network

package
v1.4.1
Published: Aug 11, 2023 License: AGPL-3.0 Imports: 40 Imported by: 0

Documentation

Constants

const (
	// DeleteConnsAfterEndedThreshold defines the amount of time after which
	// ended connections should be removed from the internal connection state.
	DeleteConnsAfterEndedThreshold = 10 * time.Minute

	// DeleteIncompleteConnsAfterStartedThreshold defines the amount of time after
	// which incomplete connections should be removed from the internal
	// connection state.
	DeleteIncompleteConnsAfterStartedThreshold = 1 * time.Minute
)
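The two thresholds above define when the package drops entries from its internal connection state: an ended connection is kept for a while so its verdict and reason stay visible, whereas an incomplete connection (no actual packet seen yet, so no verdict can be reached) is bounded to a short lifetime so that half-seen flows cannot accumulate. The following is an added example, not code from the Portmaster project: it applies exactly those two rules to a reduced stand-in for Connection that carries only the documented Started, Ended and DataIsComplete() semantics. The connState type, the cleanup and shouldDelete functions and the sampleConns data are constructed for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Thresholds with the values documented for the network package.
const (
	deleteConnsAfterEndedThreshold             = 10 * time.Minute
	deleteIncompleteConnsAfterStartedThreshold = 1 * time.Minute
)

// connState is a reduced stand-in for network.Connection carrying only the
// fields the cleanup rules look at (illustrative, not the project's type).
type connState struct {
	ID       string
	Started  int64 // UNIX seconds, set once at creation
	Ended    int64 // UNIX seconds, 0 while the connection is still live
	Complete bool  // what DataIsComplete() reports
}

// shouldDelete applies the two documented rules at time now:
//   - an ended connection is removed once Ended lies more than
//     DeleteConnsAfterEndedThreshold in the past;
//   - an incomplete connection is removed once Started lies more than
//     DeleteIncompleteConnsAfterStartedThreshold in the past, so a flow for
//     which no packet ever arrived cannot sit in state indefinitely.
// A complete, still-live connection (Ended == 0) is always kept.
func shouldDelete(c connState, now time.Time) bool {
	if c.Ended != 0 && now.Sub(time.Unix(c.Ended, 0)) > deleteConnsAfterEndedThreshold {
		return true
	}
	if !c.Complete && now.Sub(time.Unix(c.Started, 0)) > deleteIncompleteConnsAfterStartedThreshold {
		return true
	}
	return false
}

// cleanup returns the IDs of the connections to remove and the remaining state.
func cleanup(conns []connState, now time.Time) (deleted []string, kept []connState) {
	for _, c := range conns {
		if shouldDelete(c, now) {
			deleted = append(deleted, c.ID)
		} else {
			kept = append(kept, c)
		}
	}
	return deleted, kept
}

// sampleConns builds a constructed set of connections relative to now.
func sampleConns(now time.Time) []connState {
	s := func(ago time.Duration) int64 { return now.Add(-ago).Unix() }
	return []connState{
		{ID: "live-complete", Started: s(2 * time.Hour), Complete: true},                        // kept: still open
		{ID: "ended-recent", Started: s(time.Hour), Ended: s(5 * time.Minute), Complete: true},  // kept: ended < 10m ago
		{ID: "ended-old", Started: s(time.Hour), Ended: s(11 * time.Minute), Complete: true},    // deleted: ended > 10m ago
		{ID: "incomplete-new", Started: s(30 * time.Second)},                                    // kept: incomplete < 1m old
		{ID: "incomplete-stale", Started: s(90 * time.Second)},                                  // deleted: incomplete > 1m old
		{ID: "incomplete-ended-old", Started: s(20 * time.Minute), Ended: s(15 * time.Minute)},  // deleted: both rules apply
	}
}

func main() {
	now := time.Now()
	deleted, kept := cleanup(sampleConns(now), now)
	fmt.Println("deleted:", deleted)
	for _, c := range kept {
		fmt.Println("kept:", c.ID)
	}
}
```

Note the asymmetry the thresholds encode: the 10-minute grace period after Ended is about keeping forensic context around, while the 1-minute limit on incomplete connections is a resource bound, because such entries can neither be evaluated for a verdict nor be shown in the UI.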
const (
	Inbound  = true
	Outbound = false
)

Packet Directions.

const (
	IncomingHost     = "IH"
	IncomingLAN      = "IL"
	IncomingInternet = "II"
	IncomingInvalid  = "IX"
	PeerHost         = "PH"
	PeerLAN          = "PL"
	PeerInternet     = "PI"
	PeerInvalid      = "PX"
)

Non-Domain Scopes.

Variables

This section is empty.

Functions

func AddNetworkDebugData added in v0.6.6

func AddNetworkDebugData(di *debug.Info, profile, where string)

AddNetworkDebugData adds the network debug data of the given profile to the debug data.

func GetUnusedLocalPort added in v0.6.10

func GetUnusedLocalPort(protocol uint8) (port uint16, ok bool)

GetUnusedLocalPort returns a local port of the specified protocol that is currently unused and is unlikely to be used within the next seconds.

func IsSupportDNSRecordType added in v1.3.4

func IsSupportDNSRecordType(rrType uint16) bool

IsSupportDNSRecordType returns whether the given DNS RR type is supported by the network package, meaning that requests of that type are specially handled and can be "merged" into the resulting connection.

func SaveOpenDNSRequest added in v0.4.0

func SaveOpenDNSRequest(q *resolver.Query, rrCache *resolver.RRCache, conn *Connection)

SaveOpenDNSRequest saves a dns request connection that was allowed to proceed.
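The functions above, together with NewConnectionFromDNSRequest, Entity.Domain and the DNSContext field of Connection, describe how a DNS request that was allowed to proceed is remembered so that a later IP connection to one of the answered addresses can be attributed to the domain that was resolved. The following is an added example, not Portmaster code, of that correlation step on a reduced model: saveOpenDNSRequest records the answer IPs of an allowed request keyed by address, and merge attaches the domain and CNAME chain to a connection whose remote IP matches a still-valid answer. The assumptions are this example's own: the set of record types treated as supported (A, AAAA and CNAME), the use of the answer TTL as the expiry of the mapping, and the constructed sample answer in main; the real SaveOpenDNSRequest takes the resolver's query and RR cache instead.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Record types whose answers this example ties to later IP connections.
// Assumption of the example: the page does not list which types the real
// IsSupportDNSRecordType accepts.
const (
	rrTypeA     uint16 = 1
	rrTypeCNAME uint16 = 5
	rrTypeAAAA  uint16 = 28
)

func isSupportedRRType(rrType uint16) bool {
	switch rrType {
	case rrTypeA, rrTypeAAAA, rrTypeCNAME:
		return true
	default:
		return false
	}
}

// openDNSRequest is what the correlator remembers about an allowed DNS
// request: the queried name, its CNAME chain and when the answer expires.
type openDNSRequest struct {
	FQDN    string
	CNAMEs  []string
	Expires time.Time
}

// dnsCorrelator maps every answered IP back to the request that produced it.
type dnsCorrelator struct {
	byIP map[netip.Addr]openDNSRequest
}

func newDNSCorrelator() *dnsCorrelator {
	return &dnsCorrelator{byIP: make(map[netip.Addr]openDNSRequest)}
}

// saveOpenDNSRequest records the answer IPs of a request that was allowed to
// proceed. Unsupported record types are ignored because they yield no IP a
// later connection could be matched against.
func (d *dnsCorrelator) saveOpenDNSRequest(fqdn string, cnames []string, rrType uint16, ips []netip.Addr, ttl time.Duration, now time.Time) {
	if !isSupportedRRType(rrType) {
		return
	}
	req := openDNSRequest{FQDN: fqdn, CNAMEs: cnames, Expires: now.Add(ttl)}
	for _, ip := range ips {
		d.byIP[ip] = req
	}
}

// ipConnection is a reduced stand-in for a Connection created from a packet;
// Domain and CNAMEs play the role of Entity.Domain and the DNSContext.
type ipConnection struct {
	RemoteIP netip.Addr
	Domain   string
	CNAMEs   []string
}

// merge attaches the domain of a still-valid DNS answer to the connection.
// Expired answers are discarded rather than used, so a stale mapping cannot
// label a later flow to a reassigned IP with the wrong domain.
func (d *dnsCorrelator) merge(conn *ipConnection, now time.Time) bool {
	req, ok := d.byIP[conn.RemoteIP]
	if !ok {
		return false
	}
	if now.After(req.Expires) {
		delete(d.byIP, conn.RemoteIP)
		return false
	}
	conn.Domain = req.FQDN
	conn.CNAMEs = req.CNAMEs
	return true
}

func main() {
	now := time.Now()
	d := newDNSCorrelator()
	// Constructed sample answer: www.example. -> CNAME cdn.example. -> A 203.0.113.10, TTL 60s.
	d.saveOpenDNSRequest("www.example.", []string{"cdn.example."}, rrTypeA,
		[]netip.Addr{netip.MustParseAddr("203.0.113.10")}, 60*time.Second, now)

	conn := &ipConnection{RemoteIP: netip.MustParseAddr("203.0.113.10")}
	if d.merge(conn, now.Add(10*time.Second)) {
		fmt.Printf("connection to %s attributed to %s via %v\n", conn.RemoteIP, conn.Domain, conn.CNAMEs)
	}
	unknown := &ipConnection{RemoteIP: netip.MustParseAddr("203.0.113.11")}
	fmt.Println("unknown IP merged:", d.merge(unknown, now))
}
```

The point for rule evaluation is that a domain-based verdict can only be as trustworthy as this attribution: a connection whose remote IP was never returned by an allowed DNS answer (or whose answer has expired) gets no domain and must be judged on its IP and scope alone.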

func SetDefaultFirewallHandler added in v0.4.0

func SetDefaultFirewallHandler(handler FirewallHandler)

SetDefaultFirewallHandler sets the default firewall handler.

Types

type Connection

type Connection struct {
	record.Base
	sync.Mutex

	// ID holds a unique request/connection id and is considered immutable after
	// creation.
	ID string
	// Type defines the connection type.
	Type ConnectionType
	// External defines if the connection represents an external request or
	// connection.
	External bool
	// Scope defines the scope of a connection. For DNS requests, the
	// scope is always set to the domain name. For direct packet
	// connections the scope consists of the involved network environment
	// and the packet direction. Once a connection object is created,
	// Scope is considered immutable.
	// Deprecated: This field holds duplicate information, which is accessible
	// more clearly through other attributes. Please use conn.Type, conn.Inbound
	// and conn.Entity.Domain instead.
	Scope string
	// IPVersion is set to the packet IP version. It is not set (0) for
	// connections created from a DNS request.
	IPVersion packet.IPVersion
	// Inbound is set to true if the connection is incoming. Inbound is
	// only set when a connection object is created and is considered
	// immutable afterwards.
	Inbound bool
	// IPProtocol is set to the transport protocol used by the connection.
	// It is considered immutable once a connection object has been
	// created. IPProtocol is not set for connections that have been
	// created from a DNS request.
	IPProtocol packet.IPProtocol
	// LocalIP holds the local IP address of the connection. It is not
	// set for connections created from DNS requests. LocalIP is
	// considered immutable once a connection object has been created.
	LocalIP net.IP
	// LocalIPScope holds the network scope of the local IP.
	LocalIPScope netutils.IPScope
	// LocalPort holds the local port of the connection. It is not
	// set for connections created from DNS requests. LocalPort is
	// considered immutable once a connection object has been created.
	LocalPort uint16
	// PID holds the PID of the owning process.
	PID int
	// Entity describes the remote entity that the connection has been
	// established to. The entity might be changed or information might
	// be added to it during the lifetime of a connection. Access to
	// entity must be guarded by the connection lock.
	Entity *intel.Entity
	// Resolver holds information about the resolver used to resolve
	// Entity.Domain.
	Resolver *resolver.ResolverInfo
	// Verdict holds the decisions that are made for a connection
	// The verdict may change so any access to it must be guarded by the
	// connection lock.
	Verdict struct {
		// Worst verdict holds the worst verdict that was assigned to this
		// connection from a privacy/security perspective.
		Worst Verdict
		// Active verdict holds the verdict that Portmaster will respond with.
		// This is different from the Firewall verdict in order to guarantee proper
		// transition between verdicts that need the connection to be re-established.
		Active Verdict
		// Firewall holds the last (most recent) decision by the firewall.
		Firewall Verdict
	}
	// Reason holds information justifying the verdict, as well as additional
	// information about the reason.
	// Access to Reason must be guarded by the connection lock.
	Reason Reason
	// Started holds the number of seconds in UNIX epoch time at which
	// the connection has been initiated and first seen by the portmaster.
	// Started is only ever set when creating a new connection object
	// and is considered immutable afterwards.
	Started int64
	// Ended is set to the number of seconds in UNIX epoch time at which
	// the connection is considered terminated. Ended may be set at any
	// time so access must be guarded by the connection lock.
	Ended int64
	// VerdictPermanent is set to true if the final verdict is permanent
	// and the connection has been (or will be) handed back to the kernel.
	// VerdictPermanent may be changed together with the Verdict and Reason
	// properties and must be guarded using the connection lock.
	VerdictPermanent bool
	// Inspecting is set to true if the connection is being inspected
	// by one or more of the registered inspectors. This property may
	// be changed during the lifetime of a connection and must be guarded
	// using the connection lock.
	Inspecting bool
	// Tunneled is set to true when the connection has been routed through the
	// SPN.
	Tunneled bool
	// Encrypted is currently unused and MUST be ignored.
	Encrypted bool
	// TunnelOpts holds options for tunneling the connection.
	TunnelOpts *navigator.Options
	// ProcessContext holds additional information about the process
	// that initiated the connection. It is set once when the connection
	// object is created and is considered immutable afterwards.
	ProcessContext ProcessContext
	// DNSContext holds additional information about the DNS request that was
	// probably used to resolve the IP of this connection.
	DNSContext *resolver.DNSRequestContext
	// TunnelContext holds additional information about the tunnel that this
	// connection is using.
	TunnelContext interface {
		GetExitNodeID() string
		StopTunnel() error
	}

	// HistoryEnabled is set to true when the connection should be persisted
	// in the history database.
	HistoryEnabled bool
	// BandwidthEnabled is set to true if connection bandwidth data should be persisted
	// in netquery.
	BandwidthEnabled bool

	// BytesReceived holds the observed received bytes of the connection.
	BytesReceived uint64
	// BytesSent holds the observed sent bytes of the connection.
	BytesSent uint64

	// Internal is set to true if the connection is attributed as an
	// Portmaster internal connection. Internal may be set at different
	// points and access to it must be guarded by the connection lock.
	Internal bool

	// ProfileRevisionCounter is used to track changes to the process
	// profile and required for correct re-evaluation of a connections
	// verdict.
	ProfileRevisionCounter uint64
	// contains filtered or unexported fields
}

Connection describes a distinct physical network connection identified by the IP/Port pair.

func GetAllConnections added in v0.9.8

func GetAllConnections() []*Connection

GetAllConnections returns all connections.

func GetConnection

func GetConnection(connID string) (*Connection, bool)

GetConnection fetches a Connection from the database.

func GetMulticastRequestConn added in v0.8.13

func GetMulticastRequestConn(responseConn *Connection, responseFromNet *net.IPNet) *Connection

GetMulticastRequestConn searches for and returns the requesting connection of a possible multicast/broadcast response.

func NewConnectionFromDNSRequest added in v0.4.0

func NewConnectionFromDNSRequest(ctx context.Context, fqdn string, cnames []string, connID string, localIP net.IP, localPort uint16) *Connection

NewConnectionFromDNSRequest returns a new connection based on the given dns request.

func NewConnectionFromExternalDNSRequest added in v0.6.5

func NewConnectionFromExternalDNSRequest(ctx context.Context, fqdn string, cnames []string, connID string, remoteIP net.IP) (*Connection, error)

NewConnectionFromExternalDNSRequest returns a connection for an external DNS request.

func NewIncompleteConnection added in v1.2.0

func NewIncompleteConnection(pkt packet.Packet) *Connection

NewIncompleteConnection creates a new incomplete connection with only minimal information.

func (*Connection) Accept

func (conn *Connection) Accept(reason, reasonOptionKey string)

Accept is like AcceptWithContext but only accepts a reason.

func (*Connection) AcceptWithContext added in v0.4.1

func (conn *Connection) AcceptWithContext(reason, reasonOptionKey string, ctx interface{})

AcceptWithContext accepts the connection.

func (*Connection) Block

func (conn *Connection) Block(reason, reasonOptionKey string)

Block is like BlockWithContext but only accepts a reason.

func (*Connection) BlockWithContext added in v0.4.1

func (conn *Connection) BlockWithContext(reason, reasonOptionKey string, ctx interface{})

BlockWithContext blocks the connection.

func (*Connection) DataIsComplete added in v1.2.0

func (conn *Connection) DataIsComplete() bool

DataIsComplete returns whether all information about the connection is available and an actual packet has been seen. As long as this flag is not set, the connection may not be evaluated for a verdict and may not be sent to the UI.

func (*Connection) Deny

func (conn *Connection) Deny(reason, reasonOptionKey string)

Deny is like DenyWithContext but only accepts a reason.

func (*Connection) DenyWithContext added in v0.4.1

func (conn *Connection) DenyWithContext(reason, reasonOptionKey string, ctx interface{})

DenyWithContext blocks or drops the connection depending on its direction.

func (*Connection) Drop

func (conn *Connection) Drop(reason, reasonOptionKey string)

Drop is like DropWithContext but only accepts a reason.

func (*Connection) DropWithContext added in v0.4.1

func (conn *Connection) DropWithContext(reason, reasonOptionKey string, ctx interface{})

DropWithContext drops the connection.

func (*Connection) Failed added in v0.4.0

func (conn *Connection) Failed(reason, reasonOptionKey string)

Failed is like FailedWithContext but only accepts a reason.

func (*Connection) FailedWithContext added in v0.4.1

func (conn *Connection) FailedWithContext(reason, reasonOptionKey string, ctx interface{})

FailedWithContext marks the connection with VerdictFailed and stores the reason.

func (*Connection) GatherConnectionInfo added in v1.2.0

func (conn *Connection) GatherConnectionInfo(pkt packet.Packet) (err error)

GatherConnectionInfo gathers information on the process and remote entity.

func (*Connection) GetActiveInspectors added in v0.4.0

func (conn *Connection) GetActiveInspectors() []bool

GetActiveInspectors returns the list of active inspectors.

func (*Connection) GetExtraRRs added in v0.5.5

func (conn *Connection) GetExtraRRs(ctx context.Context, request *dns.Msg) []dns.RR

GetExtraRRs returns a slice of RRs with additional informational records.

func (*Connection) GetInspectorData added in v0.4.0

func (conn *Connection) GetInspectorData() map[uint8]interface{}

GetInspectorData returns the list of inspector data.

func (*Connection) HandlePacket added in v0.4.0

func (conn *Connection) HandlePacket(pkt packet.Packet)

HandlePacket queues the packet for handling by the connection's firewall handler worker.

func (*Connection) Process

func (conn *Connection) Process() *process.Process

Process returns the connection's process.

func (*Connection) ReplyWithDNS added in v0.5.5

func (conn *Connection) ReplyWithDNS(ctx context.Context, request *dns.Msg) *dns.Msg

ReplyWithDNS creates a new reply to the given request with the data from the RRCache, and additional informational records.

func (*Connection) Save

func (conn *Connection) Save()

Save saves the connection in the storage and propagates the change through the database system. Save may lock dnsConnsLock or connsLock when it is called for the first time. Callers must make sure to lock the connection itself before calling Save().

func (*Connection) SaveWhenFinished added in v0.4.0

func (conn *Connection) SaveWhenFinished()

SaveWhenFinished marks the connection for saving it after the firewall handler.

func (*Connection) SetActiveInspectors added in v0.4.0

func (conn *Connection) SetActiveInspectors(newInspectors []bool)

SetActiveInspectors sets the list of active inspectors.

func (*Connection) SetFirewallHandler added in v0.4.0

func (conn *Connection) SetFirewallHandler(handler FirewallHandler)

SetFirewallHandler sets the firewall handler for this connection and starts a worker to handle the packets. The caller needs to hold a lock on the connection. It must not be called with a nil handler; call StopFirewallHandler() instead.

func (*Connection) SetInspectorData added in v0.4.0

func (conn *Connection) SetInspectorData(newInspectorData map[uint8]interface{})

SetInspectorData sets the list of inspector data.

func (*Connection) SetLocalIP added in v0.6.7

func (conn *Connection) SetLocalIP(ip net.IP)

SetLocalIP sets the local IP address together with its network scope. The connection is not locked for this.

func (*Connection) SetVerdict added in v0.4.0

func (conn *Connection) SetVerdict(newVerdict Verdict, reason, reasonOptionKey string, reasonCtx interface{}) (ok bool)

SetVerdict sets a new verdict for the connection.

func (*Connection) SetVerdictDirectly added in v0.9.8

func (conn *Connection) SetVerdictDirectly(newVerdict Verdict)

SetVerdictDirectly sets the firewall verdict.

func (*Connection) StopFirewallHandler added in v0.4.0

func (conn *Connection) StopFirewallHandler()

StopFirewallHandler unsets the firewall handler and stops the handler worker. The caller needs to hold a lock on the connection.

func (*Connection) String

func (conn *Connection) String() string

String returns a string representation of conn.

func (*Connection) UpdateFeatures added in v1.3.5

func (conn *Connection) UpdateFeatures() error

UpdateFeatures checks which connection related features may and should be used and sets the flags accordingly. The caller must hold a lock on the connection.

func (*Connection) UpdateFirewallHandler added in v1.2.0

func (conn *Connection) UpdateFirewallHandler(handler FirewallHandler)

UpdateFirewallHandler replaces the firewall handler only if one is already set and the given handler is not nil. The caller needs to hold a lock on the connection.

func (*Connection) VerdictVerb added in v0.9.8

func (conn *Connection) VerdictVerb() string

VerdictVerb returns the verdict as a verb, while taking any special states into account.

type ConnectionType added in v0.6.7

type ConnectionType int8

ConnectionType is a type of connection.

const (
	Undefined ConnectionType = iota
	IPConnection
	DNSRequest
)

Connection Types.

type FirewallHandler

type FirewallHandler func(conn *Connection, pkt packet.Packet)

FirewallHandler defines the function signature for a firewall handle function. A firewall handler is responsible for finding a reasonable verdict for the connection conn. The connection is locked before the firewall handler is called.
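The locking contract around FirewallHandler is easy to get wrong: SetFirewallHandler, StopFirewallHandler and UpdateFirewallHandler are called with the connection lock held, HandlePacket only queues a packet, and the worker started by SetFirewallHandler takes the lock itself before invoking the handler, so the handler may read and change the verdict without further synchronisation but must never lock the connection again. The following is an added example, not Portmaster code, of that worker-and-queue pattern on a reduced connection model: the queue depth, the non-blocking enqueue that reports a full queue to the caller, ending the worker by closing the queue, and the handler in runHandler that flips the verdict to Block on a constructed "EVIL" payload marker are all this example's choices. The packet type stands in for packet.Packet.

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
)

// Verdict values copied from the network package; only three are used here.
type Verdict int8

const (
	VerdictUndecided Verdict = 0
	VerdictAccept    Verdict = 2
	VerdictBlock     Verdict = 3
)

type packet struct{ Payload []byte } // stand-in for packet.Packet

// FirewallHandler has the documented signature and runs with conn locked.
type FirewallHandler func(conn *connection, pkt packet)

// connection is a reduced model of network.Connection: lock, verdict,
// installed handler and the queue its worker drains.
type connection struct {
	sync.Mutex
	Verdict  Verdict
	handler  FirewallHandler
	pktQueue chan packet
	workers  sync.WaitGroup
}

// SetFirewallHandler installs handler and starts the worker if none is running.
// The caller holds the lock. nil is rejected; StopFirewallHandler unsets.
func (conn *connection) SetFirewallHandler(handler FirewallHandler) {
	if handler == nil {
		panic("nil firewall handler; call StopFirewallHandler instead")
	}
	if conn.handler == nil {
		q := make(chan packet, 100) // queue depth is this example's choice
		conn.pktQueue = q
		conn.workers.Add(1)
		go conn.packetHandlerWorker(q)
	}
	conn.handler = handler
}

// StopFirewallHandler unsets the handler; closing the queue ends the worker.
// The caller holds the lock. Packets still queued are left unhandled.
func (conn *connection) StopFirewallHandler() {
	if conn.handler != nil {
		conn.handler = nil
		close(conn.pktQueue)
	}
}

// HandlePacket queues pkt for the worker. It takes the lock itself, so it must
// not be called with the lock held. The send is non-blocking: a full queue is
// reported to the caller rather than stalling the packet path.
func (conn *connection) HandlePacket(pkt packet) bool {
	conn.Lock()
	defer conn.Unlock()
	if conn.handler == nil {
		return false
	}
	select {
	case conn.pktQueue <- pkt:
		return true
	default:
		return false
	}
}

// packetHandlerWorker runs the handler under the lock, one packet at a time.
func (conn *connection) packetHandlerWorker(queue <-chan packet) {
	defer conn.workers.Done()
	for pkt := range queue {
		conn.Lock()
		if conn.handler != nil {
			conn.handler(conn, pkt)
		}
		conn.Unlock()
	}
}

// runHandler pushes constructed payloads through a handler that accepts until
// a packet carries the marker "EVIL"; from then on the verdict stays Block.
// It returns the final verdict and how many packets the handler saw.
func runHandler(payloads []string) (Verdict, int) {
	conn := &connection{}
	seen := make(chan struct{}, len(payloads))
	inspected := 0
	conn.Lock()
	conn.SetFirewallHandler(func(c *connection, pkt packet) {
		inspected++ // safe: the worker holds c's lock while calling us
		if c.Verdict != VerdictBlock && bytes.Contains(pkt.Payload, []byte("EVIL")) {
			c.Verdict = VerdictBlock
		} else if c.Verdict == VerdictUndecided {
			c.Verdict = VerdictAccept
		}
		seen <- struct{}{}
	})
	conn.Unlock()
	queued := 0
	for _, p := range payloads {
		if conn.HandlePacket(packet{Payload: []byte(p)}) {
			queued++
		}
	}
	for i := 0; i < queued; i++ {
		<-seen
	}
	conn.Lock()
	conn.StopFirewallHandler()
	verdict := conn.Verdict
	conn.Unlock()
	conn.workers.Wait()
	return verdict, inspected
}

func main() {
	v, n := runHandler([]string{"GET / HTTP/1.1", "EVIL", "Host: example.test"})
	fmt.Printf("verdict=%d inspected=%d\n", v, n)
}
```

Because the worker takes the lock for every packet, a handler that blocks on I/O stalls every other accessor of that connection; in practice the handler should decide quickly and leave deeper work to inspectors.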

type ProcessContext added in v0.6.0

type ProcessContext struct {
	// ProcessName is the name of the process.
	ProcessName string
	// ProfileName is the name of the profile.
	ProfileName string
	// BinaryPath is the path to the process binary.
	BinaryPath string
	// CmdLine holds the execution parameters.
	CmdLine string
	// PID is the process identifier.
	PID int
	// CreatedAt the time when the process was created.
	CreatedAt int64
	// Profile is the ID of the main profile that
	// is applied to the process.
	Profile string
	// Source is the source of the profile.
	Source string
}

ProcessContext holds additional information about the process that initiated a connection.

type Reason added in v0.6.0

type Reason struct {
	// Msg is a human readable description of the reason.
	Msg string
	// OptionKey is the configuration option key of the setting that
	// was responsible for the verdict.
	OptionKey string
	// Profile is the database key of the profile that held the setting
	// that was responsible for the verdict.
	Profile string
	// ReasonContext may hold additional reason-specific information and
	// any access must be guarded by the connection lock.
	Context interface{}
}

Reason holds information justifying a verdict, as well as additional information about the reason.

type StorageInterface

type StorageInterface struct {
	storage.InjectBase
}

StorageInterface provides a storage.Interface to the configuration manager.

func (*StorageInterface) Get

func (s *StorageInterface) Get(key string) (record.Record, error)

Get returns a database record.

func (*StorageInterface) Query

func (s *StorageInterface) Query(q *query.Query, local, internal bool) (*iterator.Iterator, error)

Query returns an iterator for the supplied query.

type Verdict

type Verdict int8

Verdict describes the decision made about a connection or link.

const (
	// VerdictUndecided is the default status of new connections.
	VerdictUndecided           Verdict = 0
	VerdictUndeterminable      Verdict = 1
	VerdictAccept              Verdict = 2
	VerdictBlock               Verdict = 3
	VerdictDrop                Verdict = 4
	VerdictRerouteToNameserver Verdict = 5
	VerdictRerouteToTunnel     Verdict = 6
	VerdictFailed              Verdict = 7
)

All possible verdicts that can be applied to a network connection.

func (Verdict) String added in v0.2.5

func (v Verdict) String() string

func (Verdict) Verb added in v0.5.5

func (v Verdict) Verb() string

Verb returns the verdict as a past tense verb.
