Documentation ¶
Index ¶
- Constants
- func Compress(data []byte) []byte
- func Contains(list []string, target string) bool
- func ContainsAny(list, targets []string) bool
- func ContainsInt(list []int, target int) bool
- func ContainsWildcard(patterns []string, target string) bool
- func CopyBuffer(dst io.Writer, src io.Reader, buf []byte) (written int64, err error)
- func CopyNBuffer(dst io.Writer, src io.Reader, n int64, buf []byte) (written int64, err error)
- func Decompress(data []byte) ([]byte, error)
- func EscapeRedactIPAddressString(address string) string
- func FileExists(filePath string) bool
- func FormatByteCount(bytes uint64) string
- func GenerateAuthenticatedDataPackageKeys() (string, string, error)
- func GenerateWebServerCertificate(hostname string) (string, string, string, error)
- func GetCurrentTimestamp() string
- func GetInterfaceIPAddresses(interfaceName string) (net.IP, net.IP, error)
- func GetRoutableInterfaceIPAddresses() (net.IP, net.IP, error)
- func GetStringSlice(value interface{}) ([]string, bool)
- func IPAddressFromAddr(addr net.Addr) string
- func IsBogon(IP net.IP) bool
- func MakeSecureRandomBytes(length int) ([]byte, error)
- func MaxDuration(durations ...time.Duration) time.Duration
- func MergeContextCancel(ctx, cancelCtx context.Context) (context.Context, context.CancelFunc)
- func NewAuthenticatedDataPackageReader(dataPackage io.ReadSeeker, signingPublicKey string) (io.Reader, error)
- func ParseDNSQuestion(request []byte) (string, error)
- func PortFromAddr(addr net.Addr) int
- func ReadAuthenticatedDataPackage(dataPackage []byte, isCompressed bool, signingPublicKey string) (string, error)
- func RedactFilePaths(s string, filePaths ...string) string
- func RedactFilePathsError(err error, filePaths ...string) error
- func RedactIPAddresses(b []byte) []byte
- func RedactIPAddressesString(s string) string
- func RedactNetError(err error) error
- func RedactURLError(err error) error
- func RunNetworkConfigCommand(logger Logger, useSudo bool, commandName string, commandArgs ...string) error
- func SafeParseRequestURI(rawurl string) (*url.URL, error)
- func SafeParseURL(rawurl string) (*url.URL, error)
- func SleepWithContext(ctx context.Context, duration time.Duration)
- func SleepWithJitter(ctx context.Context, duration time.Duration, jitter float64)
- func TerminateHTTPConnection(responseWriter http.ResponseWriter, request *http.Request)
- func TruncateTimestampToHour(timestamp string) string
- func ValueOrDefault[T comparable](value, defaultValue T) T
- func WriteAuthenticatedDataPackage(data string, signingPublicKey, signingPrivateKey string) ([]byte, error)
- func WriteRuntimeProfiles(logger Logger, outputDirectory string, filenameSuffix string, ...)
- type APIParameterLogFieldFormatter
- type APIParameterValidator
- type APIParameters
- type ActivityMonitoredConn
- func (conn *ActivityMonitoredConn) GetActiveDuration() time.Duration
- func (conn *ActivityMonitoredConn) GetStartTime() time.Time
- func (conn *ActivityMonitoredConn) IsClosed() bool
- func (conn *ActivityMonitoredConn) Read(buffer []byte) (int, error)
- func (conn *ActivityMonitoredConn) Write(buffer []byte) (int, error)
- type ActivityUpdater
- type AuthenticatedDataPackage
- type BurstMonitoredConn
- type CloseWriter
- type Closer
- type Conns
- type Dialer
- type FragmentorAccessor
- type GeoIPData
- type HTTPRoundTripper
- type IrregularIndicator
- type LRUConns
- type LRUConnsEntry
- type LogFields
- type LogTrace
- type Logger
- type MetricsSource
- type NetDialer
- type NoticeMetricsSource
- type PortList
- type RateLimits
- type ReloadableFile
- type Reloader
- type SubnetLookup
- type TLSClientSessionCacheWrapper
- type ThrottledConn
- type UnderlyingTCPAddrSource
- type UtlsClientSessionCacheWrapper
- type WriteTimeoutPacketConn
- type WriteTimeoutUDPConn
- func (conn *WriteTimeoutUDPConn) Write(b []byte) (int, error)
- func (conn *WriteTimeoutUDPConn) WriteMsgUDP(b, oob []byte, addr *net.UDPAddr) (int, int, error)
- func (conn *WriteTimeoutUDPConn) WriteMsgUDPAddrPort(b, oob []byte, addr netip.AddrPort) (int, int, error)
- func (conn *WriteTimeoutUDPConn) WriteTo(b []byte, addr net.Addr) (int, error)
- func (conn *WriteTimeoutUDPConn) WriteToUDP(b []byte, addr *net.UDPAddr) (int, error)
- func (conn *WriteTimeoutUDPConn) WriteToUDPAddrPort(b []byte, addr netip.AddrPort) (int, error)
Constants ¶
const IsRaceDetectorEnabled = false
const RFC3339Milli = "2006-01-02T15:04:05.000Z07:00"
const UDP_PACKET_WRITE_TIMEOUT = 1 * time.Second
Variables ¶
This section is empty.
