Documentation ¶
Overview ¶
Package netlink implements network connection tracking.
Index ¶
- Variables
- func AddrIsZero(addr netip.Addr) bool
- func AddrPortIsZero(addrPort netip.AddrPort) bool
- func AddrPortWithAddr(addrPort netip.AddrPort, addr netip.Addr) netip.AddrPort
- func AddrPortWithPort(addrPort netip.AddrPort, port uint16) netip.AddrPort
- func DumpHostTable(ctx context.Context, cfg *config.Config, telemetryComp telemetry.Component) (map[uint32][]DebugConntrackEntry, error)
- func EncodeConn(conn *Con) ([]byte, error)
- func GenerateBPFSampler(samplingRate float64) ([]bpf.RawInstruction, error)
- func IsNAT(c Con) bool
- func LoadNfConntrackKernelModule(ns netns.NsHandle) error
- func ParseNetlinkMessage(b []byte) ([]netlink.Message, error)
- type AttributeScanner
- type CircuitBreaker
- type Con
- type ConTuple
- type Conntrack
- type Conntracker
- type Consumer
- type DebugConntrackEntry
- type DebugConntrackTuple
- type Decoder
- type Event
- type NestedFrame
- type Socket
- func (s *Socket) Close() error
- func (s *Socket) File() *os.File
- func (s *Socket) GetSockoptInt(level, opt int) (int, error)
- func (s *Socket) JoinGroup(group uint32) error
- func (s *Socket) LeaveGroup(group uint32) error
- func (s *Socket) Receive() ([]netlink.Message, error)
- func (s *Socket) ReceiveAndDiscard() (bool, uint32, error)
- func (s *Socket) ReceiveInto(b []byte) ([]netlink.Message, uint32, error)
- func (s *Socket) Send(m netlink.Message) error
- func (s *Socket) SendMessages(_m []netlink.Message) error
- func (s *Socket) SetBPF(filter []bpf.RawInstruction) error
- func (s *Socket) SetSockoptInt(level, opt, value int) error
Constants ¶
This section is empty.
Variables ¶
var ErrNotPermitted = errors.New("netlink conntracker requires NET_ADMIN capability")
ErrNotPermitted is the error returned when the current process does not have the required permissions for netlink conntracker
Functions ¶
func AddrIsZero ¶
AddrIsZero reports whether addr is its zero value
func AddrPortIsZero ¶
AddrPortIsZero reports whether addrPort is its zero value
func AddrPortWithAddr ¶
AddrPortWithAddr returns an AddrPort with Addr addr and port addrPort.Port()
func AddrPortWithPort ¶
AddrPortWithPort returns an AddrPort with Addr addrPort.Addr() and port port
func DumpHostTable ¶
func DumpHostTable(ctx context.Context, cfg *config.Config, telemetryComp telemetry.Component) (map[uint32][]DebugConntrackEntry, error)
DumpHostTable dumps the host conntrack NAT entries grouped by network namespace
func EncodeConn ¶ added in v0.9.0
EncodeConn netlink-encodes a `Con` object
func GenerateBPFSampler ¶
func GenerateBPFSampler(samplingRate float64) ([]bpf.RawInstruction, error)
GenerateBPFSampler returns BPF assembly for a traffic sampler
func LoadNfConntrackKernelModule ¶
LoadNfConntrackKernelModule requests a dummy connection tuple from netlink conntrack which is discarded but has the side effect of loading the nf_conntrack_netlink module
Types ¶
type AttributeScanner ¶
type AttributeScanner struct {
// contains filtered or unexported fields
}
AttributeScanner provides an iterator API to traverse each field in a netlink message. The same AttributeScanner instance can be used multiple times with different messages by calling ResetTo(). When scanning a netlink message, every time we "enter" a nested field, a new NestedFrame is created. Based on https://github.com/mdlayher/netlink/blob/c558cf25207e57bc9cc026d2dd69e2ea2f6abd0e/attribute.go
func NewAttributeScanner ¶
func NewAttributeScanner() *AttributeScanner
NewAttributeScanner returns a new instance of AttributeScanner
func (*AttributeScanner) Bytes ¶
func (s *AttributeScanner) Bytes() []byte
Bytes returns the raw bytes of the current Attribute's data.
func (*AttributeScanner) Err ¶
func (s *AttributeScanner) Err() error
Err returns the first error encountered by the scanner.
func (*AttributeScanner) Nested ¶
func (s *AttributeScanner) Nested(fn func() error)
Nested executes the given function within a new NestedFrame
func (*AttributeScanner) Next ¶
func (s *AttributeScanner) Next() bool
Next advances the scanner to the next netlink attribute (within the same NestedFrame). It returns false when no more attributes are present, or an error was encountered.
func (*AttributeScanner) ResetTo ¶
func (s *AttributeScanner) ResetTo(data []byte) error
ResetTo makes the current AttributeScanner ready for another netlink message
func (*AttributeScanner) Type ¶
func (s *AttributeScanner) Type() uint16
Type returns the Attribute.Type field of the current netlink attribute pointed to by the scanner.
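The attribute layout that AttributeScanner walks (a 4-byte nlattr header of length and type, 4-byte payload alignment, and a type flag that marks a nested list) is shown in the added example below, which is not part of this package: a small recursive scanner with the bounds checks such a parser needs, run over a constructed byte sample. Little-endian host byte order and the 0x8000 nested flag are assumptions stated in the comments.

```go
package main

import (
	"encoding/binary"
	"errors"
)
// nlattr header: uint16 length (header included), uint16 type; payloads are
// padded to 4 bytes and bit 15 of the type marks a nested attribute list.
const nlaHeaderLen, nlaFNested, nlaTypeMask = 4, 0x8000, 0x3fff

// Attr is one decoded attribute; Nested holds the children of a nested one.
type Attr struct {
	Type   uint16
	Data   []byte
	Nested []Attr
}

// scanAttrs walks an attribute list the way AttributeScanner's Next()/Nested()
// loop does; length checks reject truncated or oversized attributes early.
func scanAttrs(b []byte) (out []Attr, err error) {
	for len(b) > 0 {
		if len(b) < nlaHeaderLen {
			return nil, errors.New("truncated attribute header")
		}
		// The kernel writes host byte order; little-endian assumed here (x86-64).
		l := int(binary.LittleEndian.Uint16(b[0:2]))
		t := binary.LittleEndian.Uint16(b[2:4])
		if l < nlaHeaderLen || l > len(b) {
			return nil, errors.New("attribute length outside buffer")
		}
		a := Attr{Type: t & nlaTypeMask, Data: b[nlaHeaderLen:l]}
		if t&nlaFNested != 0 {
			if a.Nested, err = scanAttrs(a.Data); err != nil {
				return nil, err
			}
		}
		out = append(out, a)
		if l = (l + 3) &^ 3; l > len(b) { // skip payload plus alignment padding
			l = len(b)
		}
		b = b[l:]
	}
	return out, nil
}

// sampleAttrs is a constructed message: a nested attribute (type 1) holding two
// 4-byte children, then a flat 2-byte attribute (type 2) with trailing padding.
var sampleAttrs = []byte{
	0x14, 0x00, 0x01, 0x80, // len 20, type 1 | nested flag
	0x08, 0x00, 0x01, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x08, 0x00, 0x02, 0x00, 0x0a, 0x00, 0x00, 0x02,
	0x06, 0x00, 0x02, 0x00, 0x11, 0x22, 0x00, 0x00, // len 6 (2 data bytes) plus 2 pad bytes
}
```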
type CircuitBreaker ¶
type CircuitBreaker struct {
// contains filtered or unexported fields
}
CircuitBreaker is meant to enforce a maximum rate of events per second. Once the event rate goes above the threshold the circuit breaker will trip and remain open until Reset() is called.
func NewCircuitBreaker ¶
func NewCircuitBreaker(maxEventsPerSec int64, tickInterval time.Duration) *CircuitBreaker
NewCircuitBreaker instantiates a new CircuitBreaker that only allows a maxEventsPerSec to pass. The rate of events is calculated using an EWMA.
func (*CircuitBreaker) IsOpen ¶
func (c *CircuitBreaker) IsOpen() bool
IsOpen returns true once the circuit breaker has tripped and remains true until Reset() is called.
func (*CircuitBreaker) Rate ¶
func (c *CircuitBreaker) Rate() int64
Rate returns the current rate of events
func (*CircuitBreaker) Reset ¶
func (c *CircuitBreaker) Reset()
Reset closes the circuit breaker and resets its state.
func (*CircuitBreaker) Stop ¶ added in v0.9.0
func (c *CircuitBreaker) Stop()
Stop stops the circuit breaker.
func (*CircuitBreaker) Tick ¶
func (c *CircuitBreaker) Tick(n int)
Tick represents one or more events passing through the circuit breaker.
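The trip-and-latch behaviour described for CircuitBreaker (an EWMA of events per second that, once over maxEventsPerSec, stays open until Reset()) is illustrated by the added sketch below; it is not this package's implementation. It assumes a smoothing factor of 0.5 and replaces the ticker goroutine with an explicit Interval() call so the arithmetic is deterministic.

```go
package main

import "time"

// RateBreaker mirrors the CircuitBreaker API above: Tick() feeds events,
// Interval() folds one tickInterval into an EWMA, and a breached limit latches
// open until Reset(). The ticker-driven update of the real type is made
// explicit here (assumption) so the example runs without timing.
type RateBreaker struct {
	maxEventsPerSec int64
	tickInterval    time.Duration
	alpha           float64 // EWMA smoothing factor; 0.5 is an assumed value
	rate            float64
	pending         int64
	open            bool
}

func NewRateBreaker(maxEventsPerSec int64, tickInterval time.Duration) *RateBreaker {
	return &RateBreaker{maxEventsPerSec: maxEventsPerSec, tickInterval: tickInterval, alpha: 0.5}
}

// Tick records n events passing through since the last interval boundary.
func (c *RateBreaker) Tick(n int) { c.pending += int64(n) }

// Interval folds the events of one tickInterval into the EWMA and trips the
// breaker if the smoothed rate is above maxEventsPerSec.
func (c *RateBreaker) Interval() {
	perSec := float64(c.pending) / c.tickInterval.Seconds()
	c.pending = 0
	c.rate = c.alpha*perSec + (1-c.alpha)*c.rate
	if int64(c.rate) > c.maxEventsPerSec {
		c.open = true // latched: a quieter interval does not close it again
	}
}

// Rate returns the smoothed events-per-second estimate.
func (c *RateBreaker) Rate() int64 { return int64(c.rate) }

// IsOpen reports whether the breaker has tripped.
func (c *RateBreaker) IsOpen() bool { return c.open }

// Reset closes the breaker and clears its state.
func (c *RateBreaker) Reset() { c.open, c.rate, c.pending = false, 0, 0 }
```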
type Con ¶ added in v0.9.0
Con represents a conntrack entry, along with any network namespace info (nsid)
type Conntrack ¶ added in v0.9.0
type Conntrack interface {
	// Exists checks if a connection exists in the conntrack
	// table based on matches to `conn.Origin` or `conn.Reply`.
	Exists(conn *Con) (bool, error)
	// Dump dumps the conntrack table.
	Dump() ([]Con, error)
	// Get gets the conntrack record for a connection. Similar to
	// Exists, but returns the full connection information.
	Get(conn *Con) (Con, error)
	// Close closes the conntrack object
	Close() error
}
Conntrack is an interface to the system conntrack table
type Conntracker ¶
type Conntracker interface {
	// Describe returns all descriptions of the collector
	Describe(descs chan<- *prometheus.Desc)
	// Collect returns the current state of all metrics of the collector
	Collect(metrics chan<- prometheus.Metric)
	GetTranslationForConn(*network.ConnectionTuple) *network.IPTranslation
	// GetType returns a string describing whether the conntracker is "ebpf" or "netlink"
	GetType() string
	DeleteTranslation(*network.ConnectionTuple)
	DumpCachedTable(context.Context) (map[uint32][]DebugConntrackEntry, error)
	Close()
}
Conntracker is a wrapper around go-conntracker that keeps a record of all connections in user space
func NewConntracker ¶
func NewConntracker(config *config.Config, telemetrycomp telemetryComp.Component) (Conntracker, error)
NewConntracker creates a new conntracker with a short-term buffer capped at the given size
func NewNoOpConntracker ¶
func NewNoOpConntracker() Conntracker
NewNoOpConntracker creates a conntracker which always returns empty information
type Consumer ¶
type Consumer struct {
// contains filtered or unexported fields
}
Consumer is responsible for encapsulating all the logic of hooking into Conntrack via a Netlink socket and streaming new connection events.
func NewConsumer ¶
NewConsumer creates a new Conntrack event consumer. targetRateLimit represents the maximum number of netlink messages per second that can be read off the socket
func (*Consumer) DumpAndDiscardTable ¶
DumpAndDiscardTable sends a message to netlink to dump all entries present in the Conntrack table. It returns a channel which will be closed once all entries have been read. Because the dumped conntrack entries are read & processed in kernelspace, the messages received from netlink here are immediately discarded. This method is meant to be used once during the process initialization of system-probe when the ebpf conntracker is used.
func (*Consumer) DumpTable ¶
DumpTable returns a channel of Event objects containing all entries present in the Conntrack table. The channel is closed once all entries are read. This method is meant to be used once during the process initialization of system-probe.
type DebugConntrackEntry ¶
type DebugConntrackEntry struct {
	Proto  string
	Family string
	Origin DebugConntrackTuple
	Reply  DebugConntrackTuple
}
DebugConntrackEntry is an entry in a conntrack table (host or cached).
func (DebugConntrackEntry) Compare ¶
func (e DebugConntrackEntry) Compare(o DebugConntrackEntry) int
Compare orders entries to get deterministic output in the flare
func (DebugConntrackEntry) String ¶
func (e DebugConntrackEntry) String() string
String roughly matches conntrack -L format
type DebugConntrackTuple ¶
DebugConntrackTuple is one side of a conntrack entry
func (DebugConntrackTuple) Compare ¶
func (t DebugConntrackTuple) Compare(o DebugConntrackTuple) int
Compare orders entries to get deterministic output in the flare
func (DebugConntrackTuple) String ¶
func (t DebugConntrackTuple) String() string
String roughly matches conntrack -L format
type Decoder ¶ added in v0.9.0
type Decoder struct {
// contains filtered or unexported fields
}
Decoder is responsible for decoding netlink messages
func NewDecoder ¶ added in v0.9.0
func NewDecoder() *Decoder
NewDecoder returns a new netlink message Decoder
func (*Decoder) DecodeAndReleaseEvent ¶ added in v0.9.0
DecodeAndReleaseEvent decodes a single Event into a slice of ct.Con objects and releases the underlying buffer.
type Event ¶
type Event struct {
// contains filtered or unexported fields
}
Event encapsulates the result of a single netlink.Con.Receive() call
type NestedFrame ¶
type NestedFrame struct {
// contains filtered or unexported fields
}
A NestedFrame encapsulates the decoding information of a certain nesting level
type Socket ¶
type Socket struct {
// contains filtered or unexported fields
}
Socket is an implementation of netlink.Socket (github.com/mdlayher/netlink). It's mostly a copy of the original implementation (netlink.conn) with a few optimizations:
- We don't MSG_PEEK as we use a pre-allocated buffer large enough to fit any netlink message;
- We use a buffer pool for the message data;
- We remove all the synchronization & go-channels cruft and bring it upstream in a cheaper/simpler way (Consumer)
func (*Socket) GetSockoptInt ¶ added in v0.9.0
GetSockoptInt gets a socket option
func (*Socket) LeaveGroup ¶
LeaveGroup deletes a group membership
func (*Socket) ReceiveAndDiscard ¶
ReceiveAndDiscard reads netlink messages off the socket & discards them. If the NLMSG_DONE flag is found in one of the messages, returns true.
func (*Socket) ReceiveInto ¶
ReceiveInto reads one or more netlink.Messages off the socket
func (*Socket) SendMessages ¶
SendMessages isn't implemented in our case
func (*Socket) SetBPF ¶
func (s *Socket) SetBPF(filter []bpf.RawInstruction) error
SetBPF attaches an assembled BPF program to the socket
func (*Socket) SetSockoptInt ¶
SetSockoptInt sets a socket option