enforcer

package
v1.0.56 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 19, 2017 License: GPL-2.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// RejectReported represents that flow was reported as rejected
	RejectReported bool = true

	// AcceptReported represents that flow was reported as accepted
	AcceptReported bool = false
)
View Source
const (
	// TCPAuthenticationOptionBaseLen specifies the length of base TCP Authentication Option packet
	TCPAuthenticationOptionBaseLen = 4
	// TCPAuthenticationOptionAckLen specifies the length of TCP Authentication Option in the ack packet
	TCPAuthenticationOptionAckLen = 20
	// PortNumberLabelString is the label to use for port numbers
	PortNumberLabelString = "$sys:port"
	// TransmitterLabel is the name of the label used to identify the Transmitter Context
	TransmitterLabel = "AporetoContextID"
	// DefaultNetwork to be used
	DefaultNetwork = "0.0.0.0/0"
)
View Source
const DefaultExternalIPTimeout = "500ms"

DefaultExternalIPTimeout is the default used for the cache for External IPTimeout.

Variables

View Source
var (
	// TraceLogging provides very high level of detail logs for connections
	TraceLogging int
)

Functions

func TCPConnectionExpirationNotifier

func TCPConnectionExpirationNotifier(c cache.DataStore, id interface{}, item interface{})

TCPConnectionExpirationNotifier handles processing the expiration of an element

Types

type AuthInfo

type AuthInfo struct {
	LocalContext    []byte
	RemoteContext   []byte
	RemoteContextID string
	RemotePublicKey interface{}
	RemoteIP        string
	RemotePort      string
}

AuthInfo keeps authentication information about a connection

type Datapath

type Datapath struct {
	// contains filtered or unexported fields
}

Datapath is the structure holding all information about a connection filter

func (*Datapath) Enforce

func (d *Datapath) Enforce(contextID string, puInfo *policy.PUInfo) error

Enforce implements the Enforce interface method and configures the data path for a new PU

func (*Datapath) GetFilterQueue

func (d *Datapath) GetFilterQueue() *fqconfig.FilterQueue

GetFilterQueue returns the filter queues used by the data path

func (*Datapath) Start

func (d *Datapath) Start() error

Start starts the application and network interceptors

func (*Datapath) Stop

func (d *Datapath) Stop() error

Stop stops the enforcer

func (*Datapath) Unenforce

func (d *Datapath) Unenforce(contextID string) error

Unenforce removes the configuration for the given PU

type PUContext

type PUContext struct {
	ID              string
	ManagementID    string
	Identity        *policy.TagStore
	Annotations     *policy.TagStore
	AcceptTxtRules  *lookup.PolicyDB
	RejectTxtRules  *lookup.PolicyDB
	AcceptRcvRules  *lookup.PolicyDB
	RejectRcvRules  *lookup.PolicyDB
	ApplicationACLs *acls.ACLCache
	NetworkACLS     *acls.ACLCache

	Extension interface{}
	IP        string
	Mark      string
	Ports     []string
	PUType    constants.PUType

	sync.Mutex
	// contains filtered or unexported fields
}

PUContext holds data indexed by the PU ID

type PacketProcessor

type PacketProcessor interface {
	// Initialize  initializes the secrets of the processor
	Initialize(s secrets.Secrets, fq *fqconfig.FilterQueue)

	// PreProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
	PreProcessTCPAppPacket(p *packet.Packet, context *PUContext, conn *TCPConnection) bool

	// PostProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
	PostProcessTCPAppPacket(p *packet.Packet, action interface{}, context *PUContext, conn *TCPConnection) bool

	// PreProcessTCPNetPacket will be called for network packets and return value of false means drop packet
	PreProcessTCPNetPacket(p *packet.Packet, context *PUContext, conn *TCPConnection) bool

	// PostProcessTCPNetPacket will be called for network packets and return value of false means drop packet
	PostProcessTCPNetPacket(p *packet.Packet, action interface{}, claims *tokens.ConnectionClaims, context *PUContext, conn *TCPConnection) bool
}

PacketProcessor is an interface implemented to stitch into our enforcer

type PolicyEnforcer

type PolicyEnforcer interface {

	// Enforce starts enforcing policies for the given policy.PUInfo.
	Enforce(contextID string, puInfo *policy.PUInfo) error

	// Unenforce stops enforcing policy for the given IP.
	Unenforce(contextID string) error

	// GetFilterQueue returns the current FilterQueueConfig.
	GetFilterQueue() *fqconfig.FilterQueue

	// Start starts the PolicyEnforcer.
	Start() error

	// Stop stops the PolicyEnforcer.
	Stop() error
}

A PolicyEnforcer is implementing the enforcer that will modify//analyze the capture packets

func New

func New(
	mutualAuth bool,
	filterQueue *fqconfig.FilterQueue,
	collector collector.EventCollector,
	service PacketProcessor,
	secrets secrets.Secrets,
	serverID string,
	validity time.Duration,
	mode constants.ModeType,
	procMountPoint string,
	externalIPCacheTimeout time.Duration,
) PolicyEnforcer

