Documentation

Index

Constants

View Source
const (
	Inbound  = true
	Outbound = false
)

Packet Directions

View Source
const (
	IncomingHost     = "IH"
	IncomingLAN      = "IL"
	IncomingInternet = "II"
	IncomingInvalid  = "IX"
	PeerHost         = "PH"
	PeerLAN          = "PL"
	PeerInternet     = "PI"
	PeerInvalid      = "PX"
)

Non-Domain Scopes

Variables

This section is empty.

Functions

func AddNetworkDebugData

func AddNetworkDebugData(di *debug.Info, profile, where string)

func GetUnusedLocalPort

func GetUnusedLocalPort(protocol uint8) (port uint16, ok bool)

GetUnusedLocalPort returns a local port of the specified protocol that is currently unused and is unlikely to be used within the next seconds.

func SaveOpenDNSRequest

func SaveOpenDNSRequest(conn *Connection)

SaveOpenDNSRequest saves a dns request connection that was allowed to proceed.

func SetDefaultFirewallHandler

func SetDefaultFirewallHandler(handler FirewallHandler)

SetDefaultFirewallHandler sets the default firewall handler.

Types

type Connection

type Connection struct {
	record.Base
	sync.Mutex

	// ID holds a unique request/connection id and is considered immutable after
	// creation.
	ID string
	// Type defines the connection type.
	Type ConnectionType
	// External defines if the connection represents an external request or
	// connection.
	External bool
	// Scope defines the scope of a connection. For DNS requests, the
	// scope is always set to the domain name. For direct packet
	// connections the scope consists of the involved network environment
	// and the packet direction. Once a connection object is created,
	// Scope is considered immutable.
	// Deprecated: This field holds duplicate information, which is accessible
	// clearer through other attributes. Please use conn.Type, conn.Inbound
	// and conn.Entity.Domain instead.
	Scope string
	// IPVersion is set to the packet IP version. It is not set (0) for
	// connections created from a DNS request.
	IPVersion packet.IPVersion
	// Inbound is set to true if the connection is incoming. Inbound is
	// only set when a connection object is created and is considered
	// immutable afterwards.
	Inbound bool
	// IPProtocol is set to the transport protocol used by the connection.
	// Is is considered immutable once a connection object has been
	// created. IPProtocol is not set for connections that have been
	// created from a DNS request.
	IPProtocol packet.IPProtocol
	// LocalIP holds the local IP address of the connection. It is not
	// set for connections created from DNS requests. LocalIP is
	// considered immutable once a connection object has been created.
	LocalIP net.IP
	// LocalIPScope holds the network scope of the local IP.
	LocalIPScope netutils.IPScope
	// LocalPort holds the local port of the connection. It is not
	// set for connections created from DNS requests. LocalPort is
	// considered immutable once a connection object has been created.
	LocalPort uint16
	// Entity describes the remote entity that the connection has been
	// established to. The entity might be changed or information might
	// be added to it during the livetime of a connection. Access to
	// entity must be guarded by the connection lock.
	Entity *intel.Entity
	// Resolver holds information about the resolver used to resolve
	// Entity.Domain.
	Resolver *resolver.ResolverInfo
	// Verdict is the final decision that has been made for a connection.
	// The verdict may change so any access to it must be guarded by the
	// connection lock.
	Verdict Verdict
	// Reason holds information justifying the verdict, as well as additional
	// information about the reason.
	// Access to Reason must be guarded by the connection lock.
	Reason Reason
	// Started holds the number of seconds in UNIX epoch time at which
	// the connection has been initated and first seen by the portmaster.
	// Started is only ever set when creating a new connection object
	// and is considered immutable afterwards.
	Started int64
	// Ended is set to the number of seconds in UNIX epoch time at which
	// the connection is considered terminated. Ended may be set at any
	// time so access must be guarded by the connection lock.
	Ended int64
	// VerdictPermanent is set to true if the final verdict is permanent
	// and the connection has been (or will be) handed back to the kernel.
	// VerdictPermanent may be changed together with the Verdict and Reason
	// properties and must be guarded using the connection lock.
	VerdictPermanent bool
	// Inspecting is set to true if the connection is being inspected
	// by one or more of the registered inspectors. This property may
	// be changed during the lifetime of a connection and must be guarded
	// using the connection lock.
	Inspecting bool
	// Tunneled is currently unused and MUST be ignored.
	Tunneled bool
	// Encrypted is currently unused and MUST be ignored.
	Encrypted bool
	// ProcessContext holds additional information about the process
	// that iniated the connection. It is set once when the connection
	// object is created and is considered immutable afterwards.
	ProcessContext ProcessContext
	// Internal is set to true if the connection is attributed as an
	// Portmaster internal connection. Internal may be set at different
	// points and access to it must be guarded by the connection lock.
	Internal bool

