conntrack

package
Published: Dec 20, 2024 License: Apache-2.0, Apache-2.0 Imports: 19 Imported by: 0

Constants

const (
	// Entry types recorded in a conntrack Value. Values are built with
	// NewValueNormal (TypeNormal), NewValueNATForward (TypeNATForward) and
	// NewValueNATReverse / NewValueNATReverseSNAT (TypeNATReverse); the V6
	// constructors use the same types.
	TypeNormal uint8 = iota
	TypeNATForward
	TypeNATReverse
)
const (
	// IANA-assigned IP protocol numbers used as the proto argument of
	// NewKey/NewKeyV6 and Timeouts.EntryExpired.
	ProtoICMP  = 1
	ProtoTCP   = 6
	ProtoUDP   = 17
	ProtoICMP6 = 58
)
const KeySize = curVer.KeySize
const KeyV6Size = curVer.KeyV6Size
const MaxEntries = curVer.MaxEntries
const ValueSize = curVer.ValueSize
const ValueV6Size = curVer.ValueV6Size

Variables

var MapParams = curVer.MapParams
var MapParamsV6 = curVer.MapParamsV6

Functions

func GetKeyValueTypeFromVersion

func GetKeyValueTypeFromVersion(version int, k, v []byte) (maps.Upgradable, maps.Upgradable)

func GetMapParams

func GetMapParams(version int) maps.MapParameters

func Map

func Map() maps.Map

func MapMemIter

func MapMemIter(m MapMem) func(k, v []byte)

MapMemIter returns a maps.MapIter that loads entries into the provided MapMem.

func MapMemIterV6

func MapMemIterV6(m MapMemV6) func(k, v []byte)

MapMemIterV6 returns a maps.MapIter that loads entries into the provided MapMemV6.

func MapV2

func MapV2() maps.Map

func MapV6

func MapV6() maps.Map

func SetCleanupMapSize

func SetCleanupMapSize(size int)

func SetMapSize

func SetMapSize(size int)

Types

type BPFLogLevel

type BPFLogLevel string
const (
	// BPFLogLevelDebug selects debug logging when passed to
	// NewBPFProgLivenessScanner.
	BPFLogLevelDebug BPFLogLevel = "debug"
	// BPFLogLevelNone selects no logging when passed to
	// NewBPFProgLivenessScanner.
	BPFLogLevelNone  BPFLogLevel = "no_log"
)

type BPFProgLivenessScanner

type BPFProgLivenessScanner struct {
	// contains filtered or unexported fields
}

BPFProgLivenessScanner is a scanner that uses a BPF program to scan the conntrack table for expired entries. The BPF program does the entry deletion, taking care to delete forward and reverse NAT entries together, thus minimising the window where only one entry is present.

Note: the tests for this object are largely in the bpf/ut package, since we require a privileged environment to test the BPF program.

func NewBPFProgLivenessScanner

func NewBPFProgLivenessScanner(
	ipVersion int,
	timeouts Timeouts,
	bpfLogLevel BPFLogLevel,
) (*BPFProgLivenessScanner, error)

func (*BPFProgLivenessScanner) Check

func (s *BPFProgLivenessScanner) Check(
	keyInterface KeyInterface,
	valueInterface ValueInterface,
	get EntryGet,
) ScanVerdict

func (*BPFProgLivenessScanner) Close

func (s *BPFProgLivenessScanner) Close() error

func (*BPFProgLivenessScanner) IterationEnd

func (s *BPFProgLivenessScanner) IterationEnd()

func (*BPFProgLivenessScanner) IterationStart

func (s *BPFProgLivenessScanner) IterationStart()

func (*BPFProgLivenessScanner) RunBPFExpiryProgram

func (s *BPFProgLivenessScanner) RunBPFExpiryProgram(opts ...RunOpt) error

type CleanupContext

type CleanupContext struct {
	StartTime uint64
	EndTime   uint64

	NumKVsSeenNormal     uint64
	NumKVsSeenNATForward uint64
	NumKVsSeenNATReverse uint64

	NumKVsDeletedNormal     uint64
	NumKVsDeletedNATForward uint64
	NumKVsDeletedNATReverse uint64
}

CleanupContext is the result of running the BPF cleanup program.

