Documentation

Index

Constants

View Source
const (

	// RejectReported represents that flow was reported as rejected
	RejectReported bool = true

	// AcceptReported represents that flow was reported as accepted
	AcceptReported bool = false
)
View Source
const (
	// TCPAuthenticationOptionBaseLen specifies the length of base TCP Authentication Option packet
	TCPAuthenticationOptionBaseLen = 4
	// TCPAuthenticationOptionAckLen specifies the length of TCP Authentication Option in the ack packet
	TCPAuthenticationOptionAckLen = 20
	// PortNumberLabelString is the label to use for port numbers
	PortNumberLabelString = "$sys:port"
	// TransmitterLabel is the name of the label used to identify the Transmitter Context
	TransmitterLabel = "AporetoContextID"
	// DefaultNetwork to be used
	DefaultNetwork = "0.0.0.0/0"
)
View Source
const DefaultExternalIPTimeout = "500ms"

    DefaultExternalIPTimeout is the default used for the cache for External IPTimeout.

    Variables

    View Source
    var (
    	// TraceLogging provides very high level of detail logs for connections
    	TraceLogging int
    )

    Functions

    func TCPConnectionExpirationNotifier

    func TCPConnectionExpirationNotifier(c cache.DataStore, id interface{}, item interface{})

      TCPConnectionExpirationNotifier handles processing the expiration of an element

      Types

      type AuthInfo

      type AuthInfo struct {
      	LocalContext    []byte
      	RemoteContext   []byte
      	RemoteContextID string
      	RemotePublicKey interface{}
      	RemoteIP        string
      	RemotePort      string
      }

        AuthInfo keeps authentication information about a connection

        type Datapath

        type Datapath struct {
        	// contains filtered or unexported fields
        }

          Datapath is the structure holding all information about a connection filter

          func (*Datapath) Enforce

          func (d *Datapath) Enforce(contextID string, puInfo *policy.PUInfo) error

            Enforce implements the Enforce interface method and configures the data path for a new PU

            func (*Datapath) GetFilterQueue

            func (d *Datapath) GetFilterQueue() *fqconfig.FilterQueue

              GetFilterQueue returns the filter queues used by the data path

              func (*Datapath) Start

              func (d *Datapath) Start() error

                Start starts the application and network interceptors

                func (*Datapath) Stop

                func (d *Datapath) Stop() error

                  Stop stops the enforcer

                  func (*Datapath) Unenforce

                  func (d *Datapath) Unenforce(contextID string) error

                    Unenforce removes the configuration for the given PU

                    type PUContext

                    type PUContext struct {
                    	ID              string
                    	ManagementID    string
                    	Identity        *policy.TagStore
                    	Annotations     *policy.TagStore
                    	AcceptTxtRules  *lookup.PolicyDB
                    	RejectTxtRules  *lookup.PolicyDB
                    	AcceptRcvRules  *lookup.PolicyDB
                    	RejectRcvRules  *lookup.PolicyDB
                    	ApplicationACLs *acls.ACLCache
                    	NetworkACLS     *acls.ACLCache
                    
                    	Extension interface{}
                    	IP        string
                    	Mark      string
                    	Ports     []string
                    	PUType    constants.PUType
                    
                    	sync.Mutex
                    	// contains filtered or unexported fields
                    }

                      PUContext holds data indexed by the PU ID

                      type PacketProcessor

                      type PacketProcessor interface {
                      	// Initialize  initializes the secrets of the processor
                      	Initialize(s secrets.Secrets, fq *fqconfig.FilterQueue)
                      
                      	// PreProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
                      	PreProcessTCPAppPacket(p *packet.Packet, context *PUContext, conn *TCPConnection) bool
                      
                      	// PostProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
                      	PostProcessTCPAppPacket(p *packet.Packet, action interface{}, context *PUContext, conn *TCPConnection) bool
                      
                      	// PreProcessTCPNetPacket will be called for network packets and return value of false means drop packet
                      	PreProcessTCPNetPacket(p *packet.Packet, context *PUContext, conn *TCPConnection) bool
                      
                      	// PostProcessTCPNetPacket will be called for network packets and return value of false means drop packet
                      	PostProcessTCPNetPacket(p *packet.Packet, action interface{}, claims *tokens.ConnectionClaims, context *PUContext, conn *TCPConnection) bool
                      }

                        PacketProcessor is an interface implemented to stitch into our enforcer

                        type PolicyEnforcer

                        type PolicyEnforcer interface {
                        
                        	// Enforce starts enforcing policies for the given policy.PUInfo.
                        	Enforce(contextID string, puInfo *policy.PUInfo) error
                        
                        	// Unenforce stops enforcing policy for the given IP.
                        	Unenforce(contextID string) error
                        
                        	// GetFilterQueue returns the current FilterQueueConfig.
                        	GetFilterQueue() *fqconfig.FilterQueue
                        
                        	// Start starts the PolicyEnforcer.
                        	Start() error
                        
                        	// Stop stops the PolicyEnforcer.
                        	Stop() error
                        }

                          A PolicyEnforcer is implementing the enforcer that will modify//analyze the capture packets

                          func New

                          func New(
                          	mutualAuth bool,
                          	filterQueue *fqconfig.FilterQueue,
                          	collector collector.EventCollector,
                          	service PacketProcessor,
                          	secrets secrets.Secrets,
                          	serverID string,
                          	validity time.Duration,
                          	mode constants.ModeType,
                          	procMountPoint string,
                          	externalIPCacheTimeout time.Duration,
                          ) PolicyEnforcer

                            New will create a new data path structure. It instantiates the data stores needed to track sessions. The data path is started with a different call. Only required parameters must be provided. Rest a pre-populated with defaults.

