Showing preview only (4,177K chars total). Download the full file or copy to clipboard to get everything.
Repository: aporeto-inc/trireme
Branch: master
Commit: e77251373ca9
Files: 549
Total size: 3.9 MB
Directory structure:
gitextract_oai4eol3/
├── .github/
│ ├── ISSUE_TEMPLATE.md
│ └── PULL_REQUEST_TEMPLATE.md
├── .gitignore
├── .lint.windows.sh
├── .test.sh
├── .test.windows.sh
├── .travis.yml
├── CONTRIBUTING.md
├── Gopkg.toml
├── LICENSE
├── Makefile
├── NOTICE
├── README.md
├── buildflags/
│ ├── buildflags.go
│ └── buildflags_rhel.go
├── cmd/
│ └── systemdutil/
│ ├── exec.go
│ ├── exec_windows.go
│ └── systemdutil.go
├── collector/
│ ├── default.go
│ ├── default_test.go
│ ├── interfaces.go
│ └── mockcollector/
│ └── mockcollector.go
├── common/
│ ├── events.go
│ ├── hooks.go
│ ├── oauthtokens.go
│ └── service.go
├── controller/
│ ├── config.go
│ ├── config_nonwindows.go
│ ├── config_windows.go
│ ├── constants/
│ │ ├── constants.go
│ │ ├── constants_nonrhel6.go
│ │ ├── constants_rhel6.go
│ │ └── constants_test.go
│ ├── controller.go
│ ├── helpers.go
│ ├── interfaces.go
│ ├── internal/
│ │ ├── enforcer/
│ │ │ ├── acls/
│ │ │ │ ├── acl.go
│ │ │ │ ├── acl_test.go
│ │ │ │ ├── aclcache.go
│ │ │ │ ├── aclcache_test.go
│ │ │ │ ├── icmpacl.go
│ │ │ │ ├── ports.go
│ │ │ │ ├── ports_test.go
│ │ │ │ ├── utils.go
│ │ │ │ └── utils_test.go
│ │ │ ├── apiauth/
│ │ │ │ ├── apiauth.go
│ │ │ │ ├── apiauth_test.go
│ │ │ │ └── types.go
│ │ │ ├── applicationproxy/
│ │ │ │ ├── applicationproxy.go
│ │ │ │ ├── common/
│ │ │ │ │ └── common.go
│ │ │ │ ├── http/
│ │ │ │ │ ├── error_handler.go
│ │ │ │ │ ├── http.go
│ │ │ │ │ ├── ping_http.go
│ │ │ │ │ └── transport.go
│ │ │ │ ├── markedconn/
│ │ │ │ │ ├── mark_linux.go
│ │ │ │ │ ├── mark_windows.go
│ │ │ │ │ ├── markedconn.go
│ │ │ │ │ ├── markedconn_darwin.go
│ │ │ │ │ ├── markedconn_test.go
│ │ │ │ │ ├── markedconn_windows_test.go
│ │ │ │ │ ├── origdest_linux.go
│ │ │ │ │ ├── origdest_windows.go
│ │ │ │ │ ├── platformdata.go
│ │ │ │ │ ├── platformdata_test.go
│ │ │ │ │ └── platformdata_windows.go
│ │ │ │ ├── pingrequest/
│ │ │ │ │ └── pingrequest.go
│ │ │ │ ├── protomux/
│ │ │ │ │ ├── protomux.go
│ │ │ │ │ └── protomux_test.go
│ │ │ │ ├── servicecache/
│ │ │ │ │ ├── servicecache.go
│ │ │ │ │ └── servicecache_test.go
│ │ │ │ ├── serviceregistry/
│ │ │ │ │ ├── serviceregistry.go
│ │ │ │ │ └── serviceregistry_test.go
│ │ │ │ ├── tcp/
│ │ │ │ │ ├── lookup.go
│ │ │ │ │ ├── ping_tcp.go
│ │ │ │ │ ├── tcp.go
│ │ │ │ │ ├── tcp_test.go
│ │ │ │ │ └── verifier/
│ │ │ │ │ ├── testdata/
│ │ │ │ │ │ ├── generate-certs.sh
│ │ │ │ │ │ ├── myca-cert.pem
│ │ │ │ │ │ ├── myclient-bad-cert.pem
│ │ │ │ │ │ ├── myclient-dns-cert.pem
│ │ │ │ │ │ ├── myclient-ip-cert.pem
│ │ │ │ │ │ └── myserver-cert.pem
│ │ │ │ │ ├── verifier.go
│ │ │ │ │ └── verifier_test.go
│ │ │ │ └── tlshelper/
│ │ │ │ └── tlshelper.go
│ │ │ ├── constants/
│ │ │ │ └── constants.go
│ │ │ ├── dnsproxy/
│ │ │ │ ├── common.go
│ │ │ │ ├── dns.go
│ │ │ │ ├── dns_darwin.go
│ │ │ │ ├── dns_linux.go
│ │ │ │ ├── dns_linux_test.go
│ │ │ │ ├── dns_report.go
│ │ │ │ ├── dns_test.go
│ │ │ │ ├── dns_unsupported.go
│ │ │ │ ├── dns_windows.go
│ │ │ │ ├── dns_windows_test.go
│ │ │ │ ├── dnsproxy.go
│ │ │ │ ├── mockdnsproxy/
│ │ │ │ │ └── mockdnsproxy.go
│ │ │ │ └── mutex_map.go
│ │ │ ├── enforcer.go
│ │ │ ├── envoyauthorizer/
│ │ │ │ ├── envoyauthorizerenforcer.go
│ │ │ │ └── envoyproxy/
│ │ │ │ ├── auth_server.go
│ │ │ │ └── sds_server.go
│ │ │ ├── flowstats/
│ │ │ │ └── state.go
│ │ │ ├── lookup/
│ │ │ │ ├── lookup.go
│ │ │ │ └── lookup_test.go
│ │ │ ├── metadata/
│ │ │ │ └── metadata.go
│ │ │ ├── mockenforcer/
│ │ │ │ └── mockenforcer.go
│ │ │ ├── nfqdatapath/
│ │ │ │ ├── afinetrawsocket/