Functions ¶
func Contains ¶
Contains is a helper function that returns true if the target string is in the list.
func ContainsAny ¶
ContainsAny returns true if any string in targets is present in the list.
func ContainsInt ¶
ContainsInt returns true if the target int is in the list.
func ContainsWildcard ¶
ContainsWildcard returns true if target matches any of the patterns. Patterns may contain the '*' wildcard.
func CopyBuffer ¶
CopyBuffer calls io.CopyBuffer, masking out any src.WriteTo or dst.ReadFrom to force use of the specified buf.
func CopyNBuffer ¶
func Decompress ¶
Decompress returns zlib decompressed data
func EscapeRedactIPAddressString ¶
EscapeRedactIPAddressString escapes the IP or IP:port addresses in the input in such a way that they won't be redacted when part of the input to RedactIPAddresses.
The escape encoding is not guaranteed to be reversable or suitable for machine processing; the goal is to simply ensure the original value is human readable.
func FileExists ¶
FileExists returns true if a file, or directory, exists at the given path.
func FormatByteCount ¶
FormatByteCount returns a string representation of the specified byte count in conventional, human-readable format.
func GenerateAuthenticatedDataPackageKeys ¶
GenerateAuthenticatedDataPackageKeys generates a key pair be used to sign and verify AuthenticatedDataPackages.
func GenerateWebServerCertificate ¶
GenerateWebServerCertificate creates a self-signed web server certificate, using the specified host name. The host name is used as the subject common name and a SAN DNS name.
This is primarily intended for use by MeekServer to generate on-the-fly, self-signed TLS certificates for fronted HTTPS mode. In this case, the nature of the certificate is non-circumvention; it only has to be acceptable to the front CDN making connections to meek. The same certificates are used for unfronted HTTPS meek. In this case, the certificates may be a fingerprint used to detect Vaipn servers or traffic. TODO: more effort to mitigate fingerprinting these certificates.
In addition, GenerateWebServerCertificate is used by GenerateConfig to create Vaipn web server certificates for test/example configurations. If these Vaipn web server certificates are used in production, the same caveats about fingerprints apply.
The verification pin return value is a hash of the certificate public key which is compatible with FrontingSpec.VerifyPins, and is intended for use in testing.
func GetCurrentTimestamp ¶
func GetCurrentTimestamp() string
GetCurrentTimestamp returns the current time in UTC as an RFC 3339 formatted string.
func GetInterfaceIPAddresses ¶
GetInterfaceIPAddresses takes an interface name, such as "eth0", and returns the first non-link local IPv4 and IPv6 addresses associated with it. Either of the IPv4 or IPv6 address may be nil. If neither type of address is found, an error is returned.
func GetRoutableInterfaceIPAddresses ¶
GetRoutableInterfaceIPAddresses returns GetInterfaceIPAddresses values for the first non-loopback, non-point-to-point network interface on the host that has an IP address.
func GetStringSlice ¶
GetStringSlice converts an interface{} which is of type []interace{}, and with the type of each element a string, to []string.
func IPAddressFromAddr ¶
IPAddressFromAddr is a helper which extracts an IP address from a net.Addr or returns "" if there is no IP address.
func IsBogon ¶
IsBogon checks if the specified IP is a bogon (loopback, private addresses, link-local addresses, etc.)
func MakeSecureRandomBytes ¶
MakeSecureRandomBytes is a helper function that wraps crypto/rand.Read.
func MaxDuration ¶
MaxDuration returns the maximum duration in durations or 0 if durations is empty.
func MergeContextCancel ¶
MergeContextCancel returns a context which has the properties of the 1st input content and merges in the cancellation signal of the 2nd context, so the returned context is cancelled when either input context is cancelled.
See (and adapted from): https://pkg.go.dev/context#example-AfterFunc-Merge
func NewAuthenticatedDataPackageReader ¶
func NewAuthenticatedDataPackageReader( dataPackage io.ReadSeeker, signingPublicKey string) (io.Reader, error)
NewAuthenticatedDataPackageReader extracts and verifies authenticated data from an AuthenticatedDataPackage stored in the specified file. The package must have been signed with the given key. NewAuthenticatedDataPackageReader does not load the entire package nor the entire data into memory. It streams the package while verifying, and returns an io.Reader that the caller may use to stream the authenticated data payload.
func ParseDNSQuestion ¶
ParseDNSQuestion parses a DNS message. When the message is a query, the first question, a fully-qualified domain name, is returned.
For other valid DNS messages, "" is returned. An error is returned only for invalid DNS messages.
Limitations:
- Only the first Question field is extracted.
- ParseDNSQuestion only functions for plaintext DNS and cannot extract domains from DNS-over-TLS/HTTPS, etc.
func PortFromAddr ¶
PortFromAddr is a helper which extracts a port number from a net.Addr or returns 0 if there is no port number.
func ReadAuthenticatedDataPackage ¶
func ReadAuthenticatedDataPackage( dataPackage []byte, isCompressed bool, signingPublicKey string) (string, error)
ReadAuthenticatedDataPackage extracts and verifies authenticated data from an AuthenticatedDataPackage. The package must have been signed with the given key.