WARNING: this struct needs to match struct ct_iter_ctx in conntrack_cleanup.c.

type EntryGet

type EntryGet func(KeyInterface) (ValueInterface, error)

EntryGet is a function prototype provided to EntryScanner so that it can look up other entries when it needs them to make a verdict.

type EntryScanner

type EntryScanner interface {
	Check(KeyInterface, ValueInterface, EntryGet) ScanVerdict
}

EntryScanner is the interface that the Scanner calls on every entry.

type EntryScannerSynced

type EntryScannerSynced interface {
	EntryScanner
	IterationStart()
	IterationEnd()
}

EntryScannerSynced is a scanner synchronized with the iteration start/end.

type Key

type Key = curVer.Key

func BytesToKey

func BytesToKey(bytes []byte) Key

BytesToKey turns a slice of bytes into a Key

func NewKey

func NewKey(proto uint8, ipA net.IP, portA uint16, ipB net.IP, portB uint16) Key

func StringToKey

func StringToKey(str string) Key

StringToKey turns a string into a Key

type KeyInterface

type KeyInterface = curVer.KeyInterface

func KeyFromBytes

func KeyFromBytes(k []byte) KeyInterface

func KeyV6FromBytes

func KeyV6FromBytes(k []byte) KeyInterface

type KeyV6

type KeyV6 = curVer.KeyV6

func BytesToKeyV6

func BytesToKeyV6(bytes []byte) KeyV6

BytesToKeyV6 turns a slice of bytes into a KeyV6

func NewKeyV6

func NewKeyV6(proto uint8, ipA net.IP, portA uint16, ipB net.IP, portB uint16) KeyV6

func StringToKeyV6

func StringToKeyV6(str string) KeyV6

StringToKeyV6 turns a string into a KeyV6

type Leg

type Leg = curVer.Leg

type LivenessScanner

type LivenessScanner struct {
	// contains filtered or unexported fields
}

func NewLivenessScanner

func NewLivenessScanner(timeouts Timeouts, dsr bool, opts ...LivenessScannerOpt) *LivenessScanner

func (*LivenessScanner) Check

func (l *LivenessScanner) Check(ctKey KeyInterface, ctVal ValueInterface, get EntryGet) ScanVerdict

type LivenessScannerOpt

type LivenessScannerOpt func(ls *LivenessScanner)

func WithTimeShim

func WithTimeShim(shim timeshim.Interface) LivenessScannerOpt

type MapMem

type MapMem = curVer.MapMem

func LoadMapMem

func LoadMapMem(m maps.Map) (MapMem, error)

LoadMapMem loads ConntrackMap into memory

type MapMemV6

type MapMemV6 = curVer.MapMemV6

func LoadMapMemV6

func LoadMapMemV6(m maps.Map) (MapMemV6, error)

LoadMapMemV6 loads the IPv6 conntrack map into memory.

type NATChecker

type NATChecker interface {
	ConntrackScanStart()
	ConntrackScanEnd()
	ConntrackFrontendHasBackend(ip net.IP, port uint16, backendIP net.IP, backendPort uint16, proto uint8) bool
}

NATChecker reports whether a given frontend-backend combination exists.

type RunOpt

type RunOpt func(result *CleanupContext)

func WithStartTime

func WithStartTime(t uint64) RunOpt

type ScanVerdict

type ScanVerdict int

ScanVerdict represents the set of values returned by EntryScanner.Check.

const (
	// ScanVerdictOK means the entry is fine and should remain.
	ScanVerdictOK ScanVerdict = iota
	// ScanVerdictDelete means the entry should be deleted.
	ScanVerdictDelete

	// ScanPeriod determines how often we iterate over the conntrack table.
	// It is a time.Duration, not a ScanVerdict, despite sharing this block.
	ScanPeriod = 10 * time.Second
)

type Scanner

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner iterates over a provided conntrack map and calls a set of EntryScanner functions on each entry, in the order in which they were passed to NewScanner. If any EntryScanner returns ScanVerdictDelete, the Scanner deletes the entry, does not call the remaining EntryScanners for it, and continues the iteration.

It provides a delete-safe iteration over the conntrack table for multiple evaluation functions, keeping their implementations simpler.

func NewScanner

func NewScanner(ctMap maps.Map, kfb func([]byte) KeyInterface, vfb func([]byte) ValueInterface,
	scanners ...EntryScanner) *Scanner

NewScanner returns a scanner for the given conntrack map and the set of EntryScanner. They are executed in the provided order on each entry.

func (*Scanner) AddUnlocked

func (s *Scanner) AddUnlocked(scanner EntryScanner)

AddUnlocked adds an additional EntryScanner to a Scanner that is not running.

func (*Scanner) Scan

func (s *Scanner) Scan()

Scan executes a single scanning iteration.

func (*Scanner) Start

func (s *Scanner) Start()

Start starts the periodic scanner.

func (*Scanner) Stop

func (s *Scanner) Stop()

Stop stops the Scanner and waits for it to finish.

