Back to

Package enforcer

Latest Go to latest

The latest major version is .

Published: Jul 8, 2020 | License: Apache-2.0 | Module:


type DebugInfo

type DebugInfo interface {
	//  EnableDatapathPacketTracing will enable tracing of packets received by the datapath for a particular PU. Setting Disabled as tracing direction will stop tracing for the contextID
	EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error

	// EnablePacketTracing enable iptables -j trace for the particular pu and is much wider packet stream.
	EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error

	// Ping runs ping based on the given config.
	Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error

DebugInfo is interface to implement methods to configure datapath packet tracing in the nfqdatapath

type Enforcer

type Enforcer interface {

	// Enforce starts enforcing policies for the given policy.PUInfo.
	Enforce(contextID string, puInfo *policy.PUInfo) error

	// Unenforce stops enforcing policy for the given IP.
	Unenforce(contextID string) error

	// GetFilterQueue returns the current FilterQueueConfig.
	GetFilterQueue() *fqconfig.FilterQueue

	// GetBPFObject returns the bpf pobject
	GetBPFObject() ebpf.BPFModule

	// Run starts the PolicyEnforcer.
	Run(ctx context.Context) error

	// UpdateSecrets -- updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
	UpdateSecrets(secrets secrets.Secrets) error

	// SetTargetNetworks sets the target network configuration of the controllers.
	SetTargetNetworks(cfg *runtime.Configuration) error

	// SetLogLevel sets log level.
	SetLogLevel(level constants.LogLevel) error

	// Cleanup request a clean up of the controllers.
	CleanUp() error


A Enforcer is an implementation of the enforcer datapath. The interface can be implemented by one or multiple datapaths.

func New

func New(
	mutualAuthorization bool,
	fqConfig *fqconfig.FilterQueue,
	collector collector.EventCollector,
	service packetprocessor.PacketProcessor,
	secrets secrets.Secrets,
	serverID string,
	validity time.Duration,
	mode constants.ModeType,
	procMountPoint string,
	externalIPCacheTimeout time.Duration,
	packetLogs bool,
	cfg *runtime.Configuration,
	tokenIssuer common.ServiceTokenIssuer,
	binaryTokens bool,
	aclmanager ipsetmanager.ACLManager,
	isBPFEnabled bool,
	agentVersion semver.Version,
) (Enforcer, error)

New returns a new policy enforcer that implements both the data paths.

func NewWithDefaults

func NewWithDefaults(
	serverID string,
	collector collector.EventCollector,
	service packetprocessor.PacketProcessor,
	secrets secrets.Secrets,
	mode constants.ModeType,
	procMountPoint string,
	targetNetworks []string,
	aclmanager ipsetmanager.ACLManager,
) Enforcer

NewWithDefaults create a new data path with most things used by default

Package Files

Documentation was rendered with GOOS=linux and GOARCH=amd64.

Jump to identifier

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to identifier