	// ProfileRevisionCounter is used to track changes to the process
	// profile and required for correct re-evaluation of a connections
	// verdict.
	ProfileRevisionCounter uint64
	// contains filtered or unexported fields
}

Connection describes a distinct physical network connection identified by the IP/Port pair.

func GetConnection

func GetConnection(id string) (*Connection, bool)

GetConnection fetches a Connection from the database.

func NewConnectionFromDNSRequest

func NewConnectionFromDNSRequest(ctx context.Context, fqdn string, cnames []string, connID string, localIP net.IP, localPort uint16) *Connection

NewConnectionFromDNSRequest returns a new connection based on the given dns request.

func NewConnectionFromExternalDNSRequest

func NewConnectionFromExternalDNSRequest(ctx context.Context, fqdn string, cnames []string, connID string, remoteIP net.IP) (*Connection, error)

func NewConnectionFromFirstPacket

func NewConnectionFromFirstPacket(pkt packet.Packet) *Connection

NewConnectionFromFirstPacket returns a new connection based on the given packet.

func (*Connection) Accept

func (conn *Connection) Accept(reason, reasonOptionKey string)

Accept is like AcceptWithContext but only accepts a reason.

func (*Connection) AcceptWithContext

func (conn *Connection) AcceptWithContext(reason, reasonOptionKey string, ctx interface{})

AcceptWithContext accepts the connection.

func (*Connection) Block

func (conn *Connection) Block(reason, reasonOptionKey string)

Block is like BlockWithContext but does only accepts a reason.

func (*Connection) BlockWithContext

func (conn *Connection) BlockWithContext(reason, reasonOptionKey string, ctx interface{})

BlockWithContext blocks the connection.

func (*Connection) Deny

func (conn *Connection) Deny(reason, reasonOptionKey string)

Deny is like DenyWithContext but only accepts a reason.

func (*Connection) DenyWithContext

func (conn *Connection) DenyWithContext(reason, reasonOptionKey string, ctx interface{})

DenyWithContext blocks or drops the link depending on the connection direction.

func (*Connection) Drop

func (conn *Connection) Drop(reason, reasonOptionKey string)

Drop is like DropWithContext but does only accepts a reason.

func (*Connection) DropWithContext

func (conn *Connection) DropWithContext(reason, reasonOptionKey string, ctx interface{})

DropWithContext drops the connection.

func (*Connection) Failed

func (conn *Connection) Failed(reason, reasonOptionKey string)

Failed is like FailedWithContext but only accepts a string.

func (*Connection) FailedWithContext

func (conn *Connection) FailedWithContext(reason, reasonOptionKey string, ctx interface{})

FailedWithContext marks the connection with VerdictFailed and stores the reason.

func (*Connection) GetActiveInspectors

func (conn *Connection) GetActiveInspectors() []bool

GetActiveInspectors returns the list of active inspectors.

func (*Connection) GetExtraRRs

func (conn *Connection) GetExtraRRs(ctx context.Context, request *dns.Msg) []dns.RR

GetExtraRRs returns a slice of RRs with additional informational records.

func (*Connection) GetInspectorData

func (conn *Connection) GetInspectorData() map[uint8]interface{}

GetInspectorData returns the list of inspector data.

func (*Connection) HandlePacket

func (conn *Connection) HandlePacket(pkt packet.Packet)

HandlePacket queues packet of Link for handling

func (*Connection) Process

func (conn *Connection) Process() *process.Process

Process returns the connection's process.

func (*Connection) ReplyWithDNS

func (conn *Connection) ReplyWithDNS(ctx context.Context, request *dns.Msg) *dns.Msg

ReplyWithDNS creates a new reply to the given request with the data from the RRCache, and additional informational records.

