ruleset

Documentation

Index

• type Action
  • func (a Action) String() string
• type BuiltinConfig
• type ExprRule
  • func ExprRulesFromYAML(file string) ([]ExprRule, error)
• type Function
• type Logger
• type MatchResult
• type ModifierEntry
• type Protocol
  • func (p Protocol) String() string
• type Ruleset
  • func CompileExprRules(rules []ExprRule, ans []analyzer.Analyzer, mods []modifier.Modifier, ...) (Ruleset, error)
• type StreamInfo
  • func (i StreamInfo) DstString() string
  • func (i StreamInfo) SrcString() string

Types

type Action

type Action int

const (
	// ActionMaybe indicates that the ruleset hasn't seen anything worth blocking based on
	// current information, but that may change if volatile fields change in the future.
	ActionMaybe Action = iota
	// ActionAllow indicates that the stream should be allowed regardless of future changes.
	ActionAllow
	// ActionBlock indicates that the stream should be blocked.
	ActionBlock
	// ActionDrop indicates that the current packet should be dropped,
	// but the stream should be allowed to continue.
	// Only valid for UDP streams. Equivalent to ActionBlock for TCP streams.
	ActionDrop
	// ActionModify indicates that the current packet should be modified,
	// and the stream should be allowed to continue.
	// Only valid for UDP streams. Equivalent to ActionMaybe for TCP streams.
	ActionModify
)

func (Action) String

func (a Action) String() string

type BuiltinConfig

type BuiltinConfig struct {
	Logger               Logger
	GeoMatcher           *geo.GeoMatcher
	ProtectedDialContext func(ctx context.Context, network, address string) (net.Conn, error)
}

type ExprRule

type ExprRule struct {
	Name     string        `yaml:"name"`
	Action   string        `yaml:"action"`
	Log      bool          `yaml:"log"`
	Modifier ModifierEntry `yaml:"modifier"`
	Expr     string        `yaml:"expr"`
}

ExprRule is the external representation of an expression rule.

func ExprRulesFromYAML

func ExprRulesFromYAML(file string) ([]ExprRule, error)

type Function

type Function struct {
	InitFunc  func() error
	PatchFunc func(args *[]ast.Node) error
	Func      func(params ...any) (any, error)
	Types     []reflect.Type
}

type Logger

type Logger interface {
	Log(info StreamInfo, name string)
	MatchError(info StreamInfo, name string, err error)
}

Logger is the logging interface for the ruleset.

type MatchResult

type MatchResult struct {
	Action      Action
	ModInstance modifier.Instance
}

type ModifierEntry

type ModifierEntry struct {
	Name string                 `yaml:"name"`
	Args map[string]interface{} `yaml:"args"`
}

type Protocol

type Protocol int

const (
	ProtocolTCP Protocol = iota
	ProtocolUDP
)

func (Protocol) String

func (p Protocol) String() string

type Ruleset

type Ruleset interface {
	// Analyzers returns the list of analyzers to use for a stream.
	// It must be safe for concurrent use by multiple workers.
	Analyzers(StreamInfo) []analyzer.Analyzer
	// Match matches a stream against the ruleset and returns the result.
	// It must be safe for concurrent use by multiple workers.
	Match(StreamInfo) MatchResult
}

func CompileExprRules

func CompileExprRules(rules []ExprRule, ans []analyzer.Analyzer, mods []modifier.Modifier, config *BuiltinConfig) (Ruleset, error)

CompileExprRules compiles a list of expression rules into a ruleset. It returns an error if any of the rules are invalid, or if any of the analyzers used by the rules are unknown (not provided in the analyzer list).

type StreamInfo

type StreamInfo struct {
	ID               int64
	Protocol         Protocol
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Props            analyzer.CombinedPropMap
}

func (StreamInfo) DstString

func (i StreamInfo) DstString() string

func (StreamInfo) SrcString

func (i StreamInfo) SrcString() string