New will create a new data path structure. It instantiates the data stores needed to track sessions. The data path is started with a different call. Only required parameters must be provided. Rest a pre-populated with defaults.

func NewWithDefaults

func NewWithDefaults(
	serverID string,
	collector collector.EventCollector,
	service PacketProcessor,
	secrets secrets.Secrets,
	mode constants.ModeType,
	procMountPoint string,
) PolicyEnforcer

NewWithDefaults create a new data path with most things used by default

type PublicKeyAdder

type PublicKeyAdder interface {

	// PublicKeyAdd adds the given cert for the given host.
	PublicKeyAdd(host string, cert []byte) error
}

PublicKeyAdder register a publicKey for a Node.

type TCPConnection

type TCPConnection struct {
	sync.Mutex

	Auth AuthInfo

	// ServiceData allows services to associate state with a connection
	ServiceData interface{}

	// Context is the PUContext that is associated with this connection
	// Minimizes the number of caches and lookups
	Context *PUContext

	// TimeOut signals the timeout to be used by the state machines
	TimeOut time.Duration

	// ServiceConnection indicates that this connection is handled by a service
	ServiceConnection bool

	// FlowPolicy holds the last matched policy
	FlowPolicy *policy.FlowPolicy
	// contains filtered or unexported fields
}

TCPConnection is information regarding TCP Connection

func NewTCPConnection

func NewTCPConnection() *TCPConnection

NewTCPConnection returns a TCPConnection information struct

func (*TCPConnection) Cleanup

func (c *TCPConnection) Cleanup(expiration bool)

Cleanup will provide information when a connection is removed by a timer.

func (*TCPConnection) GetState

func (c *TCPConnection) GetState() TCPFlowState

GetState is used to return the state

func (*TCPConnection) SetPacketInfo

func (c *TCPConnection) SetPacketInfo(flowHash, tcpFlags string)

SetPacketInfo is used to setup the state for the TCP connection

func (*TCPConnection) SetReported

func (c *TCPConnection) SetReported(flowState bool)

SetReported is used to track if a flow is reported

func (*TCPConnection) SetState

func (c *TCPConnection) SetState(state TCPFlowState)

SetState is used to setup the state for the TCP connection

func (*TCPConnection) String

func (c *TCPConnection) String() string

String returns a printable version of connection

type TCPFlowState

type TCPFlowState int

TCPFlowState identifies the constants of the state of a TCP connectioncon

const (

	// TCPSynSend is the state where the Syn packets has been send, but no response has been received
	TCPSynSend TCPFlowState = iota

	// TCPSynReceived indicates that the syn packet has been received
	TCPSynReceived

	// TCPSynAckSend indicates that the SynAck packet has been send
	TCPSynAckSend

	// TCPSynAckReceived is the state where the SynAck has been received
	TCPSynAckReceived

	// TCPAckSend indicates that the ack packets has been sent
	TCPAckSend

	// TCPAckProcessed is the state that the negotiation has been completed
	TCPAckProcessed

	// TCPData indicates that the packets are now data packets
	TCPData
)

type TestPolicyEnforcer

type TestPolicyEnforcer interface {
	PolicyEnforcer
	MockEnforce(t *testing.T, impl func(contextID string, puInfo *policy.PUInfo) error)
	MockUnenforce(t *testing.T, impl func(ip string) error)
	MockGetFilterQueue(t *testing.T, impl func() *fqconfig.FilterQueue)
	MockStart(t *testing.T, impl func() error)
	MockStop(t *testing.T, impl func() error)
}

TestPolicyEnforcer vxcv

func NewTestPolicyEnforcer

func NewTestPolicyEnforcer() TestPolicyEnforcer

NewTestPolicyEnforcer returns a new TestManipulator.

type TestPublicKeyAdder

type TestPublicKeyAdder interface {
	PublicKeyAdder
	MockPublicKeyAdd(t *testing.T, impl func(host string, cert []byte) error)
}

TestPublicKeyAdder vxcv

func NewTestPublicKeyAdder

func NewTestPublicKeyAdder() TestPublicKeyAdder

NewTestPublicKeyAdder returns a new TestManipulator.

Directories

Path Synopsis
Package enforcerproxy :: This is the implementation of the RPC client It implements the interface of Trireme Enforcer and forwards these requests to the actual remote enforcer instead of implementing locally
Package enforcerproxy :: This is the implementation of the RPC client It implements the interface of Trireme Enforcer and forwards these requests to the actual remote enforcer instead of implementing locally
utils
packet
Package packet support for TCP/IP packet manipulations needed by the Aporeto infrastructure.
Package packet support for TCP/IP packet manipulations needed by the Aporeto infrastructure.
packetgen
Package packetgen "PacketGen" is a Packet Generator library Current version: V1.0, Updates are coming soon
Package packetgen "PacketGen" is a Packet Generator library Current version: V1.0, Updates are coming soon

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL