Documentation ¶
Index ¶
- Constants
- func ExtractMsgDetails(msg *dns.Msg) (qname string, responseIPs []netip.Addr, TTL uint32, CNAMEs []string, rcode int, ...)
- func GeneratePattern(l7Rules *policy.PerSelectorPolicy) (pattern string)
- func NewSessionUDPFactory(ipFamily ipfamily.IPFamily) (dns.SessionUDPFactory, error)
- type CachedSelectorREEntry
- type DNSProxy
- func (p *DNSProxy) CheckAllowed(endpointID uint64, destPortProto restore.PortProto, ...) (allowed bool, err error)
- func (p *DNSProxy) Cleanup()
- func (p *DNSProxy) GetBindPort() uint16
- func (p *DNSProxy) GetRules(version *versioned.VersionHandle, endpointID uint16) (restore.DNSRules, error)
- func (p *DNSProxy) LookupEndpointByIP(ip netip.Addr) (endpoint *endpoint.Endpoint, isHost bool, err error)
- func (p *DNSProxy) RemoveRestoredRules(endpointID uint16)
- func (p *DNSProxy) RestoreRules(ep *endpoint.Endpoint)
- func (p *DNSProxy) ServeDNS(w dns.ResponseWriter, request *dns.Msg)
- func (p *DNSProxy) SetRejectReply(opt string)
- func (p *DNSProxy) UpdateAllowed(endpointID uint64, destPortProto restore.PortProto, newRules policy.L7DataMap) error
- func (p *DNSProxy) UpdateAllowedFromSelectorRegexes(endpointID uint64, destPortProto restore.PortProto, ...) error
- type DNSProxyConfig
- type ErrDNSRequestNoEndpoint
- type ErrFailedAcquireSemaphore
- type ErrTimedOutAcquireSemaphore
- type LookupEndpointIDByIPFunc
- type LookupIPsBySecIDFunc
- type LookupSecIDByIPFunc
- type NotifyOnDNSMsgFunc
- type ProxyRequestContext
- type SharedClient
- type SharedClients
- func (s *SharedClients) Exchange(key string, conf *dns.Client, m *dns.Msg, serverAddrStr string) (r *dns.Msg, rtt time.Duration, closer func(), err error)
- func (s *SharedClients) ExchangeContext(ctx context.Context, key string, conf *dns.Client, m *dns.Msg, ...) (r *dns.Msg, rtt time.Duration, closer func(), err error)
- func (s *SharedClients) GetSharedClient(key string, conf *dns.Client, serverAddrStr string) (client *SharedClient, closer func())
- func (s *SharedClients) ShutdownTCPClient(key string)
Constants ¶
const ( // ProxyForwardTimeout is the maximum time to wait for DNS responses to // forwarded DNS requests. This is needed since UDP queries have no way to // indicate that the client has stopped expecting a response. ProxyForwardTimeout = 10 * time.Second // ProxyBindTimeout is how long we wait for a successful bind to the bindaddr. // Note: This must be divisible by 5 without going to 0 ProxyBindTimeout = 20 * time.Second // ProxyBindRetryInterval is how long to wait between attempts to bind to the // proxy address:port ProxyBindRetryInterval = ProxyBindTimeout / 5 )
Variables ¶
This section is empty.
Functions ¶
func ExtractMsgDetails ¶
func ExtractMsgDetails(msg *dns.Msg) (qname string, responseIPs []netip.Addr, TTL uint32, CNAMEs []string, rcode int, answerTypes []uint16, qTypes []uint16, err error)
ExtractMsgDetails extracts a canonical query name, any IPs in a response, the lowest applicable TTL, rcode, anwer rr types and question types When a CNAME is returned the chain is collapsed down, keeping the lowest TTL, and CNAME targets are returned.
func GeneratePattern ¶
func GeneratePattern(l7Rules *policy.PerSelectorPolicy) (pattern string)
GeneratePattern takes a set of l7Rules and returns a regular expression pattern for matching the provided l7 rules.
func NewSessionUDPFactory ¶ added in v1.14.3
func NewSessionUDPFactory(ipFamily ipfamily.IPFamily) (dns.SessionUDPFactory, error)
Set up new SessionUDPFactory with dedicated raw socket for sending responses.