Set isCompressed to false to read packages that are not compressed.
func RedactFilePaths ¶
RedactFilePaths returns a copy of the input with all file paths replaced by "[redacted]". First any occurrences of the provided file paths are replaced and then an attempt is made to replace any other file paths by searching with a heuristic. The latter is a best effort attempt it is not guaranteed that it will catch every file path.
func RedactFilePathsError ¶
RedactFilePathsError is RedactFilePaths for errors.
func RedactIPAddresses ¶
RedactIPAddresses returns a copy of the input with all IP addresses (and optional ports) replaced by "[redacted]". This is intended to be used to redact addresses from "net" package I/O error messages and otherwise avoid inadvertently recording direct server IPs via error message logs; and, in metrics, to reduce the error space due to superfluous source port data.
RedactIPAddresses uses a simple regex match which liberally matches IP address-like patterns and will match invalid addresses; for example, it will match port numbers greater than 65535. We err on the side of redaction and are not as concerned, in this context, with false positive matches. If a user configures an upstream proxy address with an invalid IP or port value, we prefer to redact it.
See the redactIPAddressAndPortRegex comment for some uncommon IP address representations that are not matched.
func RedactIPAddressesString ¶
RedactIPAddressesString is RedactIPAddresses for strings.
func RedactNetError ¶
RedactNetError removes network address information from a "net" package error message. Addresses may be domains or IP addresses.
Limitations: some non-address error context can be lost; this function makes assumptions about how the Go "net" package error messages are formatted and will fail to redact network addresses if this assumptions become untrue.
func RedactURLError ¶
RedactURLError transforms an error, when it is a url.Error, removing the URL value. This is to avoid logging private user data in cases where the URL may be a user input value. This function is used with errors returned by net/http and net/url, which are (currently) of type url.Error. In particular, the round trip function used by our HttpProxy, http.Client.Do, returns errors of type url.Error, with the URL being the url sent from the user's tunneled applications: https://github.com/golang/go/blob/release-branch.go1.4/src/net/http/client.go#L394
func RunNetworkConfigCommand ¶
func RunNetworkConfigCommand( logger Logger, useSudo bool, commandName string, commandArgs ...string) error
RunNetworkConfigCommand execs a network config command, such as "ifconfig" or "iptables". On platforms that support capabilities, the network config capabilities of the current process is made available to the command subprocess. Alternatively, "sudo" will be used when useSudo is true.
func SafeParseRequestURI ¶
SafeParseRequestURI wraps url.ParseRequestURI, stripping the input URL from any error message. This allows logging url.ParseRequestURI errors without unintentially logging PII that may appear in the input URL.
func SafeParseURL ¶
SafeParseURL wraps url.Parse, stripping the input URL from any error message. This allows logging url.Parse errors without unintentially logging PII that may appear in the input URL.
func SleepWithContext ¶
SleepWithContext returns after the specified duration or once the input ctx is done, whichever is first.
func SleepWithJitter ¶
SleepWithJitter returns after the specified duration, with random jitter applied, or once the input ctx is done, whichever is first.
func TerminateHTTPConnection ¶
func TerminateHTTPConnection( responseWriter http.ResponseWriter, request *http.Request)
TerminateHTTPConnection sends a 404 response to a client and also closes the persistent connection.
func TruncateTimestampToHour ¶
TruncateTimestampToHour truncates an RFC 3339 formatted string to hour granularity. If the input is not a valid format, the result is "".
func ValueOrDefault ¶
func ValueOrDefault[T comparable](value, defaultValue T) T
ValueOrDefault returns the input value, or, when value is the zero value of its type, defaultValue.
func WriteAuthenticatedDataPackage ¶
func WriteAuthenticatedDataPackage( data string, signingPublicKey, signingPrivateKey string) ([]byte, error)
WriteAuthenticatedDataPackage creates an AuthenticatedDataPackage containing the specified data and signed by the given key. The output conforms with the legacy format here: https://bitbucket.org/vaipn/vaipn-circumvention-system/src/c25d080f6827b141fe637050ce0d5bd0ae2e9db5/Automation/psi_ops_crypto_tools.py
func WriteRuntimeProfiles ¶
func WriteRuntimeProfiles( logger Logger, outputDirectory string, filenameSuffix string, blockSampleDurationSeconds int, cpuSampleDurationSeconds int)
WriteRuntimeProfiles writes Go runtime profile information to a set of files in the specified output directory. The profiles include "heap", "goroutine", and other selected profiles from: https://golang.org/pkg/runtime/pprof/#Profile.
The SampleDurationSeconds inputs determine how long to wait and sample profiles that require active sampling. When set to 0, these profiles are skipped.