│ │ │ │ │ ├── afinetrawsocket.go
│ │ │ │ │ ├── afinetrawsocket_osx.go
│ │ │ │ │ └── afinetrawsocket_windows.go
│ │ │ │ ├── autoport.go
│ │ │ │ ├── autoport_nonwindows.go
│ │ │ │ ├── autoport_windows.go
│ │ │ │ ├── countererrors.go
│ │ │ │ ├── datapath.go
│ │ │ │ ├── datapath_common_test.go
│ │ │ │ ├── datapath_darwin.go
│ │ │ │ ├── datapath_icmp.go
│ │ │ │ ├── datapath_linux.go
│ │ │ │ ├── datapath_tcp.go
│ │ │ │ ├── datapath_test.go
│ │ │ │ ├── datapath_udp.go
│ │ │ │ ├── datapath_windows.go
│ │ │ │ ├── diagnostics_tcp.go
│ │ │ │ ├── interfaces.go
│ │ │ │ ├── nflog/
│ │ │ │ │ ├── nflog_common.go
│ │ │ │ │ ├── nflog_darwin.go
│ │ │ │ │ ├── nflog_linux.go
│ │ │ │ │ ├── nflog_test.go
│ │ │ │ │ └── nflog_windows.go
│ │ │ │ ├── nfq_darwin.go
│ │ │ │ ├── nfq_linux.go
│ │ │ │ ├── nfq_windows.go
│ │ │ │ ├── nfq_windows_test.go
│ │ │ │ ├── ping_tcp.go
│ │ │ │ ├── ping_test.go
│ │ │ │ ├── test_utils.go
│ │ │ │ ├── test_utils_linux.go
│ │ │ │ ├── tokenaccessor/
│ │ │ │ │ ├── interfaces.go
│ │ │ │ │ ├── mocktokenaccessor/
│ │ │ │ │ │ └── mocktokenaccessor.go
│ │ │ │ │ ├── tokenaccessor.go
│ │ │ │ │ └── tokenaccessor_test.go
│ │ │ │ ├── utils.go
│ │ │ │ └── utils_test.go
│ │ │ ├── proxy/
│ │ │ │ ├── enforcerproxy.go
│ │ │ │ ├── enforcerproxy_test.go
│ │ │ │ └── rpcserver.go
│ │ │ ├── secretsproxy/
│ │ │ │ ├── secretsproxy.go
│ │ │ │ ├── secretsproxy_windows.go
│ │ │ │ └── transformer.go
│ │ │ └── utils/
│ │ │ ├── ephemeralkeys/
│ │ │ │ ├── ephemeralkeys.go
│ │ │ │ ├── interfaces.go
│ │ │ │ └── mockephemeralkeys/
│ │ │ │ └── mockephemeralkeys.go
│ │ │ ├── nsenter/
│ │ │ │ ├── nsenter.c
│ │ │ │ ├── nsenter.go
│ │ │ │ └── nsenter_linux.go
│ │ │ ├── packetgen/
│ │ │ │ ├── interfaces.go
│ │ │ │ ├── packet_gen.go
│ │ │ │ ├── packet_gen_test.go
│ │ │ │ └── packet_templates.go
│ │ │ └── rpcwrapper/
│ │ │ ├── interfaces.go
│ │ │ ├── mockrpcwrapper/
│ │ │ │ └── mockrpcwrapper.go
│ │ │ ├── rpc_handle.go
│ │ │ ├── rpc_handlemock.go
│ │ │ ├── rpc_handletest.go
│ │ │ ├── rpc_testhelper.go
│ │ │ └── types.go
│ │ ├── processmon/
│ │ │ ├── interfaces.go
│ │ │ ├── mockprocessmon/
│ │ │ │ └── mockprocessmon.go
│ │ │ ├── processmon.go
│ │ │ ├── processmon_linux_test.go
│ │ │ ├── processmon_test.go
│ │ │ ├── processmon_windows.go
│ │ │ └── testbinary/
│ │ │ └── testbinary.go
│ │ ├── supervisor/
│ │ │ ├── interfaces.go
│ │ │ ├── iptablesctrl/
│ │ │ │ ├── acls.go
│ │ │ │ ├── acls_darwin.go
│ │ │ │ ├── acls_linux.go
│ │ │ │ ├── acls_nonwindows.go
│ │ │ │ ├── acls_rhel6.go
│ │ │ │ ├── acls_windows.go
│ │ │ │ ├── acls_windows_test.go
│ │ │ │ ├── comparators.go
│ │ │ │ ├── constants_nonwindows.go
│ │ │ │ ├── constants_windows.go
│ │ │ │ ├── icmp_linux.go
│ │ │ │ ├── icmp_linux_test.go
│ │ │ │ ├── icmp_rhel6.go
│ │ │ │ ├── icmp_windows.go
│ │ │ │ ├── instance.go
│ │ │ │ ├── ipsets.go
│ │ │ │ ├── iptables.go
│ │ │ │ ├── iptablesV4_test.go
│ │ │ │ ├── iptablesV6_test.go
│ │ │ │ ├── iptables_linux_test.go
│ │ │ │ ├── iptables_rhel6_test.go
│ │ │ │ ├── iptables_windows_test.go
│ │ │ │ ├── ipv4.go
│ │ │ │ ├── ipv6.go
│ │ │ │ ├── ipv6_nonwindows.go
│ │ │ │ ├── ipv6_windows.go
│ │ │ │ ├── legacyacls.go
│ │ │ │ ├── portset.go
│ │ │ │ ├── rules.go
│ │ │ │ ├── rules_rhel6.go
│ │ │ │ ├── rules_windows.go
│ │ │ │ ├── templates.go
│ │ │ │ └── templates_test.go
│ │ │ ├── mocksupervisor/
│ │ │ │ └── mocksupervisor.go
│ │ │ ├── noop/
│ │ │ │ └── supervisornoop.go
│ │ │ ├── supervisor.go
│ │ │ └── supervisor_test.go
│ │ └── windows/
│ │ ├── rulespec_windows.go
│ │ ├── rulespec_windows_test.go
│ │ └── utils.go
│ ├── mockcontroller/
│ │ └── mocktrireme.go
│ ├── pkg/
│ │ ├── aclprovider/
│ │ │ ├── ipsetprovider.go
│ │ │ ├── ipsetprovider_windows.go
│ │ │ ├── ipsetprovidermock.go
│ │ │ ├── iptablesprovider.go
