Documentation
Constants
This section is empty.
Variables
var DefaultDisconnector = &SSDisconnector{}
DefaultDisconnector is used to close sockets.
Functions
func Connect
func Connect() (err error)
Connect queries DBUS to see if we can retrieve the firewalld default zone and therefore understand whether firewalld is up.
func NotifyReload
NotifyReload notifies on a channel if firewalld is reloaded by sysadmin/ops; we'll want to know about this so we can re-apply any bans in the blacklist that have not expired.
Types
type Disconnector (added in v0.0.3)
Disconnector is an interface accepted by the firewall to disconnect a peer's socket after banning it.
type Firewall
type Firewall struct {
	Disconnector Disconnector
	// contains filtered or unexported fields
}
Firewall is a wrapper around `firewalld` that provides functionality for temporarily banning XRPL peer nodes.
func NewFirewall
NewFirewall instantiates a Firewall ready for use with XRPL peer nodes.
func (*Firewall) BanPeer
BanPeer bans the XRPL peer by inserting the reject rule, and adds it to a blacklist so we can track the expiration and re-apply the rule on firewalld reload. IPs that are in the whitelist are ignored.
func (*Firewall) Disconnect (added in v0.0.3)
Disconnect closes a peer's socket.
func (*Firewall) Expire
func (fw *Firewall) Expire()
Expire will traverse the blacklist and remove any XRPL peers which have exceeded their ban length.
func (*Firewall) RefreshBans
func (fw *Firewall) RefreshBans()
RefreshBans re-applies the rich rule banning unstable peers; this is used after the firewalld reload notification from NotifyReload.
type SSDisconnector (added in v0.0.3)
SSDisconnector uses the ss utility from the iproute2 suite of packages. The option used is `ss -K [filter]`, where the filter identifies the IP address of the peer. Here is the description from the man page:
-K, --kill Attempts to forcibly close sockets. This option displays sockets that are successfully closed and silently skips sockets that the kernel does not support closing. It supports IPv4 and IPv6 sockets only.
Please note that Linux kernel 4.9 or higher is required with `CONFIG_INET_DIAG_DESTROY` option compiled in. On systems where the kernel doesn't support this, the operation will silently fail.
This Disconnector will execute a command similar to the following:
`ss -K dst 192.168.1.10`
Needless to say, this requires root or elevated privileges.
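The ban lifecycle described for Firewall above (BanPeer adding a reject rule and a blacklist entry, Expire dropping bans whose length has elapsed, RefreshBans re-applying rules after a reload) and the `ss -K dst <ip>` invocation used by SSDisconnector, as one self-contained added example; this is not the package's own code. It assumes a minimal Peer type standing in for xrpl.Peer, builds the ss argv instead of executing it, and collects firewalld rich rules in a slice instead of sending them over D-Bus, so it runs unprivileged and offline. RecordingDisconnector, SSCommand, richRule and the Clock field are this example's own names, and the addresses used are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Peer stands in for xrpl.Peer (assumption: only the address is needed here).
type Peer struct {
	IP string
}

// Disconnector matches the page's contract: close a peer's socket after it is banned.
type Disconnector interface {
	Disconnect(p *Peer) error
}

// SSCommand builds the argv for `ss -K dst <ip>` instead of executing it. Parsing
// the address first keeps anything other than an IP out of a command that runs as root.
func SSCommand(ip string) ([]string, error) {
	parsed := net.ParseIP(strings.TrimSpace(ip))
	if parsed == nil {
		return nil, fmt.Errorf("invalid peer address %q", ip)
	}
	return []string{"ss", "-K", "dst", parsed.String()}, nil
}

// RecordingDisconnector records the ss command it would have run (example stand-in).
type RecordingDisconnector struct {
	Ran [][]string
}

func (r *RecordingDisconnector) Disconnect(p *Peer) error {
	argv, err := SSCommand(p.IP)
	if err != nil {
		return err
	}
	r.Ran = append(r.Ran, argv)
	return nil
}

// ban is one blacklist entry: the rich rule to (re-)apply and when the ban ends.
type ban struct {
	rule    string
	expires time.Time
}

// Firewall models the wrapper: whitelist check, blacklist with expiry, and
// re-applying rules after a reload. Rules go to Applied instead of firewalld.
type Firewall struct {
	Disconnector Disconnector
	Clock        func() time.Time // injectable so expiry is deterministic in tests
	Applied      []string         // rich rules that would have been sent to firewalld
	whitelist    map[string]bool
	blacklist    map[string]ban
}

func NewFirewall(d Disconnector, whitelist []string) *Firewall {
	fw := &Firewall{Disconnector: d, Clock: time.Now,
		whitelist: map[string]bool{}, blacklist: map[string]ban{}}
	for _, ip := range whitelist {
		fw.whitelist[ip] = true
	}
	return fw
}

// richRule renders a firewalld rich rule rejecting traffic from ip.
func richRule(ip net.IP) string {
	family := "ipv4"
	if ip.To4() == nil {
		family = "ipv6"
	}
	return fmt.Sprintf(`rule family="%s" source address="%s" reject`, family, ip)
}

// BanPeer inserts the reject rule, records the ban for expiry and reload, then
// disconnects the peer's socket. Whitelisted addresses are ignored.
func (fw *Firewall) BanPeer(p *Peer, d time.Duration) error {
	ip := net.ParseIP(p.IP)
	if ip == nil {
		return fmt.Errorf("invalid peer address %q", p.IP)
	}
	key := ip.String()
	if fw.whitelist[key] {
		return nil
	}
	b := ban{rule: richRule(ip), expires: fw.Clock().Add(d)}
	fw.blacklist[key] = b
	fw.Applied = append(fw.Applied, b.rule)
	return fw.Disconnector.Disconnect(p)
}

// Expire drops bans whose length has elapsed and returns the released addresses.
func (fw *Firewall) Expire() []string {
	var released []string
	now := fw.Clock()
	for ip, b := range fw.blacklist {
		if !now.Before(b.expires) {
			delete(fw.blacklist, ip) // deleting during range is safe in Go
			released = append(released, ip)
		}
	}
	return released
}

// RefreshBans re-applies every unexpired rule (what a reload notification
// should trigger) and returns how many were re-applied.
func (fw *Firewall) RefreshBans() int {
	fw.Expire()
	for _, b := range fw.blacklist {
		fw.Applied = append(fw.Applied, b.rule)
	}
	return len(fw.blacklist)
}

func main() {
	rec := &RecordingDisconnector{}
	fw := NewFirewall(rec, []string{"10.0.0.1"}) // constructed whitelist
	_ = fw.BanPeer(&Peer{IP: "192.168.1.10"}, time.Hour)
	fmt.Println(fw.Applied, rec.Ran)
}
```

The validation step in SSCommand and BanPeer is the part worth keeping in a real implementation: the peer address ends up inside a privileged command line and inside a firewalld rule, so anything that is not a parseable IP should be rejected before it gets there.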
func NewSSDisconnector (added in v0.0.3)
func NewSSDisconnector(container string) *SSDisconnector
NewSSDisconnector returns a Disconnector configured to use `ss -K`.
func (*SSDisconnector) Disconnect (added in v0.0.3)
func (ssd *SSDisconnector) Disconnect(peer *xrpl.Peer) error
Disconnect will try to close the peer's socket.
type TCPKillDisconnector (added in v0.0.3)
type TCPKillDisconnector struct {
	Aggression int
	Docker     bool
	Container  string
	// contains filtered or unexported fields
}
TCPKillDisconnector requires the `tcpkill` utility to be available on the system. This utility is more of a brute-force approach and may not work consistently, especially on nodes with many open connections and very high traffic volume.
`tcpkill` tries to close the connection by sniffing for the IP's traffic and then aggressively trying to inject an RST packet into the TCP stack's receive window. For this reason it may not be successful, but you can try more aggressive levels than the default (3); levels are 1-9.
func NewTCPKIllDisconnector (added in v0.0.3)
func NewTCPKIllDisconnector(container string) *TCPKillDisconnector
NewTCPKIllDisconnector returns a Disconnector configured to use `tcpkill`.
func (*TCPKillDisconnector) Disconnect (added in v0.0.3)
func (tcp *TCPKillDisconnector) Disconnect(peer *xrpl.Peer) error
Disconnect will try to close the peer's socket.