type StaleNATScanner

type StaleNATScanner struct {
	// contains filtered or unexported fields
}

StaleNATScanner removes any entries to a frontend that no longer has the corresponding backend.

func NewStaleNATScanner

func NewStaleNATScanner(frontendHasBackend NATChecker) *StaleNATScanner

NewStaleNATScanner returns an EntryScanner that uses the provided NATChecker to check whether entries still have a matching NAT mapping and deletes those that do not.

func (*StaleNATScanner) Check

Check checks the conntrack entry and returns a ScanVerdict.

func (*StaleNATScanner) IterationEnd

func (sns *StaleNATScanner) IterationEnd()

IterationEnd satisfies EntryScannerSynced

func (*StaleNATScanner) IterationStart

func (sns *StaleNATScanner) IterationStart()

IterationStart satisfies EntryScannerSynced

type Timeouts

type Timeouts struct {
	CreationGracePeriod time.Duration

	TCPPreEstablished time.Duration
	TCPEstablished    time.Duration
	TCPFinsSeen       time.Duration
	TCPResetSeen      time.Duration

	UDPLastSeen time.Duration

	// GenericIPLastSeen is the timeout for IP protocols that we don't know.
	GenericIPLastSeen time.Duration

	ICMPLastSeen time.Duration
}

func DefaultTimeouts

func DefaultTimeouts() Timeouts

func (*Timeouts) EntryExpired

func (t *Timeouts) EntryExpired(nowNanos int64, proto uint8, entry ValueInterface) (reason string, expired bool)

EntryExpired checks whether a given conntrack table entry for the given protocol is expired at the given time.

WARNING: this implementation is duplicated in the conntrack_cleanup.c BPF program.

type Value

type Value = curVer.Value

func BytesToValue

func BytesToValue(bytes []byte) Value

BytesToValue turns a slice of bytes into a Value.

func NewValueNATForward

func NewValueNATForward(created, lastSeen time.Duration, flags uint16, revKey Key) Value

NewValueNATForward creates a new Value of type TypeNATForward for the given arguments and the reverse key

func NewValueNATReverse

func NewValueNATReverse(
	created, lastSeen time.Duration, flags uint16, legA, legB Leg,
	tunnelIP, origIP net.IP, origPort uint16,
) Value

NewValueNATReverse creates a new Value of type TypeNATReverse for the given arguments and reverse parameters

func NewValueNATReverseSNAT

func NewValueNATReverseSNAT(
	created, lastSeen time.Duration, flags uint16, legA, legB Leg,
	tunnelIP, origIP, origSrcIP net.IP, origPort uint16,
) Value

NewValueNATReverseSNAT in addition to NewValueNATReverse sets the orig source IP

func NewValueNormal

func NewValueNormal(created, lastSeen time.Duration, flags uint16, legA, legB Leg) Value

NewValueNormal creates a new Value of type TypeNormal based on the given parameters

func StringToValue

func StringToValue(str string) Value

StringToValue turns a string into a Value

type ValueInterface

type ValueInterface = curVer.ValueInterface

func ValueFromBytes

func ValueFromBytes(v []byte) ValueInterface

func ValueV6FromBytes

func ValueV6FromBytes(v []byte) ValueInterface

type ValueV6

type ValueV6 = curVer.ValueV6

func BytesToValueV6

func BytesToValueV6(bytes []byte) ValueV6

BytesToValueV6 turns a slice of bytes into a ValueV6.

func NewValueV6NATForward

func NewValueV6NATForward(created, lastSeen time.Duration, flags uint16, revKey KeyV6) ValueV6

NewValueV6NATForward creates a new ValueV6 of type TypeNATForward for the given arguments and the reverse key

func NewValueV6NATReverse

func NewValueV6NATReverse(
	created, lastSeen time.Duration, flags uint16, legA, legB Leg,
	tunnelIP, origIP net.IP, origPort uint16,
) ValueV6

NewValueV6NATReverse creates a new ValueV6 of type TypeNATReverse for the given arguments and reverse parameters

func NewValueV6NATReverseSNAT

func NewValueV6NATReverseSNAT(
	created, lastSeen time.Duration, flags uint16, legA, legB Leg,
	tunnelIP, origIP, origSrcIP net.IP, origPort uint16,
) ValueV6

NewValueV6NATReverseSNAT in addition to NewValueV6NATReverse sets the orig source IP

func NewValueV6Normal

func NewValueV6Normal(created, lastSeen time.Duration, flags uint16, legA, legB Leg) ValueV6

NewValueV6Normal creates a new ValueV6 of type TypeNormal based on the given parameters

func StringToValueV6

func StringToValueV6(str string) ValueV6

StringToValueV6 turns a string into a ValueV6