│ │ │ ├── iptablesprovider_test.go
│ │ │ ├── iptablesprovider_windows.go
│ │ │ └── iptablesprovidermock.go
│ │ ├── auth/
│ │ │ └── auth.go
│ │ ├── bufferpool/
│ │ │ └── bufferpool.go
│ │ ├── claimsheader/
│ │ │ ├── bytes.go
│ │ │ ├── bytes_test.go
│ │ │ ├── claimsheader.go
│ │ │ ├── claimsheader_test.go
│ │ │ ├── constants.go
│ │ │ ├── ct.go
│ │ │ ├── datapath_version.go
│ │ │ ├── options.go
│ │ │ ├── ping_type.go
│ │ │ └── types.go
│ │ ├── cleaner/
│ │ │ └── cleaner.go
│ │ ├── connection/
│ │ │ ├── connection.go
│ │ │ ├── connection_test.go
│ │ │ └── connectioncache.go
│ │ ├── counters/
│ │ │ ├── counters.go
│ │ │ ├── counters_test.go
│ │ │ ├── countertype_string.go
│ │ │ ├── default.go
│ │ │ ├── default_test.go
│ │ │ └── types.go
│ │ ├── dmesgparser/
│ │ │ └── dmesgparser.go
│ │ ├── ebpf/
│ │ │ ├── bpfbuild/
│ │ │ │ └── socket-filter-bpf.go
│ │ │ ├── ebpf_darwin.go
│ │ │ ├── ebpf_linux.go
│ │ │ ├── ebpf_rhel6.go
│ │ │ ├── ebpf_windows.go
│ │ │ └── interface.go
│ │ ├── env/
│ │ │ └── parameters.go
│ │ ├── flowtracking/
│ │ │ ├── flowtracking.go
│ │ │ ├── flowtracking_nonlinux.go
│ │ │ ├── interfaces.go
│ │ │ └── mockflowclient/
│ │ │ └── mockflowclient.go
│ │ ├── fqconfig/
│ │ │ ├── fqconfig.go
│ │ │ └── fqconfig_test.go
│ │ ├── ipsetmanager/
│ │ │ ├── constants_nonwindows.go
│ │ │ ├── constants_windows.go
│ │ │ ├── helpers.go
│ │ │ ├── ipsetmanager.go
│ │ │ ├── ipsetmanager_test.go
│ │ │ ├── ipsetprovider.go
│ │ │ ├── ipsetprovider_windows.go
│ │ │ ├── ipsetprovidermock.go
│ │ │ ├── ipsets.go
│ │ │ └── mock_ipsetmanager/
│ │ │ └── ipsetmanagermock.go
│ │ ├── packet/
│ │ │ ├── constants.go
│ │ │ ├── helpers.go
│ │ │ ├── packet.go
│ │ │ ├── packet_test.go
│ │ │ └── types.go
│ │ ├── packetprocessor/
│ │ │ └── packetprocessor.go
│ │ ├── packettracing/
│ │ │ └── packettracing.go
│ │ ├── pingconfig/
│ │ │ ├── pingconfig.go
│ │ │ └── pingconfig_test.go
│ │ ├── pkiverifier/
│ │ │ ├── pkiverifier.go
│ │ │ └── pkiverifier_test.go
│ │ ├── pucontext/
│ │ │ ├── pucontext.go
│ │ │ └── pucontext_test.go
│ │ ├── remoteenforcer/
│ │ │ ├── interfaces.go
│ │ │ ├── internal/
│ │ │ │ ├── client/
│ │ │ │ │ ├── interfaces.go
│ │ │ │ │ ├── mockclient/
│ │ │ │ │ │ └── mockclient.go
│ │ │ │ │ ├── reportsclient/
│ │ │ │ │ │ └── client.go
│ │ │ │ │ └── statsclient/
│ │ │ │ │ └── client.go
│ │ │ │ ├── statscollector/
│ │ │ │ │ ├── collector.go
│ │ │ │ │ ├── collector_reader.go
│ │ │ │ │ ├── collector_test.go
│ │ │ │ │ ├── collector_trireme.go
│ │ │ │ │ ├── interfaces.go
│ │ │ │ │ └── mockstatscollector/
│ │ │ │ │ └── mockstatscollector.go
│ │ │ │ └── tokenissuer/
│ │ │ │ ├── mocktokenclient/
│ │ │ │ │ └── mocktokenclient.go
│ │ │ │ └── tokenissuer.go
│ │ │ ├── mockremoteenforcer/
│ │ │ │ └── mockremoteenforcer.go
│ │ │ ├── remoteenforcer_linux.go
│ │ │ ├── remoteenforcer_stub.go
│ │ │ ├── remoteenforcer_test.go
│ │ │ └── type.go
│ │ ├── secrets/
│ │ │ ├── compactpki/
│ │ │ │ ├── compactpki.go
│ │ │ │ └── compactpki_test.go
│ │ │ ├── compactpki.go
│ │ │ ├── compactpki_test.go
│ │ │ ├── interfaces.go
│ │ │ ├── mocksecrets/
│ │ │ │ └── mocksecrets.go
│ │ │ ├── null.go
│ │ │ ├── rpc/
│ │ │ │ └── rpc.go
│ │ │ ├── secrets.go
│ │ │ ├── test_utils.go
│ │ │ └── testhelper/
│ │ │ └── testhelper.go
│ │ ├── servicetokens/
│ │ │ └── servicetokens.go
│ │ ├── tokens/
│ │ │ ├── binarycodec.go
│ │ │ ├── binaryjwt.go
│ │ │ ├── binaryjwt314.go
│ │ │ ├── binaryjwt500.go
│ │ │ ├── binaryjwt_test.go
│ │ │ ├── binaryjwtclaimtypes.go
│ │ │ ├── errors.go
│ │ │ ├── jwt.go
│ │ │ ├── jwt_test.go
│ │ │ ├── mocktokens/
│ │ │ │ └── mocktokens.go
│ │ │ └── tokens.go
│ │ ├── urisearch/
│ │ │ ├── urisearch.go
│ │ │ └── urisearch_test.go
│ │ └── usertokens/
│ │ ├── common/
│ │ │ ├── common.go
│ │ │ └── common_test.go
│ │ ├── mockusertokens/
│ │ │ └── mockusertokens.go
│ │ ├── oidc/
│ │ │ └── oidc.go
│ │ ├── pkitokens/
│ │ │ ├── jwt.go
│ │ │ ├── jwt_test.go
│ │ │ ├── publickeys.go
│ │ │ └── publickeys_test.go
│ │ └── usertokens.go
│ └── runtime/
│ └── runtime.go
├── doc.go
├── docs/
│ ├── README.md
│ ├── docker_host_networks.md
│ ├── linux_processes.md
│ ├── policy_design.md
│ ├── secure-application_segmentation.md
│ └── trireme_architecture.md
├── fix_bpf
├── mockgen.sh
├── monitor/
│ ├── api/
│ │ └── spec/
│ │ ├── Makefile
│ │ └── protos/
│ │ ├── monitor.pb.go
│ │ └── monitor.proto
│ ├── config/
│ │ └── config.go
│ ├── constants/
│ │ └── constants.go
│ ├── external/
│ │ ├── interfaces.go
│ │ └── mockexternal/
│ │ └── mockinterfaces.go
│ ├── extractors/
│ │ ├── constants.go
│ │ ├── constants_windows.go
│ │ ├── docker.go
│ │ ├── docker_test.go
│ │ ├── error.go
│ │ ├── error_test.go
│ │ ├── interface.go
│ │ ├── kubernetes.go
│ │ ├── kubernetes_test.go
│ │ ├── linux.go
│ │ ├── linux_test.go
│ │ ├── ssh.go
│ │ ├── ssh_test.go
│ │ ├── testdata/
│ │ │ └── curl
│ │ ├── uid.go
│ │ ├── uid_test.go
│ │ ├── util.go
│ │ ├── windows.go
│ │ └── windows_test.go
│ ├── interfaces.go
│ ├── internal/
│ │ ├── cni/
│ │ │ ├── extractor.go
│ │ │ ├── monitor.go
│ │ │ └── processor.go
│ │ ├── docker/
│ │ │ ├── config.go
│ │ │ ├── helpers.go
│ │ │ ├── helpers_test.go
│ │ │ ├── mockdocker/
│ │ │ │ └── mockdocker.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_linux_test.go
│ │ │ ├── monitor_test.go
│ │ │ └── types.go
│ │ ├── k8s/
│ │ │ ├── config.go
│ │ │ ├── event_handler.go
│ │ │ ├── event_handler_test.go
│ │ │ ├── event_retry_handler.go
│ │ │ ├── event_retry_handler_test.go
│ │ │ ├── helpers_test.go
│ │ │ ├── mocks_pod_cache_test.go
│ │ │ ├── mocks_runtime_cache_test.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── on_startup.go
│ │ │ ├── on_startup_test.go
│ │ │ ├── pod_cache.go
│ │ │ ├── pod_cache_test.go
│ │ │ ├── runtime_cache.go
│ │ │ ├── runtime_cache_linux.go
│ │ │ ├── runtime_cache_test.go
│ │ │ ├── runtime_cache_unsupported.go
│ │ │ ├── runtime_cache_windows.go
│ │ │ └── testdata/
│ │ │ └── kubeconfig
│ │ ├── kubernetes/
│ │ │ ├── DEPRECATED.txt
│ │ │ ├── cache.go
│ │ │ ├── cache_test.go
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ ├── config.go
│ │ │ ├── handler.go
│ │ │ ├── handler_test.go
│ │ │ ├── kubernetes.go
│ │ │ ├── monitor.go
│ │ │ └── monitor_test.go
│ │ ├── linux/
│ │ │ ├── config.go
│ │ │ ├── monitor.go
│ │ │ ├── processor.go
│ │ │ └── processor_test.go
│ │ ├── pod/
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── controller.go
│ │ │ ├── controller_test.go
│ │ │ ├── delete_controller.go
│ │ │ ├── delete_controller_test.go
│ │ │ ├── mockcache_test.go
│ │ │ ├── mockclient_test.go
│ │ │ ├── mockinformer_test.go
│ │ │ ├── mockmanager_test.go
│ │ │ ├── mockzapcore_test.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── resync.go
│ │ │ ├── resync_test.go
│ │ │ ├── testdata/
│ │ │ │ └── kubeconfig
│ │ │ ├── watcher.go
│ │ │ └── watcher_test.go
│ │ ├── uid/
│ │ │ ├── config.go
│ │ │ ├── monitor.go
│ │ │ └── processor.go
│ │ └── windows/
│ │ ├── config.go
│ │ ├── monitor.go
│ │ ├── processor.go
│ │ └── processor_test.go
│ ├── mockmonitor/
│ │ └── mockmonitor.go
│ ├── monitor.go
│ ├── monitor_windows.go
│ ├── options.go
│ ├── options_windows.go
│ ├── processor/
│ │ ├── interfaces.go
│ │ └── mockprocessor/
│ │ └── mockprocessor.go
│ ├── registerer/
│ │ ├── interfaces.go
│ │ ├── registerer.go
│ │ └── registerer_test.go
│ ├── remoteapi/
│ │ ├── client/
│ │ │ ├── client.go
│ │ │ ├── client_nonwindows.go
│ │ │ ├── client_windows.go
│ │ │ ├── interfaces.go
│ │ │ └── mockclient/
│ │ │ └── mockclient.go
│ │ └── server/
│ │ ├── interfaces.go