- Must use a raw UDP socket for sending responses so that we can send from a specific port without binding to it.
- The raw UDP socket must be bound to a specific IP address to prevent it receiving ALL UDP packets on the host.
- We use oob data to override the source IP address when sending
- Must use separate sockets for IPv4/IPv6, as sending to a v6-mapped v4 address from a socket bound to "::1" does not work due to kernel checking that a route exists from the source address before the source address is replaced with the (transparently) changed one
Types ¶
type CachedSelectorREEntry ¶
type CachedSelectorREEntry map[policy.CachedSelector]*regexp.Regexp
CachedSelectorREEntry maps port numbers to selectors to rules, mirroring policy.L7DataMap but the DNS rules are compiled into a regex
type DNSProxy ¶
type DNSProxy struct { // BindPort is the port in BindAddr. BindPort uint16 // LookupRegisteredEndpoint is a provided callback that returns the endpoint ID // as a uint16. // Note: this is a little pointless since this proxy is in-process but it is // intended to allow us to switch to an external proxy process by forcing the // design now. LookupRegisteredEndpoint LookupEndpointIDByIPFunc // LookupSecIDByIP is a provided callback that returns the IP's security ID // from the ipcache. // Note: this is a little pointless since this proxy is in-process but it is // intended to allow us to switch to an external proxy process by forcing the // design now. LookupSecIDByIP LookupSecIDByIPFunc // LookupIPsBySecID is a provided callback that returns the IPs by security ID // from the ipcache. LookupIPsBySecID LookupIPsBySecIDFunc // NotifyOnDNSMsg is a provided callback by which the proxy can emit DNS // response data. It is intended to wire into a DNS cache and a // fqdn.NameManager. // Note: this is a little pointless since this proxy is in-process but it is // intended to allow us to switch to an external proxy process by forcing the // design now. NotifyOnDNSMsg NotifyOnDNSMsgFunc // DNSServers are the cilium/dns server instances. // Depending on the configuration, these might be // TCPv4, UDPv4, TCPv6 and/or UDPv4. // They handle DNS parsing etc. for us. DNSServers []*dns.Server // EnableDNSCompression allows the DNS proxy to compress responses to // endpoints that are larger than 512 Bytes or the EDNS0 option, if present. EnableDNSCompression bool // ConcurrencyLimit limits parallel goroutines number that serve DNS ConcurrencyLimit *semaphore.Weighted // ConcurrencyGracePeriod is the grace period for waiting on // ConcurrencyLimit before timing out ConcurrencyGracePeriod time.Duration // this mutex protects variables below this point lock.RWMutex // DNSClients is a container for dns.SharedClient instances. DNSClients *SharedClients // contains filtered or unexported fields }
DNSProxy is a L7 proxy for DNS traffic. It keeps a list of allowed DNS lookups that can be regexps and blocks lookups that are not allowed. A singleton is always running inside cilium-agent. Note: All public fields are read only and do not require locking
func StartDNSProxy ¶
func StartDNSProxy( dnsProxyConfig DNSProxyConfig, lookupEPFunc LookupEndpointIDByIPFunc, lookupSecIDFunc LookupSecIDByIPFunc, lookupIPsFunc LookupIPsBySecIDFunc, notifyFunc NotifyOnDNSMsgFunc, ) (*DNSProxy, error)
StartDNSProxy starts a proxy used for DNS L7 redirects that listens on address and port on IPv4 and/or IPv6 depending on the values of ipv4/ipv6. address is the bind address to listen on. Empty binds to all local addresses. port is the port to bind to for both UDP and TCP. 0 causes the kernel to select a free port. lookupEPFunc will be called with the source IP of DNS requests, and expects a unique identifier for the endpoint that made the request. notifyFunc will be called with DNS response data that is returned to a requesting endpoint. Note that denied requests will not trigger this callback.