func (*Connection) Save

func (conn *Connection) Save()

Save saves the connection in the storage and propagates the change through the database system. Save may lock dnsConnsLock or connsLock in if Save() is called the first time. Callers must make sure to lock the connection itself before calling Save().

func (*Connection) SaveWhenFinished

func (conn *Connection) SaveWhenFinished()

SaveWhenFinished marks the connection for saving it after the firewall handler.

func (*Connection) SetActiveInspectors

func (conn *Connection) SetActiveInspectors(new []bool)

SetActiveInspectors sets the list of active inspectors.

func (*Connection) SetFirewallHandler

func (conn *Connection) SetFirewallHandler(handler FirewallHandler)

SetFirewallHandler sets the firewall handler for this link, and starts a worker to handle the packets.

func (*Connection) SetInspectorData

func (conn *Connection) SetInspectorData(new map[uint8]interface{})

SetInspectorData set the list of inspector data.

func (*Connection) SetLocalIP

func (conn *Connection) SetLocalIP(ip net.IP)

SetLocalIP sets the local IP address together with its network scope. The connection is not locked for this.

func (*Connection) SetVerdict

func (conn *Connection) SetVerdict(newVerdict Verdict, reason, reasonOptionKey string, reasonCtx interface{}) (ok bool)

SetVerdict sets a new verdict for the connection, making sure it does not interfere with previous verdicts.

func (*Connection) StopFirewallHandler

func (conn *Connection) StopFirewallHandler()

StopFirewallHandler unsets the firewall handler and stops the handler worker.

func (*Connection) String

func (conn *Connection) String() string

String returns a string representation of conn.

type ConnectionType

type ConnectionType int8
const (
	Undefined ConnectionType = iota
	IPConnection
	DNSRequest
)

type FirewallHandler

type FirewallHandler func(conn *Connection, pkt packet.Packet)

FirewallHandler defines the function signature for a firewall handle function. A firewall handler is responsible for finding a reasonable verdict for the connection conn. The connection is locked before the firewall handler is called.

type ProcessContext

type ProcessContext struct {
	// ProcessName is the name of the process.
	ProcessName string
	// ProfileName is the name of the profile.
	ProfileName string
	// BinaryPath is the path to the process binary.
	BinaryPath string
	// CmdLine holds the execution parameters.
	CmdLine string
	// PID is the process identifier.
	PID int
	// Profile is the ID of the main profile that
	// is applied to the process.
	Profile string
	// Source is the source of the profile.
	Source string
}

ProcessContext holds additional information about the process that iniated a connection.

type Reason

type Reason struct {
	// Msg is a human readable description of the reason.
	Msg string
	// OptionKey is the configuration option key of the setting that
	// was responsible for the verdict.
	OptionKey string
	// Profile is the database key of the profile that held the setting
	// that was responsible for the verdict.
	Profile string
	// ReasonContext may hold additional reason-specific information and
	// any access must be guarded by the connection lock.
	Context interface{}
}

Reason holds information justifying a verdict, as well as additional information about the reason.

type StorageInterface

type StorageInterface struct {
	storage.InjectBase
}

StorageInterface provices a storage.Interface to the configuration manager.

func (*StorageInterface) Get

func (s *StorageInterface) Get(key string) (record.Record, error)

Get returns a database record.

func (*StorageInterface) Query

func (s *StorageInterface) Query(q *query.Query, local, internal bool) (*iterator.Iterator, error)

Query returns a an iterator for the supplied query.

type Verdict

type Verdict int8

Verdict describes the decision made about a connection or link.

const (
	// VerdictUndecided is the default status of new connections.
	VerdictUndecided           Verdict = 0
	VerdictUndeterminable      Verdict = 1
	VerdictAccept              Verdict = 2
	VerdictBlock               Verdict = 3
	VerdictDrop                Verdict = 4
	VerdictRerouteToNameserver Verdict = 5
	VerdictRerouteToTunnel     Verdict = 6
	VerdictFailed              Verdict = 7
)

All possible verdicts that can be applied to a network connection.

func (Verdict) String

func (v Verdict) String() string

func (Verdict) Verb

func (v Verdict) Verb() string

Verb returns the verdict as a past tense verb.

Directories

Path Synopsis