Documentation ¶
Index ¶
- Constants
- Variables
- func TCPConnectionExpirationNotifier(c cache.DataStore, id interface{}, item interface{})
- type AuthInfo
- type Datapath
- type PUContext
- type PacketProcessor
- type PolicyEnforcer
- type PublicKeyAdder
- type TCPConnection
- func (c *TCPConnection) Cleanup(expiration bool)
- func (c *TCPConnection) GetState() TCPFlowState
- func (c *TCPConnection) SetPacketInfo(flowHash, tcpFlags string)
- func (c *TCPConnection) SetReported(flowState bool)
- func (c *TCPConnection) SetState(state TCPFlowState)
- func (c *TCPConnection) String() string
- type TCPFlowState
Constants ¶
const ( // RejectReported represents that flow was reported as rejected RejectReported bool = true // AcceptReported represents that flow was reported as accepted AcceptReported bool = false )
const ( // TCPAuthenticationOptionBaseLen specifies the length of base TCP Authentication Option packet TCPAuthenticationOptionBaseLen = 4 // TCPAuthenticationOptionAckLen specifies the length of TCP Authentication Option in the ack packet TCPAuthenticationOptionAckLen = 20 // PortNumberLabelString is the label to use for port numbers PortNumberLabelString = "$sys:port" // TransmitterLabel is the name of the label used to identify the Transmitter Context TransmitterLabel = "AporetoContextID" // DefaultNetwork to be used DefaultNetwork = "0.0.0.0/0" )
const DefaultExternalIPTimeout = "500ms"
DefaultExternalIPTimeout is the default used for the cache for External IPTimeout.
Variables ¶
var ( // TraceLogging provides very high level of detail logs for connections TraceLogging int )
Functions ¶
func TCPConnectionExpirationNotifier ¶
TCPConnectionExpirationNotifier handles processing the expiration of an element
Types ¶
type AuthInfo ¶
type AuthInfo struct { LocalContext []byte RemoteContext []byte RemoteContextID string RemotePublicKey interface{} RemoteIP string RemotePort string }
AuthInfo keeps authentication information about a connection
type Datapath ¶
type Datapath struct {
// contains filtered or unexported fields
}
Datapath is the structure holding all information about a connection filter
func (*Datapath) Enforce ¶
Enforce implements the Enforce interface method and configures the data path for a new PU
func (*Datapath) GetFilterQueue ¶
func (d *Datapath) GetFilterQueue() *fqconfig.FilterQueue
GetFilterQueue returns the filter queues used by the data path
type PUContext ¶
type PUContext struct { ID string ManagementID string Identity *policy.TagStore Annotations *policy.TagStore AcceptTxtRules *lookup.PolicyDB RejectTxtRules *lookup.PolicyDB AcceptRcvRules *lookup.PolicyDB RejectRcvRules *lookup.PolicyDB ApplicationACLs *acls.ACLCache NetworkACLS *acls.ACLCache Extension interface{} IP string Mark string Ports []string PUType constants.PUType sync.Mutex // contains filtered or unexported fields }
PUContext holds data indexed by the PU ID
type PacketProcessor ¶
type PacketProcessor interface { // Initialize initializes the secrets of the processor Initialize(s secrets.Secrets, fq *fqconfig.FilterQueue) // PreProcessTCPAppPacket will be called for application packets and return value of false means drop packet. PreProcessTCPAppPacket(p *packet.Packet, context *PUContext, conn *TCPConnection) bool // PostProcessTCPAppPacket will be called for application packets and return value of false means drop packet. PostProcessTCPAppPacket(p *packet.Packet, action interface{}, context *PUContext, conn *TCPConnection) bool // PreProcessTCPNetPacket will be called for network packets and return value of false means drop packet PreProcessTCPNetPacket(p *packet.Packet, context *PUContext, conn *TCPConnection) bool // PostProcessTCPNetPacket will be called for network packets and return value of false means drop packet PostProcessTCPNetPacket(p *packet.Packet, action interface{}, claims *tokens.ConnectionClaims, context *PUContext, conn *TCPConnection) bool }
PacketProcessor is an interface implemented to stitch into our enforcer
type PolicyEnforcer ¶
type PolicyEnforcer interface { // Enforce starts enforcing policies for the given policy.PUInfo. Enforce(contextID string, puInfo *policy.PUInfo) error // Unenforce stops enforcing policy for the given IP. Unenforce(contextID string) error // GetFilterQueue returns the current FilterQueueConfig. GetFilterQueue() *fqconfig.FilterQueue // Start starts the PolicyEnforcer. Start() error // Stop stops the PolicyEnforcer. Stop() error }
A PolicyEnforcer is implementing the enforcer that will modify//analyze the capture packets
func New ¶
func New( mutualAuth bool, filterQueue *fqconfig.FilterQueue, collector collector.EventCollector, service PacketProcessor, secrets secrets.Secrets, serverID string, validity time.Duration, mode constants.ModeType, procMountPoint string, externalIPCacheTimeout time.Duration, ) PolicyEnforcer
New will create a new data path structure. It instantiates the data stores needed to track sessions. The data path is started with a different call. Only required parameters must be provided. Rest a pre-populated with defaults.