func (*DNSProxy) CheckAllowed ¶
func (p *DNSProxy) CheckAllowed(endpointID uint64, destPortProto restore.PortProto, destID identity.NumericIdentity, destIP netip.Addr, name string) (allowed bool, err error)
CheckAllowed checks endpointID, destPortProto, destID, destIP, and name against the rules added to the proxy or restored during restart, and only returns true if this all match something that was added (via UpdateAllowed or RestoreRules) previously.
func (*DNSProxy) GetBindPort ¶
func (*DNSProxy) GetRules ¶
func (p *DNSProxy) GetRules(version *versioned.VersionHandle, endpointID uint16) (restore.DNSRules, error)
GetRules creates a fresh copy of EP's DNS rules to be stored for later restoration.
func (*DNSProxy) LookupEndpointByIP ¶
func (p *DNSProxy) LookupEndpointByIP(ip netip.Addr) (endpoint *endpoint.Endpoint, isHost bool, err error)
LookupEndpointByIP wraps LookupRegisteredEndpoint by falling back to an restored EP, if available
func (*DNSProxy) RemoveRestoredRules ¶
RemoveRestoredRules removes all restored rules for 'endpointID'.
func (*DNSProxy) RestoreRules ¶
RestoreRules is used in the beginning of endpoint restoration to install rules saved before the restart to be used before the endpoint is regenerated. 'ep' passed in is not fully functional yet, but just unmarshaled from JSON!
func (*DNSProxy) ServeDNS ¶
func (p *DNSProxy) ServeDNS(w dns.ResponseWriter, request *dns.Msg)
ServeDNS handles individual DNS requests forwarded to the proxy, and meets the dns.Handler interface. It will:
- Look up the endpoint that sent the request by IP, via LookupEndpointByIP.
- Look up the Sec ID of the destination server, via LookupSecIDByIP.
- Check that the endpoint ID, destination Sec ID, destination port and the qname all match a rule. If not, the request is dropped.
- The allowed request is forwarded to the originally intended DNS server IP
- The response is shared via NotifyOnDNSMsg (this will go to a fqdn/NameManager instance).
- Write the response to the endpoint.
func (*DNSProxy) SetRejectReply ¶
SetRejectReply sets the default reject reply on denied dns responses.
func (*DNSProxy) UpdateAllowed ¶
func (p *DNSProxy) UpdateAllowed(endpointID uint64, destPortProto restore.PortProto, newRules policy.L7DataMap) error
UpdateAllowed sets newRules for endpointID and destPort. It compiles the DNS rules into regexes that are then used in CheckAllowed.
func (*DNSProxy) UpdateAllowedFromSelectorRegexes ¶
func (p *DNSProxy) UpdateAllowedFromSelectorRegexes(endpointID uint64, destPortProto restore.PortProto, newRules CachedSelectorREEntry) error
UpdateAllowedFromSelectorRegexes sets newRules for endpointID and destPort.
type DNSProxyConfig ¶ added in v1.16.0
type DNSProxyConfig struct { Address string Port uint16 IPv4 bool IPv6 bool EnableDNSCompression bool MaxRestoreDNSIPs int ConcurrencyLimit int ConcurrencyGracePeriod time.Duration }
DNSProxyConfig is the configuration for the DNS proxy.
type ErrDNSRequestNoEndpoint ¶
type ErrDNSRequestNoEndpoint struct{}
ErrDNSRequestNoEndpoint represents an error when the local daemon cannot find the corresponding endpoint that triggered a DNS request processed by the local DNS proxy (FQDN proxy).
func (ErrDNSRequestNoEndpoint) Error ¶
func (ErrDNSRequestNoEndpoint) Error() string
type ErrFailedAcquireSemaphore ¶
type ErrFailedAcquireSemaphore struct {
// contains filtered or unexported fields
}
ErrFailedAcquireSemaphore is an an error representing the DNS proxy's failure to acquire the semaphore. This is error is treated like a timeout.
func (ErrFailedAcquireSemaphore) Error ¶
func (e ErrFailedAcquireSemaphore) Error() string
func (ErrFailedAcquireSemaphore) Temporary ¶
func (e ErrFailedAcquireSemaphore) Temporary() bool
Temporary is deprecated. Return false.