Types ¶
type APIParameterLogFieldFormatter ¶
type APIParameterLogFieldFormatter func(string, GeoIPData, APIParameters) LogFields
APIParameterLogFieldFormatter is a function that returns formatted LogFields containing the given GeoIPData and APIParameters. An optional log field name prefix string, when specified, should be applied to the output LogFields names. When GeoIPData is the zero value, it should be omitted from LogFields.
type APIParameterValidator ¶
type APIParameterValidator func(APIParameters) error
APIParameterValidator is a function that validates API parameters for a particular request or context.
type APIParameters ¶
type APIParameters map[string]interface{}
APIParameters is a set of API parameter values, typically received from a Vaipn client and used/logged by the Vaipn server. The values are of varying types: strings, ints, arrays, structs, etc.
func (APIParameters) Add ¶
func (a APIParameters) Add(b APIParameters)
Add copies API parameters from b to a, skipping parameters which already exist, regardless of value, in a.
type ActivityMonitoredConn ¶
ActivityMonitoredConn wraps a net.Conn, adding logic to deal with events triggered by I/O activity.
ActivityMonitoredConn uses lock-free concurrency synronization, avoiding an additional mutex resource, making it suitable for wrapping many net.Conns (e.g, each Vaipn port forward).
When an inactivity timeout is specified, the network I/O will timeout after the specified period of read inactivity. Optionally, for the purpose of inactivity only, ActivityMonitoredConn will also consider the connection active when data is written to it.
When a LRUConnsEntry is specified, then the LRU entry is promoted on either a successful read or write.
When an ActivityUpdater is set, then its UpdateActivity method is called on each read and write with the number of bytes transferred. The durationNanoseconds, which is the time since the last read, is reported only on reads.
func NewActivityMonitoredConn ¶
func NewActivityMonitoredConn( conn net.Conn, inactivityTimeout time.Duration, activeOnWrite bool, lruEntry *LRUConnsEntry, activityUpdaters ...ActivityUpdater) (*ActivityMonitoredConn, error)
NewActivityMonitoredConn creates a new ActivityMonitoredConn.
func (*ActivityMonitoredConn) GetActiveDuration ¶
func (conn *ActivityMonitoredConn) GetActiveDuration() time.Duration
GetActiveDuration returns the time elapsed between the initialization of the ActivityMonitoredConn and the last Read. Only reads are used for this calculation since writes may succeed locally due to buffering.
func (*ActivityMonitoredConn) GetStartTime ¶
func (conn *ActivityMonitoredConn) GetStartTime() time.Time
GetStartTime gets the time when the ActivityMonitoredConn was initialized. Reported time is UTC.
func (*ActivityMonitoredConn) IsClosed ¶
func (conn *ActivityMonitoredConn) IsClosed() bool
IsClosed implements the Closer iterface. The return value indicates whether the underlying conn has been closed.
type ActivityUpdater ¶
type ActivityUpdater interface {
UpdateProgress(bytesRead, bytesWritten, durationNanoseconds int64)
}
ActivityUpdater defines an interface for receiving updates for ActivityMonitoredConn activity. Values passed to UpdateProgress are bytes transferred and conn duration since the previous UpdateProgress.
type AuthenticatedDataPackage ¶
type AuthenticatedDataPackage struct { Data string `json:"data"` SigningPublicKeyDigest []byte `json:"signingPublicKeyDigest"` Signature []byte `json:"signature"` }
AuthenticatedDataPackage is a JSON record containing some Vaipn data payload, such as list of Vaipn server entries. As it may be downloaded from various sources, it is digitally signed so that the data may be authenticated.
type BurstMonitoredConn ¶
BurstMonitoredConn wraps a net.Conn and monitors for data transfer bursts. Upstream (read) and downstream (write) bursts are tracked independently.
A burst is defined as a transfer of "target" bytes, possibly across multiple I/O operations, where the total time elapsed does not exceed "deadline". Both a non-zero deadline and theshold must be set to enable monitoring. Four bursts are reported: the first, the last, the min (by rate) and max.
The burst monitoring is heuristical in nature and may not capture all bursts. The reported rates will be more accurate for larger target values and shorter deadlines, but these settings may fail to register bursts on slower connections. Tune the deadline/target as required. The threshold should be set to account for buffering (e.g, the local host socket send/receive buffer) but this is not enforced by BurstMonitoredConn.
Overhead: BurstMonitoredConn adds mutexes but does not use timers.
func NewBurstMonitoredConn ¶
func NewBurstMonitoredConn( conn net.Conn, isServer bool, upstreamTargetBytes int64, upstreamDeadline time.Duration, downstreamTargetBytes int64, downstreamDeadline time.Duration) *BurstMonitoredConn
NewBurstMonitoredConn creates a new BurstMonitoredConn.
func (*BurstMonitoredConn) GetMetrics ¶
func (conn *BurstMonitoredConn) GetMetrics(baseTime time.Time) LogFields
GetMetrics returns log fields with burst metrics for the first, last, min (by rate), and max bursts for this conn. Time/duration values are reported in milliseconds. Rate is reported in bytes per second.
func (*BurstMonitoredConn) IsClosed ¶
func (conn *BurstMonitoredConn) IsClosed() bool
IsClosed implements the Closer iterface. The return value indicates whether the underlying conn has been closed.