│ │ ├── server.go
│ │ ├── server_nonwindows.go
│ │ ├── server_test.go
│ │ ├── server_windows.go
│ │ ├── uidlistener.go
│ │ └── uidlistener_nonlinux.go
│ └── server/
│ ├── pipe.go
│ ├── pipe_windows.go
│ └── server.go
├── plugins/
│ └── pam/
│ ├── README.md
│ ├── uidmonitorpam.go
│ └── uidmonitorpam_c.go
├── policy/
│ ├── apiservices.go
│ ├── interfaces.go
│ ├── mockpolicy/
│ │ └── mockpolicy.go
│ ├── policy.go
│ ├── policy_test.go
│ ├── policyerror.go
│ ├── policyerror_test.go
│ ├── puinfo.go
│ ├── runtime.go
│ ├── runtime_test.go
│ ├── tagstore.go
│ ├── tagstore_test.go
│ ├── types.go
│ └── types_test.go
├── protogen.sh
├── scripts/
│ ├── fix_bpf
│ ├── lint.sh
│ ├── lint.windows.sh
│ ├── test.sh
│ └── test.windows.sh
├── third_party/
│ └── generated/
│ └── envoyproxy/
│ └── data-plane-api/
│ └── envoy/
│ ├── api/
│ │ └── v2/
│ │ ├── core/
│ │ │ ├── address.pb.go
│ │ │ ├── base.pb.go
│ │ │ └── http_uri.pb.go
│ │ └── discovery.pb.go
│ ├── service/
│ │ ├── auth/
│ │ │ └── v2/
│ │ │ ├── attribute_context.pb.go
│ │ │ └── external_auth.pb.go
│ │ └── discovery/
│ │ └── v2/
│ │ └── sds.pb.go
│ └── type/
│ ├── http_status.pb.go
│ └── percent.pb.go
└── utils/
├── README.md
├── allocator/
│ ├── allocator.go
│ └── interfaces.go
├── cache/
│ ├── cache.go
│ └── cache_test.go
├── cgnetcls/
│ ├── cgnetcls.go
│ ├── cgnetcls_osx.go
│ ├── cgnetcls_test.go
│ ├── cgnetcls_windows.go
│ ├── constants.go
│ ├── constants_nonwindows.go
│ ├── interfaces.go
│ ├── mockcgnetcls/
│ │ └── mockcgnetcls.go
│ └── netcls.go
├── constants/
│ ├── constants.go
│ ├── constants_linux.go
│ └── constants_rhel6.go
├── cri/
│ ├── common.go
│ ├── cri_client_setup.go
│ ├── cri_client_setup_linux.go
│ ├── cri_client_setup_linux_test.go
│ ├── cri_client_setup_unsupported.go
│ ├── cri_client_setup_windows.go
│ ├── cri_runtime_wrapper.go
│ ├── cri_runtime_wrapper_test.go
│ ├── interface.go
│ └── mockcri/
│ ├── mock_runtime_service.go
│ └── mockinterface.go
├── crypto/
│ ├── crypto.go
│ └── crypto_test.go
├── fqdn/
│ ├── fqdn.go
│ └── fqdn_test.go
├── frontman/
│ ├── driver_windows.go
│ ├── driver_windows_test.go
│ ├── rulecleanup_windows.go
│ ├── rulecleanup_windows_test.go
│ ├── utils_windows.go
│ └── wrapper_windows.go
├── ipprefix/
│ ├── ipprefix.go
│ └── ipprefix_test.go
├── netinterfaces/
│ └── netinterfaces.go
├── nfqparser/
│ ├── constants.go
│ ├── nfqlayout.go
│ ├── nfqparser.go
│ └── nfqparser_test.go
├── portcache/
│ ├── portcache.go
│ └── portcache_test.go
└── portspec/
├── portspec.go
└── portspec_test.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/ISSUE_TEMPLATE.md
================================================
#### Actual behavior
*Description of the actual behavior.*
#### Expected behavior
*Description of the expected behavior.*
#### Steps to reproduce
*Description of the various steps required to reproduce the error.*
#### Solution proposal
*Description of what you thingk would need to be done.*
#### Installation type
- [ ] console.aporeto.com
- [ ] on-prem
- [ ] dev
> Version: ?
> Customer: ?
> ETA: ?
================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
#### Description
*Changes proposed in this pull request.*
#### Test plan
*Outline the test plan used to test this change before merging it.*
> Fixes #.
================================================
FILE: .gitignore
================================================
.DS_Store
example/example
vendor
coverage.txt
controller/internal/processmon/testbinary/testbinary
Gopkg.lock
profile.out
================================================
FILE: .lint.windows.sh
================================================
#!/usr/bin/env bash