func (ErrFailedAcquireSemaphore) Timeout ¶
func (e ErrFailedAcquireSemaphore) Timeout() bool
type ErrTimedOutAcquireSemaphore ¶
type ErrTimedOutAcquireSemaphore struct { ErrFailedAcquireSemaphore // contains filtered or unexported fields }
ErrTimedOutAcquireSemaphore is an an error representing the DNS proxy timing out when acquiring the semaphore. It is treated the same as ErrTimedOutAcquireSemaphore.
func (ErrTimedOutAcquireSemaphore) Error ¶
func (e ErrTimedOutAcquireSemaphore) Error() string
type LookupEndpointIDByIPFunc ¶
type LookupEndpointIDByIPFunc func(ip netip.Addr) (endpoint *endpoint.Endpoint, isHost bool, err error)
LookupEndpointIDByIPFunc wraps logic to lookup an endpoint with any backend. See DNSProxy.LookupRegisteredEndpoint for usage.
type LookupIPsBySecIDFunc ¶
type LookupIPsBySecIDFunc func(nid identity.NumericIdentity) []string
LookupIPsBySecIDFunc Func wraps logic to lookup an IPs by security ID from the ipcache.
type LookupSecIDByIPFunc ¶
LookupSecIDByIPFunc Func wraps logic to lookup an IP's security ID from the ipcache. See DNSProxy.LookupSecIDByIP for usage.
type NotifyOnDNSMsgFunc ¶
type NotifyOnDNSMsgFunc func(lookupTime time.Time, ep *endpoint.Endpoint, epIPPort string, serverID identity.NumericIdentity, serverAddr string, msg *dns.Msg, protocol string, allowed bool, stat *ProxyRequestContext) error
NotifyOnDNSMsgFunc handles propagating DNS response data See DNSProxy.LookupEndpointIDByIP for usage.
type ProxyRequestContext ¶
type ProxyRequestContext struct { TotalTime spanstat.SpanStat ProcessingTime spanstat.SpanStat // This is going to happen at the end of the second callback. // Error is a enum of [timeout, allow, denied, proxyerr]. UpstreamTime spanstat.SpanStat SemaphoreAcquireTime spanstat.SpanStat PolicyCheckTime spanstat.SpanStat PolicyGenerationTime spanstat.SpanStat DataplaneTime spanstat.SpanStat Success bool Err error DataSource accesslog.DNSDataSource }
ProxyRequestContext proxy dns request context struct to send in the callback
func (*ProxyRequestContext) IsTimeout ¶
func (proxyStat *ProxyRequestContext) IsTimeout() bool
IsTimeout return true if the ProxyRequest timeout
type SharedClient ¶ added in v1.16.1
type SharedClient struct { // contains filtered or unexported fields }
A SharedClient keeps state for concurrent transactions on the same upstream client/connection.
func (*SharedClient) ExchangeShared ¶ added in v1.16.1
ExchangeShared dials a connection to the server on first invocation, and starts a handler goroutines to send and receive responses, distributing them to appropriate concurrent caller based on the DNS message Id.
type SharedClients ¶ added in v1.16.1
type SharedClients struct {
// contains filtered or unexported fields
}
SharedClients holds a set of SharedClient instances.
func NewSharedClients ¶ added in v1.16.1
func NewSharedClients() *SharedClients
func (*SharedClients) ExchangeContext ¶ added in v1.16.1
func (*SharedClients) GetSharedClient ¶ added in v1.16.1
func (s *SharedClients) GetSharedClient(key string, conf *dns.Client, serverAddrStr string) (client *SharedClient, closer func())
GetSharedClient gets or creates an instance of SharedClient keyed with 'key'. if 'key' is an empty sting, a new client is always created and it is not actually shared. The returned 'closer' must be called once the client is no longer needed. Conversely, the returned 'client' must not be used after the closer is called.
func (*SharedClients) ShutdownTCPClient ¶ added in v1.16.1
func (s *SharedClients) ShutdownTCPClient(key string)
Called by wrapped TCP connection once the downstream connection breaks/is closed. Used as a signal to close the upstream connection.