Documentation
Index
- func ProcessBlockedEvents(rd *ringbuf.Reader, configMgr *config.Manager, ...)
- type AuditEvent
- type AuditEventType
- type AuditLogger
- func (a *AuditLogger) Close() error
- func (a *AuditLogger) IsAuditMode() bool
- func (a *AuditLogger) LogConnectionAllowed(srcIP, dstIP, hostname string, dstPort uint16, process string, pid uint32, ...) error
- func (a *AuditLogger) LogConnectionBlocked(srcIP, dstIP, hostname string, dstPort uint16, process string, pid uint32, ...) error
- func (a *AuditLogger) LogConnectionLateAllowed(srcIP, dstIP, hostname, matchedRule string, dstPort uint16, process string, ...) error
- func (a *AuditLogger) LogDNSBlocked(domain string) error
- func (a *AuditLogger) LogEvent(event AuditEvent) error
- func (a *AuditLogger) LogExistingConnection(ip, hostname, matchedRule string, allowed bool, autoAllowedType string) error
- func (a *AuditLogger) LogProtocolBlocked(srcIP, dstIP, hostname, protocol, process string, pid uint32) error
- func (a *AuditLogger) SetAuditMode(auditMode bool)
- type BpfBlockedEvent
- type FirewallUpdater
- type NotificationTracker
- type StateMachineClient
Constants
This section is empty.
Variables
This section is empty.
Functions
func ProcessBlockedEvents
func ProcessBlockedEvents(rd *ringbuf.Reader, configMgr *config.Manager, notificationTracker *NotificationTracker, auditLogger *AuditLogger, fw FirewallUpdater, logger *slog.Logger)
ProcessBlockedEvents reads blocked-connection events from the BPF ring buffer rd and handles each one using the current configuration (configMgr), the notification tracker, the audit logger and the firewall updater fw.
Types
type AuditEvent
type AuditEvent struct {
	Timestamp       time.Time      `json:"timestamp"`
	EventType       AuditEventType `json:"event_type"`
	SrcIP           string         `json:"src_ip,omitempty"`
	DstIP           string         `json:"dst_ip,omitempty"`
	DstHostname     string         `json:"dst_hostname,omitempty"`
	DstPort         uint16         `json:"dst_port,omitempty"`
	Protocol        string         `json:"protocol,omitempty"`
	Process         string         `json:"process,omitempty"`
	PID             uint32         `json:"pid,omitempty"`
	MatchedRule     string         `json:"matched_rule,omitempty"`
	AutoAllowedType string         `json:"auto_allowed_type,omitempty"`
	WouldDeny       bool           `json:"would_deny"` // true in audit mode (would have been denied)
	Blocked         bool           `json:"blocked"`    // true in enforce mode (actually blocked)
}
AuditEvent represents a network event for audit logging
type AuditEventType
type AuditEventType string
AuditEventType represents the type of audit event
const (
	EventConnectionBlocked     AuditEventType = "connection_blocked"
	EventConnectionAllowed     AuditEventType = "connection_allowed"
	EventConnectionLateAllowed AuditEventType = "connection_late_allowed"
	EventProtocolBlocked       AuditEventType = "protocol_blocked"
	EventDNSBlocked            AuditEventType = "dns_blocked"
	EventExistingConnection    AuditEventType = "existing_connection"
)
func (AuditEventType) IsConnectionAllowed (added in v1.2.0)
func (et AuditEventType) IsConnectionAllowed() bool
IsConnectionAllowed reports whether the event type represents an allow outcome for a TCP/UDP connection — either a regular allow or a late-allowed retry after the BPF map missed.
type AuditLogger
type AuditLogger struct {
	// contains filtered or unexported fields
}
AuditLogger writes audit events to a JSON file (one event per line)
func NewAuditLogger
func NewAuditLogger(path string, auditMode bool) (*AuditLogger, error)
NewAuditLogger creates a new audit logger that writes to the specified file
func (*AuditLogger) Close
func (a *AuditLogger) Close() error
Close flushes pending writes and closes the audit log file
func (*AuditLogger) IsAuditMode
func (a *AuditLogger) IsAuditMode() bool
IsAuditMode reports whether the logger is running in audit mode, in which events record WouldDeny rather than Blocked (see AuditEvent).
