides an iterator API to traverse each field in a netlink message. The same AttributeScanner instance can be used multiple times with different messages by calling ResetTo(). When scanning a netlink message, every time we "enter" in a nested field, a new NestedFrame is created. Based on https://github.com/mdlayher/netlink/blob/c558cf25207e57bc9cc026d2dd69e2ea2f6abd0e/attribute.go

func NewAttributeScanner

func NewAttributeScanner() *AttributeScanner

NewAttributeScanner returns a new instance of AttributeScanner

func (*AttributeScanner) Bytes

func (s *AttributeScanner) Bytes() []byte

Bytes returns the raw bytes of the current Attribute's data.

func (*AttributeScanner) Err

func (s *AttributeScanner) Err() error

Err returns the first error encountered by the scanner.

func (*AttributeScanner) Nested

func (s *AttributeScanner) Nested(fn func() error)

Nested executes the given function within a new NestedFrame

func (*AttributeScanner) Next

func (s *AttributeScanner) Next() bool

Next advances the scanner to the next netlink attribute (within the same NestedFrame). It returns false when no more attributes are present, or an error was encountered.

func (*AttributeScanner) ResetTo

func (s *AttributeScanner) ResetTo(data []byte) error

ResetTo makes the current AttributeScanner ready for another netlink message

func (*AttributeScanner) Type

func (s *AttributeScanner) Type() uint16

Type returns the Attribute.Type field of the current netlink attribute pointed to by the scanner.

type CircuitBreaker

type CircuitBreaker struct {
	// contains filtered or unexported fields
}

CircuitBreaker is meant to enforce a maximum rate of events per second Once the event rate goes above the threshold the circuit breaker will trip and remain open until Reset() is called.

func NewCircuitBreaker

func NewCircuitBreaker(maxEventsPerSec int64, tickInterval time.Duration) *CircuitBreaker

NewCircuitBreaker instantiates a new CircuitBreaker that only allows a maxEventsPerSec to pass. The rate of events is calculated using an EWMA.

func (*CircuitBreaker) IsOpen

func (c *CircuitBreaker) IsOpen() bool

IsOpen returns true when the circuit breaker trips and remain unchanched until Reset() is called.

func (*CircuitBreaker) Rate

func (c *CircuitBreaker) Rate() int64

Rate returns the current rate of events

func (*CircuitBreaker) Reset

func (c *CircuitBreaker) Reset()

Reset closes the circuit breaker and its state.

func (*CircuitBreaker) Stop added in v0.9.0

func (c *CircuitBreaker) Stop()

Stop stops the circuit breaker.

func (*CircuitBreaker) Tick

func (c *CircuitBreaker) Tick(n int)

Tick represents one or more events passing through the circuit breaker.

type Con added in v0.9.0

type Con struct {
	Origin ConTuple
	Reply  ConTuple
	NetNS  uint32
}

Con represents a conntrack entry, along with any network namespace info (nsid)

func (Con) String added in v0.9.0

func (c Con) String() string

type ConTuple

type ConTuple struct {
	Src   netip.AddrPort
	Dst   netip.AddrPort
	Proto uint8
}

ConTuple represents a tuple within a conntrack entry

func (ConTuple) IsZero

func (c ConTuple) IsZero() bool

IsZero returns c is its zero value

type Conntrack added in v0.9.0

type Conntrack interface {
	// Exists checks if a connection exists in the conntrack
	// table based on matches to `conn.Origin` or `conn.Reply`.
	Exists(conn *Con) (bool, error)
	// Dump dumps the conntrack table.
	Dump() ([]Con, error)
	// Get gets the conntrack record for a connection. Similar to
	// Exists, but returns the full connection information.
	Get(conn *Con) (Con, error)
	// Close closes the conntrack object
	Close() error
}

Conntrack is an interface to the system conntrack table

func NewConntrack added in v0.9.0

func NewConntrack(netNS netns.NsHandle) (Conntrack, error)

NewConntrack creates an implementation of the Conntrack interface. `netNS` is the network namespace for the conntrack operations. A value of `0` will use the current thread's network namespace

type Conntracker

type Conntracker interface {
	// Describe returns all descriptions of the collector
	Describe(descs chan<- *prometheus.Desc)
	// Collect returns the current state of all metrics of the collector
	Collect(metrics chan<- prometheus.Metric)
	GetTranslationForConn(*network.ConnectionTuple) *network.IPTranslation
	// GetType returns a string describing the conntracker type
	GetType() string
	DeleteTranslation(*network.ConnectionTuple)
	DumpCachedTable(context.Context) (map[uint32][]DebugConntrackEntry, error)
	Close()
}

Conntracker is a wrapper around go-conntracker that keeps a record of all connections in user space

func NewConntracker

func NewConntracker(config *config.Config, telemetrycomp telemetryComp.Component) (Conntracker, error)

NewConntracker creates a new conntracker with a short term buffer capped at the given size

func NewNoOpConntracker

func NewNoOpConntracker() Conntracker

NewNoOpConntracker creates a conntracker which always returns empty information

type Consumer

type Consumer struct {
	// contains filtered or unexported fields
}

Consumer is responsible for encapsulating all the logic of hooking into Conntrack via a Netlink socket and streaming new connection events.

func NewConsumer

func NewConsumer(cfg *config.Config, _ telemetryComp.Component) (*Consumer, error)