# goimports and gofmt complain about cr-lf line endings, so don't run them on
# a Windows machine where git is configured to auto-convert line endings
OS=`uname -s`
if [[ $OS == *"NT-"* ]]; then
GOIMPORTS_OPTION=
GOFMT_OPTION=
else
GOIMPORTS_OPTION=--enable=goimports
GOFMT_OPTION=--enable=gofmt
fi
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 golangci-lint run --deadline=10m --disable-all --exclude-use-default=false --enable=errcheck --enable=ineffassign --enable=govet --enable=golint --enable=unused --enable=structcheck --enable=varcheck --enable=deadcode --enable=unconvert --enable=goconst --enable=gosimple --enable=misspell --enable=staticcheck --enable=unparam --enable=prealloc --enable=nakedret --enable=typecheck $GOIMPORTS_OPTION $GOFMT_OPTION --skip-dirs=vendor/github.com/iovisor ./...
================================================
FILE: .test.sh
================================================
#!/usr/bin/env bash
set -e
echo "" > coverage.txt
./mockgen.sh
./fix_bpf
## FIX ME. go1.14 automatically enables unsafe ptr checks when doing race checks,
## and it is not clear if this is compatible (it is disabled on Windows)
##
## This needs to be revisited and maybe remove "-gcflags=all=-d=checkptr=0" below
## for go1.14 once we determine if there is a real pointer issue in the tests.
##
## this is the file that fails when ptr checking is enabled:
## go.aporeto.io/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn_test.go
##
## to see the failure, test that package individually setting "checkptr=1"
case "$(go version)" in
*1.13*) CHECKPTR="" ;;
*) CHECKPTR="-gcflags=all=-d=checkptr=0" ;;
esac
for d in $(go list ./... | grep -v 'mock|bpf'); do
go test ${CHECKPTR} -race -tags test -coverprofile=profile.out -covermode=atomic $d
if [ -f profile.out ]; then
cat profile.out >> coverage.txt
rm profile.out
fi
done
================================================
FILE: .test.windows.sh
================================================
#!/usr/bin/env bash
# use wine to execute if not running tests on a Windows machine
OS=`uname -s`
if [[ $OS == *"NT-"* ]]; then
WINE_EXEC=
else
WINE_EXEC="-exec wine"
fi
set -e
echo "" > coverage.windows.txt
for d in $(CGO_ENABLED=0 go list ./... | grep -v remoteenforcer | grep -v remoteapi | grep -v "plugins/pam"); do
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go test -tags test $WINE_EXEC -coverprofile=profile.windows.out -covermode=atomic $d
if [ -f profile.windows.out ]; then
cat profile.windows.out >> coverage.windows.txt
rm profile.windows.out
fi
done
================================================
FILE: .travis.yml
================================================
language: go
sudo: required
dist: bionic
go_import_path: go.aporeto.io/trireme-lib
matrix:
include:
- go: "1.13.x"
- go: "1.14.x"
- go: master
allow_failures:
- go: master
fast_finish: true
addons:
apt:
packages:
- libnetfilter-queue-dev
- libnetfilter-log-dev
- iptables
- ipset
- wine-stable
env:
global:
- TOOLS_CMD=golang.org/x/tools/cmd
- PATH=$GOROOT/bin:$PATH
- SUDO_PERMITTED=1
before_install:
- GO111MODULE=on go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.21.0
- GO111MODULE=off go get github.com/golang/dep/cmd/dep
- sudo apt-get -y install wine32
install:
- dep ensure
- ./fix_bpf
- dep status || true
script:
- GO111MODULE=off ./.test.sh
- golangci-lint run --deadline=10m --disable-all --exclude-use-default=false --enable=errcheck --enable=goimports --enable=ineffassign --enable=govet --enable=golint --enable=unused --enable=structcheck --enable=varcheck --enable=deadcode --enable=unconvert --enable=goconst --enable=gosimple --enable=misspell --enable=staticcheck --enable=unparam --enable=prealloc --enable=nakedret --enable=gofmt --enable=typecheck --skip-dirs=vendor/github.com/iovisor ./...