type CloseWriter ¶
type CloseWriter interface {
CloseWrite() error
}
CloseWriter defines the interface to a type, typically a net.TCPConn, that implements CloseWrite.
type Closer ¶
type Closer interface {
IsClosed() bool
}
Closer defines the interface to a type, typically a net.Conn, that can be closed.
type Conns ¶
type Conns[T interface { comparable io.Closer }] struct { // contains filtered or unexported fields }
Conns is a synchronized list of Conns that is used to coordinate interrupting a set of goroutines establishing connections, or close a set of open connections, etc. Once the list is closed, no more items may be added to the list (unless it is reset).
type FragmentorAccessor ¶
type FragmentorAccessor interface { SetReplay(*prng.PRNG) GetReplay() (*prng.Seed, bool) StopFragmenting() }
FragmentorAccessor defines the interface for accessing properties of a fragmentor Conn.
type HTTPRoundTripper ¶
type HTTPRoundTripper struct {
// contains filtered or unexported fields
}
HTTPRoundTripper is an adapter that allows using a function as a http.RoundTripper.
func NewHTTPRoundTripper ¶
NewHTTPRoundTripper creates a new HTTPRoundTripper, using the specified roundTrip function for HTTP round trips.
type IrregularIndicator ¶
type IrregularIndicator interface {
IrregularTunnelError() error
}
IrregularIndicator defines the interface for a type, typically a net.Conn, that detects and reports irregular conditions during initial network connection establishment.
type LRUConns ¶
type LRUConns struct {
// contains filtered or unexported fields
}
LRUConns is a concurrency-safe list of net.Conns ordered by recent activity. Its purpose is to facilitate closing the oldest connection in a set of connections.
New connections added are referenced by a LRUConnsEntry, which is used to Touch() active connections, which promotes them to the front of the order and to Remove() connections that are no longer LRU candidates.
CloseOldest() will remove the oldest connection from the list and call net.Conn.Close() on the connection.
After an entry has been removed, LRUConnsEntry Touch() and Remove() will have no effect.
func (*LRUConns) Add ¶
func (conns *LRUConns) Add(conn net.Conn) *LRUConnsEntry
Add inserts a net.Conn as the freshest connection in a LRUConns and returns an LRUConnsEntry to be used to freshen the connection or remove the connection from the LRU list.
func (*LRUConns) CloseOldest ¶
func (conns *LRUConns) CloseOldest()
CloseOldest closes the oldest connection in a LRUConns. It calls net.Conn.Close() on the connection.
type LRUConnsEntry ¶
type LRUConnsEntry struct {
// contains filtered or unexported fields
}
LRUConnsEntry is an entry in a LRUConns list.
func (*LRUConnsEntry) Remove ¶
func (entry *LRUConnsEntry) Remove()
Remove deletes the connection referenced by the LRUConnsEntry from the associated LRUConns. Has no effect if the entry was not initialized or previously removed.
func (*LRUConnsEntry) Touch ¶
func (entry *LRUConnsEntry) Touch()
Touch promotes the connection referenced by the LRUConnsEntry to the front of the associated LRUConns. Has no effect if the entry was not initialized or previously removed.
type LogFields ¶
type LogFields map[string]interface{}
LogFields is type-compatible with vaipn/server.LogFields and logrus.LogFields.
type LogTrace ¶
type LogTrace interface { Debug(args ...interface{}) Info(args ...interface{}) Warning(args ...interface{}) Error(args ...interface{}) }
LogTrace is interface-compatible with the return values from vaipn/server.TraceLogger.WitTrace/WithTraceFields.
type Logger ¶
type Logger interface { WithTrace() LogTrace WithTraceFields(fields LogFields) LogTrace LogMetric(metric string, fields LogFields) // IsLogLevelDebug is used to skip formatting debug-level log messages in // cases where performance would be impacted. IsLogLevelDebug() bool }
Logger exposes a logging interface that's compatible with vaipn/server.TraceLogger. This interface allows packages to implement logging that will integrate with vaipn/server without importing that package. Other implementations of Logger may also be provided.
type MetricsSource ¶
type MetricsSource interface { // GetMetrics returns a LogFields populated with metrics from the // MetricsSource. GetMetrics() LogFields }
MetricsSource is an object that provides metrics to be logged.
type NetDialer ¶
type NetDialer interface { Dial(network, address string) (net.Conn, error) DialContext(ctx context.Context, network, address string) (net.Conn, error) }
NetDialer mimicks the net.Dialer interface.
type NoticeMetricsSource ¶
type NoticeMetricsSource interface { // GetNoticeMetrics returns a LogFields populated with metrics from // the NoticeMetricsSource. GetNoticeMetrics() LogFields }
NoticeMetricsSource is an object that provides metrics to be logged only in notices, for inclusion in diagnostics.
type PortList ¶
type PortList struct {
// contains filtered or unexported fields
}
PortList provides a lookup for a configured list of IP ports and port ranges. PortList is intended for use with JSON config files and is initialized via UnmarshalJSON.