func NewWithDefaults ¶
func NewWithDefaults( serverID string, collector collector.EventCollector, service PacketProcessor, secrets secrets.Secrets, mode constants.ModeType, procMountPoint string, ) PolicyEnforcer
NewWithDefaults create a new data path with most things used by default
type PublicKeyAdder ¶
type PublicKeyAdder interface { // PublicKeyAdd adds the given cert for the given host. PublicKeyAdd(host string, cert []byte) error }
PublicKeyAdder register a publicKey for a Node.
type TCPConnection ¶
type TCPConnection struct { sync.Mutex Auth AuthInfo // ServiceData allows services to associate state with a connection ServiceData interface{} // Context is the PUContext that is associated with this connection // Minimizes the number of caches and lookups Context *PUContext // TimeOut signals the timeout to be used by the state machines TimeOut time.Duration // ServiceConnection indicates that this connection is handled by a service ServiceConnection bool // FlowPolicy holds the last matched policy FlowPolicy *policy.FlowPolicy // contains filtered or unexported fields }
TCPConnection is information regarding TCP Connection
func NewTCPConnection ¶
func NewTCPConnection() *TCPConnection
NewTCPConnection returns a TCPConnection information struct
func (*TCPConnection) Cleanup ¶
func (c *TCPConnection) Cleanup(expiration bool)
Cleanup will provide information when a connection is removed by a timer.
func (*TCPConnection) GetState ¶
func (c *TCPConnection) GetState() TCPFlowState
GetState is used to return the state
func (*TCPConnection) SetPacketInfo ¶
func (c *TCPConnection) SetPacketInfo(flowHash, tcpFlags string)
SetPacketInfo is used to setup the state for the TCP connection
func (*TCPConnection) SetReported ¶
func (c *TCPConnection) SetReported(flowState bool)
SetReported is used to track if a flow is reported
func (*TCPConnection) SetState ¶
func (c *TCPConnection) SetState(state TCPFlowState)
SetState is used to setup the state for the TCP connection
func (*TCPConnection) String ¶
func (c *TCPConnection) String() string
String returns a printable version of connection
type TCPFlowState ¶
type TCPFlowState int
TCPFlowState identifies the constants of the state of a TCP connectioncon
const ( // TCPSynSend is the state where the Syn packets has been send, but no response has been received TCPSynSend TCPFlowState = iota // TCPSynReceived indicates that the syn packet has been received TCPSynReceived // TCPSynAckSend indicates that the SynAck packet has been send TCPSynAckSend // TCPSynAckReceived is the state where the SynAck has been received TCPSynAckReceived // TCPAckSend indicates that the ack packets has been sent TCPAckSend // TCPAckProcessed is the state that the negotiation has been completed TCPAckProcessed // TCPData indicates that the packets are now data packets TCPData )
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package mockenforcer is a generated GoMock package.
|
Package mockenforcer is a generated GoMock package. |
Package enforcerproxy :: This is the implementation of the RPC client It implements the interface of Trireme Enforcer and forwards these requests to the actual remote enforcer instead of implementing locally
|
Package enforcerproxy :: This is the implementation of the RPC client It implements the interface of Trireme Enforcer and forwards these requests to the actual remote enforcer instead of implementing locally |
utils
|
|
packet
Package packet support for TCP/IP packet manipulations needed by the Aporeto infrastructure.
|
Package packet support for TCP/IP packet manipulations needed by the Aporeto infrastructure. |
packetgen
Package packetgen "PacketGen" is a Packet Generator library Current version: V1.0, Updates are coming soon
|
Package packetgen "PacketGen" is a Packet Generator library Current version: V1.0, Updates are coming soon |