- GO111MODULE=off ./.lint.windows.sh
- GO111MODULE=off ./.test.windows.sh
================================================
FILE: CONTRIBUTING.md
================================================
Contributing
------------
As an open source project, your contributions are important to the future of Trireme. Whether you're looking to write code, add new documentation, or just report a bug, you'll be helping everyone who uses Trireme in the future.
### Reporting Bugs
Filing issues is a simple but very important part of contributing to Trireme. It provides a metric for measuring progress and allows the community to know what is being worked on. "Issues" in the context of the project refer to everything from broken aspects of the framework, to regressions and unimplemented features. Trireme uses [GitHub Issues](https://github.com/aporeto-inc/trireme-lib/issues) for tracking issues!
When opening an issue or a pull request, labels will be applied to it. You can check the Issue and Pull Request Lifecycle [here](https://github.com/aporeto-inc/trireme-lib/wiki/Issue-and-Pull-Request-Lifecycle).
### Contributing to the project
There are always bugs to be fixed and features to be implemented, some large, some small. Fixing even the smallest bug is enormously helpful! If you have something in mind, don't hesitate to create a pull request [here](https://github.com/aporeto-inc/trireme-lib/pulls)!
When contributing to a project you must propose a pull request for each modifications you do.
To do a PR, please follow this instructions :
```bash
git checkout master #make sure your base is the master
git checkout -b nameOfYourNewBranch #create a new branch and start to work locally on this branch
... #do your change
./.test.sh
git add yourFile* #add the files to the commit
git commit #create a beautiful messages for the commit, please follow the guideline below
git push origin nameOfYourNewBranch #push the branch on the remote origin
```
Then we advise to create your PR from the github website, make sure to read your changes again.
More documentation here : https://git-scm.com/documentation
Pull requests will not be accepted if the tests are not passing and if the coverage of the tests has dicreased.
### Coding Guidelines
Go Coding Style Guidelines
You must follow the golint, gofmt guide style when coding in Go. You must also know by heart Effective Go.
Install the linter on your system and add it to your pre-commit hook.
### Do's and don'ts
DO
* Be consistent.
* Use symmetry. If you provide a way to do something, provide a way to undo it.
* All public methods and functions must be commented.
* A comment has a space between // and the first letter.
* A comment starts with a capitalized letter and ends with a final dot.
* Be careful with the commenting. This could be released to GoDoc at anytime.
* An interface or a struct Thing comment should be in the form of "// A Thing is a thing", not "// Thing is a thing"
* Code must go straight to the point. Do not over engineer by thinking "maybe one day". If that day comes, update your code.
* Use short explicit name for variables. "objectThatMayBeCreatedIfEverythingIsFine" is overkill. "obj" is enough. Use best judgement.
* A function must do what its name says. "catchPokemon(pokeball) bool" should not get an int as parameters, and do an addition.
* Organize your packages consistently.
* Skip a line between the function declaration and the first line of code.
* A constructor must use the "return &Struct{a: 1}" pattern, not "newthing:= &Struct{}; thing.a = 1; return a".
* Always provide a way to understand what went wrong or what went well in a function/method. A log is useless.
* A function or method that starts by "Is" or "Are" must return a boolean.
* Order of appearance of methods should be consistent:
* Imports
* Constants (if any)
* Variables (if any)
* Helper functions (if any)
* Main structure
* Constructor (if any)
* Implemented interface methods (if any)
* Public methods (if any)
* Private methods (if any)
DON'T
* Do not write more than a main structure per file.
* Do not ignore returned errors. Never. Handle them, or pass them back. You can use github.com/kisielk/errcheck to help you find them.
* Do not over log. Go philosophy is "no news, good news". Carefully minimize all logs above the "debug" level.
* Do not put logs in a helper functions. Return an error and let the main program decide what to do.
* Don't use new().
* Do not pass entire structure down, because at some point you need one value. Just pass the value. (see "maybe one day" point)
* Do not export methods if they are not used outside of the package (see "maybe one day" point)
* Do not let an unused function in the code, delete it. Use Go Oracle to find the referrers if needed. (if we need it later, git is our friend)
* Do not let Todos hanging in the code forever. Fix them asap.
* Do not overuse wrappers. If a library provides a structure that matches what you need, use it (see "maybe one day" point).