A JSON port list field should look like:
"FieldName": [1, 2, 3, [10, 20], [30, 40]]
where the ports in the list are 1, 2, 3, 10-20, 30-40. UnmarshalJSON validates that each port is in the range 1-65535 and that ranges have two elements in increasing order. PortList is designed to be backwards compatible with existing JSON config files where port list fields were defined as `[]int`.
func (*PortList) Lookup ¶
Lookup returns true if the specified port is in the port list and false otherwise. Lookups on a nil PortList are allowed and return false.
func (*PortList) MarshalJSON ¶
MarshalJSON implements the json.Marshaler interface.
func (*PortList) OptimizeLookups ¶
func (p *PortList) OptimizeLookups()
OptimizeLookups converts the internal port list representation to use a map, which increases the performance of lookups for longer lists with an increased memory footprint tradeoff. OptimizeLookups is not safe to use concurrently with Lookup and should be called immediately after UnmarshalJSON and before performing lookups.
func (*PortList) UnmarshalJSON ¶
UnmarshalJSON implements the json.Unmarshaler interface.
type RateLimits ¶
type RateLimits struct { // ReadUnthrottledBytes specifies the number of bytes to // read, approximately, before starting rate limiting. ReadUnthrottledBytes int64 // ReadBytesPerSecond specifies a rate limit for read // data transfer. The default, 0, is no limit. ReadBytesPerSecond int64 // WriteUnthrottledBytes specifies the number of bytes to // write, approximately, before starting rate limiting. WriteUnthrottledBytes int64 // WriteBytesPerSecond specifies a rate limit for write // data transfer. The default, 0, is no limit. WriteBytesPerSecond int64 // CloseAfterExhausted indicates that the underlying // net.Conn should be closed once either the read or // write unthrottled bytes have been exhausted. In this // case, throttling is never applied. CloseAfterExhausted bool }
RateLimits specify the rate limits for a ThrottledConn.
type ReloadableFile ¶
ReloadableFile is a file-backed Reloader. This type is intended to be embedded in other types that add the actual reloadable data structures.
ReloadableFile has a multi-reader mutex for synchronization. Its Reload() function will obtain a write lock before reloading the data structures. The actual reloading action is to be provided via the reloadAction callback, which receives the content of reloaded files, along with file modification time, and must process the new data (for example, unmarshall the contents into data structures). All read access to the data structures should be guarded by RLocks on the ReloadableFile mutex.
reloadAction must ensure that data structures revert to their previous state when a reload fails.
func NewReloadableFile ¶
func NewReloadableFile( filename string, loadFileContent bool, reloadAction func([]byte, time.Time) error) ReloadableFile
NewReloadableFile initializes a new ReloadableFile.
When loadFileContent is true, the file content is loaded and passed to reloadAction; otherwise, reloadAction receives a nil argument and is responsible for loading the file. The latter option allows for cases where the file contents must be streamed, memory mapped, etc.
func (*ReloadableFile) LogDescription ¶
func (reloadable *ReloadableFile) LogDescription() string
func (*ReloadableFile) Reload ¶
func (reloadable *ReloadableFile) Reload() (bool, error)
Reload checks if the underlying file has changed and, when changed, invokes the reloadAction callback which should reload the in-memory data structures.
In some case (e.g., traffic rules and OSL), there are penalties associated with proceeding with reload, so care is taken to not invoke the reload action unless the contents have changed.
The file content is loaded and a checksum is taken to determine whether it has changed. Neither file size (may not change when content changes) nor modified date (may change when identical file is repaved) is a sufficient indicator.
All data structure readers should be blocked by the ReloadableFile mutex.
Reload must not be called from multiple concurrent goroutines.
func (*ReloadableFile) WillReload ¶
func (reloadable *ReloadableFile) WillReload() bool
WillReload indicates whether the ReloadableFile is capable of reloading.
type Reloader ¶
type Reloader interface { // Reload reloads the data object. Reload returns a flag indicating if the // reloadable target has changed and reloaded or remains unchanged. By // convention, when reloading fails the Reloader should revert to its previous // in-memory state. Reload() (bool, error) // WillReload indicates if the data object is capable of reloading. WillReload() bool // LogDescription returns a description to be used for logging // events related to the Reloader. LogDescription() string }
Reloader represents a read-only, in-memory reloadable data object. For example, a JSON data file that is loaded into memory and accessed for read-only lookups; and from time to time may be reloaded from the same file, updating the memory copy.
type SubnetLookup ¶
SubnetLookup provides an efficient lookup for individual IPv4 addresses within a list of subnets.
func NewSubnetLookup ¶
func NewSubnetLookup(CIDRs []string) (SubnetLookup, error)
NewSubnetLookup creates a SubnetLookup from a list of subnet CIDRs.
func NewSubnetLookupFromRoutes ¶
func NewSubnetLookupFromRoutes(routesData []byte) (SubnetLookup, error)
NewSubnetLookupFromRoutes creates a SubnetLookup from text routes data. The input format is expected to be text lines where each line is, e.g., "1.2.3.0\t255.255.255.0\n"
func (SubnetLookup) ContainsIPAddress ¶
func (lookup SubnetLookup) ContainsIPAddress(addr net.IP) bool
ContainsIPAddress performs a binary search on the sorted subnet list to find a network containing the candidate IP address.