                            func NewWithDefaults

                            func NewWithDefaults(
                            	serverID string,
                            	collector collector.EventCollector,
                            	service PacketProcessor,
                            	secrets secrets.Secrets,
                            	mode constants.ModeType,
                            	procMountPoint string,
                            ) PolicyEnforcer

                              NewWithDefaults create a new data path with most things used by default

                              type PublicKeyAdder

                              type PublicKeyAdder interface {
                              
                              	// PublicKeyAdd adds the given cert for the given host.
                              	PublicKeyAdd(host string, cert []byte) error
                              }

                                PublicKeyAdder register a publicKey for a Node.

                                type TCPConnection

                                type TCPConnection struct {
                                	sync.Mutex
                                
                                	Auth AuthInfo
                                
                                	// ServiceData allows services to associate state with a connection
                                	ServiceData interface{}
                                
                                	// Context is the PUContext that is associated with this connection
                                	// Minimizes the number of caches and lookups
                                	Context *PUContext
                                
                                	// TimeOut signals the timeout to be used by the state machines
                                	TimeOut time.Duration
                                
                                	// ServiceConnection indicates that this connection is handled by a service
                                	ServiceConnection bool
                                
                                	// FlowPolicy holds the last matched policy
                                	FlowPolicy *policy.FlowPolicy
                                	// contains filtered or unexported fields
                                }

                                  TCPConnection is information regarding TCP Connection

                                  func NewTCPConnection

                                  func NewTCPConnection() *TCPConnection

                                    NewTCPConnection returns a TCPConnection information struct

                                    func (*TCPConnection) Cleanup

                                    func (c *TCPConnection) Cleanup(expiration bool)

                                      Cleanup will provide information when a connection is removed by a timer.

                                      func (*TCPConnection) GetState

                                      func (c *TCPConnection) GetState() TCPFlowState

                                        GetState is used to return the state

                                        func (*TCPConnection) SetPacketInfo

                                        func (c *TCPConnection) SetPacketInfo(flowHash, tcpFlags string)

                                          SetPacketInfo is used to setup the state for the TCP connection

                                          func (*TCPConnection) SetReported

                                          func (c *TCPConnection) SetReported(flowState bool)

                                            SetReported is used to track if a flow is reported

                                            func (*TCPConnection) SetState

                                            func (c *TCPConnection) SetState(state TCPFlowState)

                                              SetState is used to setup the state for the TCP connection

                                              func (*TCPConnection) String

                                              func (c *TCPConnection) String() string

                                                String returns a printable version of connection

                                                type TCPFlowState

                                                type TCPFlowState int

                                                  TCPFlowState identifies the constants of the state of a TCP connectioncon

                                                  const (
                                                  
                                                  	// TCPSynSend is the state where the Syn packets has been send, but no response has been received
                                                  	TCPSynSend TCPFlowState = iota
                                                  
                                                  	// TCPSynReceived indicates that the syn packet has been received
                                                  	TCPSynReceived
                                                  
                                                  	// TCPSynAckSend indicates that the SynAck packet has been send
                                                  	TCPSynAckSend
                                                  
                                                  	// TCPSynAckReceived is the state where the SynAck has been received
                                                  	TCPSynAckReceived
                                                  
                                                  	// TCPAckSend indicates that the ack packets has been sent
                                                  	TCPAckSend
                                                  
                                                  	// TCPAckProcessed is the state that the negotiation has been completed
                                                  	TCPAckProcessed
                                                  
                                                  	// TCPData indicates that the packets are now data packets
                                                  	TCPData
                                                  )

                                                  type TestPolicyEnforcer

                                                  type TestPolicyEnforcer interface {
                                                  	PolicyEnforcer
                                                  	MockEnforce(t *testing.T, impl func(contextID string, puInfo *policy.PUInfo) error)
                                                  	MockUnenforce(t *testing.T, impl func(ip string) error)
                                                  	MockGetFilterQueue(t *testing.T, impl func() *fqconfig.FilterQueue)
                                                  	MockStart(t *testing.T, impl func() error)
                                                  	MockStop(t *testing.T, impl func() error)
                                                  }

                                                    TestPolicyEnforcer vxcv

                                                    func NewTestPolicyEnforcer

                                                    func NewTestPolicyEnforcer() TestPolicyEnforcer

                                                      NewTestPolicyEnforcer returns a new TestManipulator.

                                                      type TestPublicKeyAdder

                                                      type TestPublicKeyAdder interface {
                                                      	PublicKeyAdder
                                                      	MockPublicKeyAdd(t *testing.T, impl func(host string, cert []byte) error)
                                                      }

                                                        TestPublicKeyAdder vxcv

                                                        func NewTestPublicKeyAdder

                                                        func NewTestPublicKeyAdder() TestPublicKeyAdder

                                                          NewTestPublicKeyAdder returns a new TestManipulator.

                                                          Directories

                                                          Path Synopsis
                                                          Package enforcerproxy :: This is the implementation of the RPC client It implements the interface of Trireme Enforcer and forwards these requests to the actual remote enforcer instead of implementing locally
                                                          Package enforcerproxy :: This is the implementation of the RPC client It implements the interface of Trireme Enforcer and forwards these requests to the actual remote enforcer instead of implementing locally
                                                          utils
                                                          packet
                                                          Package packet support for TCP/IP packet manipulations needed by the Aporeto infrastructure.
                                                          Package packet support for TCP/IP packet manipulations needed by the Aporeto infrastructure.
                                                          packetgen
                                                          Package packetgen "PacketGen" is a Packet Generator library Current version: V1.0, Updates are coming soon
                                                          Package packetgen "PacketGen" is a Packet Generator library Current version: V1.0, Updates are coming soon