func (*AuditLogger) LogConnectionAllowed
func (a *AuditLogger) LogConnectionAllowed(srcIP, dstIP, hostname string, dstPort uint16, process string, pid uint32, autoAllowedType, protocol string) error
LogConnectionAllowed logs an allowed TCP/UDP connection event. `protocol` is the L4 protocol from the BPF event (typically "TCP" or "UDP" — see getProtocolName); the field is shipped to the summary backend and feeds the dedup key, so a real value beats a hardcoded literal (auto-allowed DNS on :53 is the canonical UDP example).
func (*AuditLogger) LogConnectionBlocked
func (a *AuditLogger) LogConnectionBlocked(srcIP, dstIP, hostname string, dstPort uint16, process string, pid uint32, protocol string) error
LogConnectionBlocked logs a blocked connection event. `protocol` is the L4 protocol of the dropped packet (typically "TCP" or "UDP" — see getProtocolName); the field is shipped to the summary backend and rendered in the UI's Baseline Entries table, so a real value beats a generic literal.
func (*AuditLogger) LogConnectionLateAllowed (added in v1.2.0)
func (a *AuditLogger) LogConnectionLateAllowed(srcIP, dstIP, hostname, matchedRule string, dstPort uint16, process string, pid uint32, protocol string) error
LogConnectionLateAllowed logs a connection that BPF initially dropped but that we then opened the firewall for after late hostname resolution matched an allow rule. The original SYN was lost, but the next retry will succeed. `protocol` is the L4 protocol of the dropped packet — see LogConnectionBlocked. `matchedRule` is the rule's Value (pattern string for glob rules, configured hostname for plain rules), which can differ from the resolved DstHostname (e.g. rule `*.compute-1.amazonaws.com` matching `ec2-1-2-3-4.compute-1...`).
func (*AuditLogger) LogDNSBlocked
func (a *AuditLogger) LogDNSBlocked(domain string) error
LogDNSBlocked logs a blocked DNS query
func (*AuditLogger) LogEvent
func (a *AuditLogger) LogEvent(event AuditEvent) error
LogEvent writes an audit event to the log file
func (*AuditLogger) LogExistingConnection
func (a *AuditLogger) LogExistingConnection(ip, hostname, matchedRule string, allowed bool, autoAllowedType string) error
LogExistingConnection logs a pre-existing connection that was found at startup
func (*AuditLogger) LogProtocolBlocked
func (a *AuditLogger) LogProtocolBlocked(srcIP, dstIP, hostname, protocol, process string, pid uint32) error
LogProtocolBlocked logs a blocked protocol event
func (*AuditLogger) SetAuditMode
func (a *AuditLogger) SetAuditMode(auditMode bool)
SetAuditMode updates the audit mode flag at runtime.
type BpfBlockedEvent
type BpfBlockedEvent struct {
	IpVersion uint8
	Allowed   uint8
	IpProto   uint8 // L4 protocol (unix.IPPROTO_TCP, _UDP, _ICMP, …)
	Pad1      uint8
	SrcIp     uint32 // IPv4 (used when IpVersion == 4)
	DstIp     uint32 // IPv4 (used when IpVersion == 4)
	SrcPort   uint16
	DstPort   uint16
	SrcIp6    [16]byte // IPv6 (used when IpVersion == 6)
	DstIp6    [16]byte // IPv6 (used when IpVersion == 6)
	Timestamp uint64
	Pid       uint32
	Pad2      uint32
}
BpfBlockedEvent matches the struct in tcbpf.c
type FirewallUpdater
type FirewallUpdater interface {
	AddIP(ip net.IP, action config.Action, ports []config.Port) (bool, error)
}
FirewallUpdater allows the event processor to dynamically add IPs to the firewall when lazy reverse DNS reveals a blocked IP belongs to an allowed hostname.
type NotificationTracker
type NotificationTracker struct {
	// contains filtered or unexported fields
}
NotificationTracker ensures we only send one notification per unique destination
func NewNotificationTracker
func NewNotificationTracker(smClient StateMachineClient, logger *slog.Logger) *NotificationTracker
NewNotificationTracker creates a new notification tracker
func (*NotificationTracker) SendNotification
func (n *NotificationTracker) SendNotification(hostname, ip string, port uint16)
SendNotification sends a block notification for the given destination, skipping destinations that have already been notified.