func (SubnetLookup) Less ¶
func (lookup SubnetLookup) Less(i, j int) bool
Less implements Sort.Interface
type TLSClientSessionCacheWrapper ¶
type TLSClientSessionCacheWrapper struct { tls.ClientSessionCache // contains filtered or unexported fields }
TLSClientSessionCacheWrapper is a wrapper around tls.ClientSessionCache that provides a hard-coded key for the cache. It implements the TLSClientSessionCacheWrapper interface.
func WrapClientSessionCache ¶
func WrapClientSessionCache( cache tls.ClientSessionCache, hardCodedSessionKey string, ) *TLSClientSessionCacheWrapper
WrapClientSessionCache wraps a tls.ClientSessionCache with an alternative key, ignoring the SNI-based key that crypto/tls passes to Put/Get, which may be incompatible with SNI obfuscation transforms.
func (*TLSClientSessionCacheWrapper) Get ¶
func (c *TLSClientSessionCacheWrapper) Get(_ string) (session *tls.ClientSessionState, ok bool)
func (*TLSClientSessionCacheWrapper) Put ¶
func (c *TLSClientSessionCacheWrapper) Put(_ string, cs *tls.ClientSessionState)
func (*TLSClientSessionCacheWrapper) RemoveCacheEntry ¶
func (c *TLSClientSessionCacheWrapper) RemoveCacheEntry()
type ThrottledConn ¶
ThrottledConn wraps a net.Conn with read and write rate limiters. Rates are specified as bytes per second. Optional unlimited byte counts allow for a number of bytes to read or write before applying rate limiting. Specify limit values of 0 to set no rate limit (unlimited counts are ignored in this case). The underlying rate limiter uses the token bucket algorithm to calculate delay times for read and write operations.
func NewThrottledConn ¶
func NewThrottledConn( conn net.Conn, isStream bool, limits RateLimits) *ThrottledConn
NewThrottledConn initializes a new ThrottledConn.
Set isStreamConn to true when conn is stream-oriented, such as TCP, and false when the conn is packet-oriented, such as UDP. When conn is a stream, reads and writes may be split to accomodate rate limits.
func (*ThrottledConn) Close ¶
func (conn *ThrottledConn) Close() error
func (*ThrottledConn) SetLimits ¶
func (conn *ThrottledConn) SetLimits(limits RateLimits)
SetLimits modifies the rate limits of an existing ThrottledConn. It is safe to call SetLimits while other goroutines are calling Read/Write. This function will not block, and the new rate limits will be applied within Read/Write, but not necessarily until some further I/O at previous rates.
type UnderlyingTCPAddrSource ¶
type UnderlyingTCPAddrSource interface { // GetUnderlyingTCPAddrs returns the LocalAddr and RemoteAddr properties of // the underlying TCP conn. GetUnderlyingTCPAddrs() (*net.TCPAddr, *net.TCPAddr, bool) }
UnderlyingTCPAddrSource defines the interface for a type, typically a net.Conn, such as a server meek Conn, which has an underlying TCP conn(s), providing access to the LocalAddr and RemoteAddr properties of the underlying TCP conn.
type UtlsClientSessionCacheWrapper ¶
type UtlsClientSessionCacheWrapper struct { utls.ClientSessionCache // contains filtered or unexported fields }
UtlClientSessionCacheWrapper is a wrapper around utls.ClientSessionCache that provides a hard-coded key for the cache. It implements the TLSClientSessionCacheWrapper interface.
func WrapUtlsClientSessionCache ¶
func WrapUtlsClientSessionCache( cache utls.ClientSessionCache, hardCodedSessionKey string, ) *UtlsClientSessionCacheWrapper
WrapUtlsClientSessionCache wraps a utls.ClientSessionCache with an alternative key, ignoring the SNI-based key that crypto/tls passes to Put/Get, which may be incompatible with SNI obfuscation transforms.
func (*UtlsClientSessionCacheWrapper) Get ¶
func (c *UtlsClientSessionCacheWrapper) Get(_ string) (session *utls.ClientSessionState, ok bool)
func (*UtlsClientSessionCacheWrapper) Put ¶
func (c *UtlsClientSessionCacheWrapper) Put(_ string, cs *utls.ClientSessionState)
func (*UtlsClientSessionCacheWrapper) RemoveCacheEntry ¶
func (c *UtlsClientSessionCacheWrapper) RemoveCacheEntry()
type WriteTimeoutPacketConn ¶
type WriteTimeoutPacketConn struct {
net.PacketConn
}
WriteTimeoutPacketConn is the equivilent of WriteTimeoutUDPConn for non-*net.UDPConns.
func (*WriteTimeoutPacketConn) GetMetrics ¶
func (conn *WriteTimeoutPacketConn) GetMetrics() LogFields
GetMetrics implements the common.MetricsSource interface.
type WriteTimeoutUDPConn ¶
WriteTimeoutUDPConn sets write deadlines before each UDP packet write.