NewConsumer creates a new Conntrack event consumer. targetRateLimit represents the maximum number of netlink messages per second that can be read off the socket

func (*Consumer) DumpAndDiscardTable

func (c *Consumer) DumpAndDiscardTable(family uint8) (<-chan bool, error)

DumpAndDiscardTable sends a message to netlink to dump all entries present in the Conntrack table. It returns a channel which be closed once all entries have been read. Because the dumped conntrack entries are read & processed in kernelspace, the messages received from netlink here are immediately discarded. This method is meant to be used once during the process initialization of system-probe when the ebpf conntracker is used.

func (*Consumer) DumpTable

func (c *Consumer) DumpTable(family uint8) (<-chan Event, error)

DumpTable returns a channel of Event objects containing all entries present in the Conntrack table. The channel is closed once all entries are read. This method is meant to be used once during the process initialization of system-probe.

func (*Consumer) Events

func (c *Consumer) Events() (<-chan Event, error)

Events returns a channel of Event objects (wrapping netlink messages) which receives all new connections added to the Conntrack table.

func (*Consumer) Stop

func (c *Consumer) Stop()

Stop the consumer

type DebugConntrackEntry

type DebugConntrackEntry struct {
	Proto  string
	Family string
	Origin DebugConntrackTuple
	Reply  DebugConntrackTuple
}

DebugConntrackEntry is a entry in a conntrack table (host or cached).

func (DebugConntrackEntry) Compare

Compare orders entries to get deterministic output in the flare

func (DebugConntrackEntry) String

func (e DebugConntrackEntry) String() string

String roughly matches conntrack -L format

type DebugConntrackTuple

type DebugConntrackTuple struct {
	Src netip.AddrPort
	Dst netip.AddrPort
}

DebugConntrackTuple is one side of a conntrack entry

func (DebugConntrackTuple) Compare

Compare orders entries to get deterministic output in the flare

func (DebugConntrackTuple) String

func (t DebugConntrackTuple) String() string

String roughly matches conntrack -L format

type Decoder added in v0.9.0

type Decoder struct {
	// contains filtered or unexported fields
}

Decoder is responsible for decoding netlink messages

func NewDecoder added in v0.9.0

func NewDecoder() *Decoder

NewDecoder returns a new netlink message Decoder

func (*Decoder) DecodeAndReleaseEvent added in v0.9.0

func (d *Decoder) DecodeAndReleaseEvent(e Event) []Con

DecodeAndReleaseEvent decodes a single Event into a slice of []ct.Con objects and releases the underlying buffer.

type Event

type Event struct {
	// contains filtered or unexported fields
}

Event encapsulates the result of a single netlink.Con.Receive() call

func (*Event) Done

func (e *Event) Done()

Done must be called after decoding events so the underlying buffers can be reclaimed.

func (*Event) Messages

func (e *Event) Messages() []netlink.Message

Messages returned from the socket read

type NestedFrame

type NestedFrame struct {
	// contains filtered or unexported fields
}

A NestedFrame encapsulates the decoding information of a certain nesting level

type Socket

type Socket struct {
	// contains filtered or unexported fields
}

Socket is an implementation of netlink.Socket (github.com/mdlayher/netlink) It's mostly a copy of the original implementation (netlink.conn) with a few optimizations: * We don't MSG_PEEK as we use a pre-allocated buffer large enough to fit any netlink message; * We use a buffer pool for the message data; * We remove all the synchronization & go-channels cruft and bring it upstream in a cheaper/simpler way (Consumer)

func NewSocket

func NewSocket(netNS netns.NsHandle) (*Socket, error)

NewSocket creates a new NETLINK socket

func (*Socket) Close

func (s *Socket) Close() error

Close the socket

func (*Socket) File

func (s *Socket) File() *os.File

File descriptor of the socket

func (*Socket) GetSockoptInt added in v0.9.0

func (s *Socket) GetSockoptInt(level, opt int) (int, error)

GetSockoptInt gets a socket option

func (*Socket) JoinGroup

func (s *Socket) JoinGroup(group uint32) error

JoinGroup creates a new group membership

func (*Socket) LeaveGroup

func (s *Socket) LeaveGroup(group uint32) error

LeaveGroup deletes a group membership

func (*Socket) Receive

func (s *Socket) Receive() ([]netlink.Message, error)

Receive is not implemented. See ReceiveInto

func (*Socket) ReceiveAndDiscard

func (s *Socket) ReceiveAndDiscard() (bool, uint32, error)

ReceiveAndDiscard reads netlink messages off the socket & discards them. If the NLMSG_DONE flag is found in one of the messages, returns true.

func (*Socket) ReceiveInto

func (s *Socket) ReceiveInto(b []byte) ([]netlink.Message, uint32, error)

ReceiveInto reads one or more netlink.Messages off the socket

func (*Socket) Send

func (s *Socket) Send(m netlink.Message) error

Send a netlink.Message

func (*Socket) SendMessages

func (s *Socket) SendMessages(_m []netlink.Message) error

SendMessages isn't implemented in our case

func (*Socket) SetBPF

func (s *Socket) SetBPF(filter []bpf.RawInstruction) error

SetBPF attaches an assembled BPF program to the socket

func (*Socket) SetSockoptInt

func (s *Socket) SetSockoptInt(level, opt, value int) error

SetSockoptInt sets a socket option

Directories

Path Synopsis
Package testutil contains helper functions used for testing conntrack
Package testutil contains helper functions used for testing conntrack

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL