Documentation

Index

Constants

View Source
const (
	Inbound  = true
	Outbound = false
)

    Packet Directions

    View Source
    const (
    	IncomingHost     = "IH"
    	IncomingLAN      = "IL"
    	IncomingInternet = "II"
    	IncomingInvalid  = "IX"
    	PeerHost         = "PH"
    	PeerLAN          = "PL"
    	PeerInternet     = "PI"
    	PeerInvalid      = "PX"
    )

      Non-Domain Scopes

      Variables

      This section is empty.

      Functions

      func SaveOpenDNSRequest

      func SaveOpenDNSRequest(conn *Connection)

        SaveOpenDNSRequest saves a dns request connection that was allowed to proceed.

        func SetDefaultFirewallHandler

        func SetDefaultFirewallHandler(handler FirewallHandler)

          SetDefaultFirewallHandler sets the default firewall handler.

          Types

          type Connection

          type Connection struct {
          	record.Base
          	sync.Mutex
          
          	// ID may hold unique connection id. It is only set for non-DNS
          	// request connections and is considered immutable after a
          	// connection object has been created.
          	ID string
          	// Scope defines the scope of a connection. For DNS requests, the
          	// scope is always set to the domain name. For direct packet
          	// connections the scope consists of the involved network environment
          	// and the packet direction. Once a connection object is created,
          	// Scope is considered immutable.
          	Scope string
          	// IPVersion is set to the packet IP version. It is not set (0) for
          	// connections created from a DNS request.
          	IPVersion packet.IPVersion
          	// Inbound is set to true if the connection is incoming. Inbound is
          	// only set when a connection object is created and is considered
          	// immutable afterwards.
          	Inbound bool
          	// IPProtocol is set to the transport protocol used by the connection.
          	// Is is considered immutable once a connection object has been
          	// created. IPProtocol is not set for connections that have been
          	// created from a DNS request.
          	IPProtocol packet.IPProtocol
          	// LocalIP holds the local IP address of the connection. It is not
          	// set for connections created from DNS requests. LocalIP is
          	// considered immutable once a connection object has been created.
          	LocalIP net.IP
          	// LocalPort holds the local port of the connection. It is not
          	// set for connections created from DNS requests. LocalPort is
          	// considered immutable once a connection object has been created.
          	LocalPort uint16
          	// Entity describes the remote entity that the connection has been
          	// established to. The entity might be changed or information might
          	// be added to it during the livetime of a connection. Access to
          	// entity must be guarded by the connection lock.
          	Entity *intel.Entity
          	// Verdict is the final decision that has been made for a connection.
          	// The verdict may change so any access to it must be guarded by the
          	// connection lock.
          	Verdict Verdict
          	// Reason holds information justifying the verdict, as well as additional
          	// information about the reason.
          	// Access to Reason must be guarded by the connection lock.
          	Reason Reason
          	// Started holds the number of seconds in UNIX epoch time at which
          	// the connection has been initated and first seen by the portmaster.
          	// Staretd is only every set when creating a new connection object
          	// and is considered immutable afterwards.
          	Started int64
          	// Ended is set to the number of seconds in UNIX epoch time at which
          	// the connection is considered terminated. Ended may be set at any
          	// time so access must be guarded by the connection lock.
          	Ended int64
          	// VerdictPermanent is set to true if the final verdict is permanent
          	// and the connection has been (or will be) handed back to the kernel.
          	// VerdictPermanent may be changed together with the Verdict and Reason
          	// properties and must be guarded using the connection lock.
          	VerdictPermanent bool
          	// Inspecting is set to true if the connection is being inspected
          	// by one or more of the registered inspectors. This property may
          	// be changed during the lifetime of a connection and must be guarded
          	// using the connection lock.
          	Inspecting bool
          	// Tunneled is currently unused and MUST be ignored.
          	Tunneled bool
          	// Encrypted is currently unused and MUST be ignored.
          	Encrypted bool
          	// ProcessContext holds additional information about the process
          	// that iniated the connection. It is set once when the connection
          	// object is created and is considered immutable afterwards.
          	ProcessContext ProcessContext
          	// Internal is set to true if the connection is attributed as an
          	// Portmaster internal connection. Internal may be set at different
          	// points and access to it must be guarded by the connection lock.
          	Internal bool
          
          	// ProfileRevisionCounter is used to track changes to the process
          	// profile and required for correct re-evaluation of a connections
          	// verdict.
          	ProfileRevisionCounter uint64
          	// contains filtered or unexported fields
          }

            Connection describes a distinct physical network connection identified by the IP/Port pair.

            func GetConnection

            func GetConnection(id string) (*Connection, bool)

              GetConnection fetches a Connection from the database.

              func NewConnectionFromDNSRequest

              func NewConnectionFromDNSRequest(ctx context.Context, fqdn string, cnames []string, localIP net.IP, localPort uint16) *Connection

                NewConnectionFromDNSRequest returns a new connection based on the given dns request.

                func NewConnectionFromExternalDNSRequest

                func NewConnectionFromExternalDNSRequest(ctx context.Context, fqdn string, cnames []string, remoteIP net.IP) (*Connection, error)

                func NewConnectionFromFirstPacket

                func NewConnectionFromFirstPacket(pkt packet.Packet) *Connection

                  NewConnectionFromFirstPacket returns a new connection based on the given packet.

                  func (*Connection) Accept

                  func (conn *Connection) Accept(reason, reasonOptionKey string)

                    Accept is like AcceptWithContext but only accepts a reason.

                    func (*Connection) AcceptWithContext

                    func (conn *Connection) AcceptWithContext(reason, reasonOptionKey string, ctx interface{})

                      AcceptWithContext accepts the connection.

                      func (*Connection) Block

                      func (conn *Connection) Block(reason, reasonOptionKey string)

                        Block is like BlockWithContext but does only accepts a reason.

                        func (*Connection) BlockWithContext

                        func (conn *Connection) BlockWithContext(reason, reasonOptionKey string, ctx interface{})

                          BlockWithContext blocks the connection.

                          func (*Connection) Deny

                          func (conn *Connection) Deny(reason, reasonOptionKey string)

                            Deny is like DenyWithContext but only accepts a reason.

                            func (*Connection) DenyWithContext

                            func (conn *Connection) DenyWithContext(reason, reasonOptionKey string, ctx interface{})

                              DenyWithContext blocks or drops the link depending on the connection direction.

                              func (*Connection) Drop

                              func (conn *Connection) Drop(reason, reasonOptionKey string)

                                Drop is like DropWithContext but does only accepts a reason.

                                func (*Connection) DropWithContext

                                func (conn *Connection) DropWithContext(reason, reasonOptionKey string, ctx interface{})

                                  DropWithContext drops the connection.

                                  func (*Connection) Failed

                                  func (conn *Connection) Failed(reason, reasonOptionKey string)

                                    Failed is like FailedWithContext but only accepts a string.

                                    func (*Connection) FailedWithContext

                                    func (conn *Connection) FailedWithContext(reason, reasonOptionKey string, ctx interface{})

                                      FailedWithContext marks the connection with VerdictFailed and stores the reason.

                                      func (*Connection) GetActiveInspectors

                                      func (conn *Connection) GetActiveInspectors() []bool

                                        GetActiveInspectors returns the list of active inspectors.

                                        func (*Connection) GetExtraRRs

                                        func (conn *Connection) GetExtraRRs(ctx context.Context, request *dns.Msg) []dns.RR

                                          GetExtraRRs returns a slice of RRs with additional informational records.

                                          func (*Connection) GetInspectorData

                                          func (conn *Connection) GetInspectorData() map[uint8]interface{}

                                            GetInspectorData returns the list of inspector data.

                                            func (*Connection) HandlePacket

                                            func (conn *Connection) HandlePacket(pkt packet.Packet)

                                              HandlePacket queues packet of Link for handling

                                              func (*Connection) Process

                                              func (conn *Connection) Process() *process.Process

                                                Process returns the connection's process.

                                                func (*Connection) ReplyWithDNS

                                                func (conn *Connection) ReplyWithDNS(ctx context.Context, request *dns.Msg) *dns.Msg

                                                  ReplyWithDNS creates a new reply to the given request with the data from the RRCache, and additional informational records.

                                                  func (*Connection) Save

                                                  func (conn *Connection) Save()

                                                    Save saves the connection in the storage and propagates the change through the database system. Save may lock dnsConnsLock or connsLock in if Save() is called the first time. Callers must make sure to lock the connection itself before calling Save().

                                                    func (*Connection) SaveWhenFinished

                                                    func (conn *Connection) SaveWhenFinished()

                                                      SaveWhenFinished marks the connection for saving it after the firewall handler.

                                                      func (*Connection) SetActiveInspectors

                                                      func (conn *Connection) SetActiveInspectors(new []bool)

                                                        SetActiveInspectors sets the list of active inspectors.

                                                        func (*Connection) SetFirewallHandler

                                                        func (conn *Connection) SetFirewallHandler(handler FirewallHandler)

                                                          SetFirewallHandler sets the firewall handler for this link, and starts a worker to handle the packets.

                                                          func (*Connection) SetInspectorData

                                                          func (conn *Connection) SetInspectorData(new map[uint8]interface{})

                                                            SetInspectorData set the list of inspector data.

                                                            func (*Connection) SetVerdict

                                                            func (conn *Connection) SetVerdict(newVerdict Verdict, reason, reasonOptionKey string, reasonCtx interface{}) (ok bool)

                                                              SetVerdict sets a new verdict for the connection, making sure it does not interfere with previous verdicts.

                                                              func (*Connection) StopFirewallHandler

                                                              func (conn *Connection) StopFirewallHandler()

                                                                StopFirewallHandler unsets the firewall handler and stops the handler worker.

                                                                func (*Connection) String

                                                                func (conn *Connection) String() string

                                                                  String returns a string representation of conn.

                                                                  type FirewallHandler

                                                                  type FirewallHandler func(conn *Connection, pkt packet.Packet)

                                                                    FirewallHandler defines the function signature for a firewall handle function. A firewall handler is responsible for finding a reasonable verdict for the connection conn. The connection is locked before the firewall handler is called.

                                                                    type ProcessContext

                                                                    type ProcessContext struct {
                                                                    	// ProcessName is the name of the process.
                                                                    	ProcessName string
                                                                    	//ProfileName is the name of the profile.
                                                                    	ProfileName string
                                                                    	// BinaryPath is the path to the process binary.
                                                                    	BinaryPath string
                                                                    	// PID i the process identifier.
                                                                    	PID int
                                                                    	// Profile is the ID of the main profile that
                                                                    	// is applied to the process.
                                                                    	Profile string
                                                                    	// Source is the source of the profile.
                                                                    	Source string
                                                                    }

                                                                      ProcessContext holds additional information about the process that iniated a connection.

                                                                      type Reason

                                                                      type Reason struct {
                                                                      	// Msg is a human readable description of the reason.
                                                                      	Msg string
                                                                      	// OptionKey is the configuration option key of the setting that
                                                                      	// was responsible for the verdict.
                                                                      	OptionKey string
                                                                      	// Profile is the database key of the profile that held the setting
                                                                      	// that was responsible for the verdict.
                                                                      	Profile string
                                                                      	// ReasonContext may hold additional reason-specific information and
                                                                      	// any access must be guarded by the connection lock.
                                                                      	Context interface{}
                                                                      }

                                                                        Reason holds information justifying a verdict, as well as additional information about the reason.

                                                                        type StorageInterface

                                                                        type StorageInterface struct {
                                                                        	storage.InjectBase
                                                                        }

                                                                          StorageInterface provices a storage.Interface to the configuration manager.

                                                                          func (*StorageInterface) Get

                                                                          func (s *StorageInterface) Get(key string) (record.Record, error)

                                                                            Get returns a database record.

                                                                            func (*StorageInterface) Query

                                                                            func (s *StorageInterface) Query(q *query.Query, local, internal bool) (*iterator.Iterator, error)

                                                                              Query returns a an iterator for the supplied query.

                                                                              type Verdict

                                                                              type Verdict int8

                                                                                Verdict describes the decision made about a connection or link.

                                                                                const (
                                                                                	// VerdictUndecided is the default status of new connections.
                                                                                	VerdictUndecided           Verdict = 0
                                                                                	VerdictUndeterminable      Verdict = 1
                                                                                	VerdictAccept              Verdict = 2
                                                                                	VerdictBlock               Verdict = 3
                                                                                	VerdictDrop                Verdict = 4
                                                                                	VerdictRerouteToNameserver Verdict = 5
                                                                                	VerdictRerouteToTunnel     Verdict = 6
                                                                                	VerdictFailed              Verdict = 7
                                                                                )

                                                                                  All possible verdicts that can be applied to a network connection.

                                                                                  func (Verdict) String

                                                                                  func (v Verdict) String() string

                                                                                  func (Verdict) Verb

                                                                                  func (v Verdict) Verb() string

                                                                                    Verb returns the verdict as a past tense verb.

                                                                                    Directories

                                                                                    Path Synopsis