Generally, a UDP packet write doesn't block. However, Go's internal/poll.FD.WriteMsg continues to loop when syscall.SendmsgN fails with EAGAIN, which indicates that an OS socket buffer is currently full; in certain OS states this may cause WriteMsgUDP/etc. to block indefinitely. In this scenario, we want to instead behave as if the packet were dropped, so we set a write deadline which will eventually interrupt any EAGAIN loop.
func (*WriteTimeoutUDPConn) WriteMsgUDP ¶
func (*WriteTimeoutUDPConn) WriteMsgUDPAddrPort ¶
func (*WriteTimeoutUDPConn) WriteToUDP ¶
func (*WriteTimeoutUDPConn) WriteToUDPAddrPort ¶
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package accesscontrol implements an access control authorization scheme based on digital signatures.
|
Package accesscontrol implements an access control authorization scheme based on digital signatures. |
crypto
|
|
nacl/secretbox
Package secretbox encrypts and authenticates small messages.
|
Package secretbox encrypts and authenticates small messages. |
ssh
Package ssh implements an SSH client and server.
|
Package ssh implements an SSH client and server. |
ssh/agent
Package agent implements the ssh-agent protocol, and provides both a client and a server.
|
Package agent implements the ssh-agent protocol, and provides both a client and a server. |
ssh/knownhosts
Package knownhosts implements a parser for the OpenSSH known_hosts host key database, and provides utility functions for writing OpenSSH compliant known_hosts files.
|
Package knownhosts implements a parser for the OpenSSH known_hosts host key database, and provides utility functions for writing OpenSSH compliant known_hosts files. |
ssh/terminal
Package terminal provides support functions for dealing with terminals, as commonly found on UNIX systems.
|
Package terminal provides support functions for dealing with terminals, as commonly found on UNIX systems. |
ssh/test
Package test contains integration tests for the github.com/payske-dev/vaipn-tunnel-core/vaipn/common/crypto/ssh package.
|
Package test contains integration tests for the github.com/payske-dev/vaipn-tunnel-core/vaipn/common/crypto/ssh package. |
Package errors provides error wrapping helpers that add inline, single frame stack trace information to error messages.
|
Package errors provides error wrapping helpers that add inline, single frame stack trace information to error messages. |
Package inproxy enables 3rd party, ephemeral proxies to help Vaipn clients connect to the Vaipn network.
|
Package inproxy enables 3rd party, ephemeral proxies to help Vaipn clients connect to the Vaipn network. |
Package monotime provides a fast monotonic clock source.
|
Package monotime provides a fast monotonic clock source. |
Package osl implements the Obfuscated Server List (OSL) mechanism.
|
Package osl implements the Obfuscated Server List (OSL) mechanism. |
Package packetman implements low-level manipulation of TCP packets, enabling a variety of strategies to evade network censorship.
|
Package packetman implements low-level manipulation of TCP packets, enabling a variety of strategies to evade network censorship. |
Package parameters implements dynamic, concurrency-safe parameters that determine Vaipn client and server behaviors.
|
Package parameters implements dynamic, concurrency-safe parameters that determine Vaipn client and server behaviors. |
Package prng implements a seeded, unbiased PRNG that is suitable for use cases including obfuscation, network jitter, load balancing.
|
Package prng implements a seeded, unbiased PRNG that is suitable for use cases including obfuscation, network jitter, load balancing. |
Package quic wraps github.com/lucas-clemente/quic-go with net.Listener and net.Conn types that provide a drop-in replacement for net.TCPConn.
|
Package quic wraps github.com/lucas-clemente/quic-go with net.Listener and net.Conn types that provide a drop-in replacement for net.TCPConn. |
Package regen is a library for generating random strings from regular expressions.
|
Package regen is a library for generating random strings from regular expressions. |
Package resolver implements a DNS stub resolver, or DNS client, which resolves domain names.
|
Package resolver implements a DNS stub resolver, or DNS client, which resolves domain names. |
Package sss implements Shamir's Secret Sharing algorithm over GF(2^8).
|
Package sss implements Shamir's Secret Sharing algorithm over GF(2^8). |
Package stacktrace provides helpers for handling stack trace information.
|
Package stacktrace provides helpers for handling stack trace information. |
Package tactics provides dynamic Vaipn client configuration based on GeoIP attributes, API parameters, and speed test data.
|
Package tactics provides dynamic Vaipn client configuration based on GeoIP attributes, API parameters, and speed test data. |
Package transforms provides a mechanism to define and apply string data transformations, with the transformations defined by regular expressions to match data to be transformed, and regular expression generators to specify additional or replacement data.
|
Package transforms provides a mechanism to define and apply string data transformations, with the transformations defined by regular expressions to match data to be transformed, and regular expression generators to specify additional or replacement data. |
Package tun is an IP packet tunnel server and client.
|
Package tun is an IP packet tunnel server and client. |
Package values provides a mechanism for specifying and selecting dynamic values employed by the Vaipn client and server.
|
Package values provides a mechanism for specifying and selecting dynamic values employed by the Vaipn client and server. |
Package wildcard implements a very simple wildcard matcher which supports only the term '*', which matches any sequence of characters.
|
Package wildcard implements a very simple wildcard matcher which supports only the term '*', which matches any sequence of characters. |