enforcer

package
v0.0.0-...-36f1a77
Published: Nov 1, 2016 License: GPL-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

const (
	// TCPAuthenticationOptionBaseLen specifies the length of base TCP Authentication Option packet
	TCPAuthenticationOptionBaseLen = 4
	// TCPAuthenticationOptionAckLen specifies the length of TCP Authentication Option in the ack packet
	TCPAuthenticationOptionAckLen = 20
	// PortNumberLabelString is the label to use for port numbers
	PortNumberLabelString = "@port"
)
const (
	// DefaultNumberOfQueues  is the default number of queues used in NFQUEUE
	DefaultNumberOfQueues = 4
	// DefaultApplicationQueue represents the queue for application packets
	DefaultApplicationQueue = 0
	// DefaultNetworkQueue represents the queue for the network packets
	DefaultNetworkQueue = 4
	// DefaultQueueSize is the size of the queues
	DefaultQueueSize = 100
)

Default parameters for the NFQUEUE configuration. Parameters can be changed after an isolator has been created and before it is started. Changing parameters after the isolator is started has no effect.

Variables

var (
	// TransmitterLabel is the name of the label used to identify the Transmitter Context
	TransmitterLabel = "AporetoContextID"
)

Functions

This section is empty.

Types

type Connection

type Connection struct {
	State           FlowState
	LocalContext    []byte
	RemoteContext   []byte
	LocalContextID  string
	RemoteContextID string
	RemotePublicKey interface{}
}

Connection keeps information about a connection

func NewConnection

func NewConnection() *Connection

NewConnection creates the state information for a new connection

type FilterQueue

type FilterQueue struct {
	// NetworkQueue is the queue number of the base queue for network packets
	NetworkQueue uint16
	// NetworkQueueSize is the size of the network queue
	NetworkQueueSize uint32
	// NumberOfNetworkQueues is the number of network queues allocated
	NumberOfNetworkQueues uint16
	// ApplicationQueue is the queue number of the first application queue
	ApplicationQueue uint16
	// ApplicationQueueSize is the size of the application queue
	ApplicationQueueSize uint32
	// NumberOfApplicationQueues is the number of queues that must be allocated
	NumberOfApplicationQueues uint16
}

FilterQueue captures all the configuration parameters of the NFQUEUEs

type FlowState

type FlowState int

FlowState identifies the constants for the state of a connection

const (

	// SynSend is the state where the Syn packet has been sent, but no response has been received
	SynSend FlowState = iota

	// SynReceived indicates that the Syn packet has been received
	SynReceived

	// SynAckSend indicates that the SynAck packet has been sent
	SynAckSend

	// SynAckReceived is the state where the SynAck has been received
	SynAckReceived

	// AckSend indicates that the Ack packet has been sent
	AckSend

	// AckProcessed is the state where the negotiation has been completed
	AckProcessed
)

type PUContext

type PUContext struct {
	ID   string
	Tags policy.TagsMap

	Extension interface{}
	// contains filtered or unexported fields
}

PUContext holds data indexed by the docker ID

type PacketProcessor

type PacketProcessor interface {

	// PreProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
	PreProcessTCPAppPacket(pkt interface{}) bool

	// PostProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
	PostProcessTCPAppPacket(pkt interface{}, action interface{}) bool

	// PreProcessTCPNetPacket will be called for network packets and return value of false means drop packet
	PreProcessTCPNetPacket(pkt interface{}) bool

	// PostProcessTCPNetPacket will be called for network packets and return value of false means drop packet
	PostProcessTCPNetPacket(pkt interface{}, action interface{}) bool
}

PacketProcessor is an interface implemented to stitch into our enforcer

type PacketStats

type PacketStats struct {
	IncomingPackets uint32
	OutgoingPackets uint32

	CreateDropPackets      uint32
	AuthDropPackets        uint32
	ServicePreDropPackets  uint32
	ServicePostDropPackets uint32
}

PacketStats holds the per-interface packet counters
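As an added example (not code from the enforcer package itself), the following shows how a service plugged in through the PacketProcessor hooks above interacts with the PacketStats drop counters. It re-declares the network-side hooks and the counters locally so it compiles stand-alone; the hook order Pre -> authentication -> Post, the `Packet` type, the `portGuard` hook and the `auth` callback are assumptions made for illustration.

```go
package main

// PacketProcessor and PacketStats are re-declared here (network hooks only)
// so the example compiles stand-alone; they mirror the page's definitions.
type PacketProcessor interface {
	PreProcessTCPNetPacket(pkt interface{}) bool
	PostProcessTCPNetPacket(pkt interface{}, action interface{}) bool
}
type PacketStats struct {
	IncomingPackets, AuthDropPackets              uint32
	ServicePreDropPackets, ServicePostDropPackets uint32
}

// Packet is a constructed stand-in for the enforcer's parsed TCP packet;
// Token stands in for the identity token carried in the TCP option.
type Packet struct {
	DstPort uint16
	Token   string
}

// portGuard is a hypothetical service hook: Pre drops traffic to a denied
// port, Post drops when the resolved policy action is "reject".
type portGuard struct{ denied map[uint16]bool }

func (g portGuard) PreProcessTCPNetPacket(pkt interface{}) bool {
	p, ok := pkt.(*Packet)
	return ok && !g.denied[p.DstPort]
}
func (g portGuard) PostProcessTCPNetPacket(_ interface{}, action interface{}) bool {
	return action != "reject"
}

// HandleNetPacket applies the assumed hook order Pre -> auth -> Post and
// attributes each drop to the matching PacketStats counter; auth stands in
// for token validation and returns the policy action to apply.
func HandleNetPacket(proc PacketProcessor, stats *PacketStats, pkt *Packet,
	auth func(*Packet) (interface{}, bool)) bool {
	stats.IncomingPackets++
	if !proc.PreProcessTCPNetPacket(pkt) {
		stats.ServicePreDropPackets++ // service vetoed before authentication
		return false
	}
	action, ok := auth(pkt)
	if !ok {
		stats.AuthDropPackets++ // token did not validate
		return false
	}
	if !proc.PostProcessTCPNetPacket(pkt, action) {
		stats.ServicePostDropPackets++ // service vetoed the resolved action
		return false
	}
	return true
}
```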

type PolicyEnforcer

type PolicyEnforcer interface {

	// Enforce starts enforcing policies for the given policy.PUInfo.
	Enforce(contextID string, puInfo *policy.PUInfo) error

	// Unenforce stops enforcing policy for the given contextID.
	Unenforce(contextID string) error

	// GetFilterQueue returns the current FilterQueueConfig.
	GetFilterQueue() *FilterQueue

	// Start starts the PolicyEnforcer.
	Start() error

	// Stop stops the PolicyEnforcer.
	Stop() error
}

A PolicyEnforcer implements the enforcer that modifies and analyzes the captured packets

func NewDatapathEnforcer

func NewDatapathEnforcer(
	mutualAuth bool,
	filterQueue *FilterQueue,
	collector collector.EventCollector,
	service PacketProcessor,
	secrets tokens.Secrets,
	serverID string,
	validity time.Duration,
) PolicyEnforcer

NewDatapathEnforcer will create a new data path structure. It instantiates the data stores needed to track sessions. The data path is started with a separate call. Only the required parameters must be provided; the rest are pre-populated with defaults.

func NewDefaultDatapathEnforcer

func NewDefaultDatapathEnforcer(
	serverID string,
	collector collector.EventCollector,
	secrets tokens.Secrets,
) PolicyEnforcer

NewDefaultDatapathEnforcer creates a new data path with default settings for most parameters

type PublicKeyAdder

type PublicKeyAdder interface {

	// PublicKeyAdd adds the given cert for the given host.
	PublicKeyAdd(host string, cert []byte) error
}

PublicKeyAdder registers a public key for a Node.

type TestPolicyEnforcer

type TestPolicyEnforcer interface {
	PolicyEnforcer
	MockEnforce(t *testing.T, impl func(contextID string, puInfo *policy.PUInfo) error)
	MockUnenforce(t *testing.T, impl func(ip string) error)
	MockGetFilterQueue(t *testing.T, impl func() *FilterQueue)
	MockStart(t *testing.T, impl func() error)
	MockStop(t *testing.T, impl func() error)
}

TestPolicyEnforcer is a PolicyEnforcer whose methods can be mocked in tests

func NewTestPolicyEnforcer

func NewTestPolicyEnforcer() TestPolicyEnforcer

NewTestPolicyEnforcer returns a new TestPolicyEnforcer.

type TestPublicKeyAdder

type TestPublicKeyAdder interface {
	PublicKeyAdder
	MockPublicKeyAdd(t *testing.T, impl func(host string, cert []byte) error)
}

TestPublicKeyAdder is a PublicKeyAdder whose PublicKeyAdd method can be mocked in tests

func NewTestPublicKeyAdder

func NewTestPublicKeyAdder() TestPublicKeyAdder

NewTestPublicKeyAdder returns a new TestPublicKeyAdder.

Directories

Path: netfilter. Synopsis: Package netfilter provides Go bindings for libnetfilter_queue. This library provides access to packets in the IPTables netfilter queue (NFQUEUE).
Path: packet. Synopsis: Package packet supports the TCP/IP packet manipulations needed by the Aporeto infrastructure.