* Do not store duplicate information: a.Name = b.Name, a.B = b. a.B.Name is enough
* Don't use strings. Strings are bad for anything else than giving information to a human. Use a constant or a structure.
* Do not copy and paste business logic code. If you need the same code twice, write a function.
* Do not use map[string]map[string]chan map[string]bool, create a Type.
* Do not pass information through maps. Maps content cannot be controlled by the compiler (see "don't use string" point)
* Do not overused go routines. Remember that if someone wants to thread something, he can use "go" himself. Leave the guy a choice.
* Do not let old naming. If a structure doesn't do what it did in the beginning, rename it. gorename is our friend here.
* Do not paste StackOverflow code without understanding exactly what it does. You should also add a backlink.
### Commit Messages
The style and format of your commit messages are very important to the health of the project. A good commit message helps not only users reading the release notes, but also your fellow developers as they review git log or git blame to figure out what you were doing.
Commit messages should be in the following format:
```
#comments
<type>: <summary>
<body>
<footer>
<transition-state >
```
### Types
* Allowed type values are:
* New — A new feature has been implemented
* Fixed — A bug has been fixed
* Docs — Documentation has been added or tweaked
* Formatting — Code has been reformatted to conform to style guidelines
* Test — Test cases have been added
* Task — A build task has been added or updated
### Message summary
The summary is one of the most important parts of the commit message, because that is what we see when scanning through a list of commits, and it is also what we use to generate change logs.
The summary should be a concise description of the commit, preferably 72 characters or less (so we can see the entire description in github), beginning with a lowercase letter and with a terminating period. It should describe only the core issue addressed by the commit. If you find that the summary needs to be very long, your commit is probably too big! Smaller commits are better.
For a New commit, the summary should answer the question, “What is new and where?” For a Fixed commit, the summary should answer the question, “What was fixed?”, for example “Wrong Python version in Kafka Dockerfile”. It should not answer the question, “What was done to fix it?” That belongs in the body.
Do not simply reference another issue or pull request by number in the summary. First of all, we want to know what was actually changed and why, which may not be fully explained in the referenced issue. Second, github will not create a link to the referenced issue in the commit summary.
### Message body
The details of the commit go in the body. Specifically, the body should include the motivation for the change for New, Fixed and Task types. For Fixed commits, you should also contrast behavior before the commit with behavior after the commit.
If the summary can completely express everything, there is no need for a message body.
### Message footer
If the commit closes an issue by fixing the bug, implementing a feature, or rendering it obsolete, or if it references an issue without closing it, that should be indicated in the message footer.
Issues closed by a commit should be listed on a separate line in the footer with an appropriate prefix:
"Fixes" for Fixed commit types
"Closes" for all other commit types
For example:
```
Fixes #1234
```
or in the case of multiple issues, like this:
```
Fixes 1234, 2345
```
Issues that a commit references without closing them should be listed on a separate line in the footer with the prefix "Refs", like this:
```
Refs #1234
```
or in the case of multiple issues, like this:
```
Refs #1234, #2345
```
If a commit changes the API or behavior in such a way that existing code may break, a description of the change, what might break, and how existing code should be modified must be noted in the footer like this:
```
BREAKING CHANGE:
Dockerfile of Kafka has been changed, you must generate a new image of Kafka.
```
### Examples
```
Fixed: Wrong Python version in Kafka Dockerfile
Previously, the Kafka's Dockerfile installed the version 3.0 of Python. This version of Python
did not work with the lib configobj.
We now make sure to install the version 2.7 of Python by specifying the version when installing
Python.
Fixes 1234
```
================================================
FILE: Gopkg.toml
================================================
required = ["github.com/docker/distribution"]
[[constraint]]
branch = "master"
name = "github.com/aporeto-inc/go-ipset"
[[constraint]]
name = "github.com/docker/docker"
version = "v17.05.0-ce-rc3"
[[constraint]]
name = "github.com/docker/distribution"
revision = "b38e5838b7b2f2ad48e06ec4b500011976080621"
[[override]]
name = "github.com/ti-mo/netfilter"
version = "=0.3.0"
# as per github.com/ti-mo/netfilter go.mod file
[[constraint]]
name = "github.com/mdlayher/netlink"
revision = "a1644773bc99cfd147417f646434a663b5892505"
#
# The most significant dependency for the Kubernetes monitor: the controller-runtime
# NOTE: change with care and always adjust the Kubernetes dependencies below
#
[[override]]
name = "sigs.k8s.io/controller-runtime"
version = "v0.1.10"
#
# Kubernetes dependencies
# NOTE: always match exactly to what controller-runtime uses
#
[[constraint]]
name = "k8s.io/api"
version = "kubernetes-1.13.1"
[[override]]
name = "k8s.io/apiextensions-apiserver"
version = "kubernetes-1.13.1"
[[override]]
name = "k8s.io/apimachinery"
version = "kubernetes-1.13.1"
[[override]]
name = "k8s.io/apiserver"
version = "kubernetes-1.13.1"
[[constraint]]
name = "k8s.io/client-go"
version = "kubernetes-1.13.1"
[[override]]
name = "k8s.io/code-generator"
version = "kubernetes-1.13.1"
[[override]]
name = "k8s.io/gengo"
branch = "master"
[[constraint]]
name = "github.com/envoyproxy/go-control-plane"
version = "v0.9.0"
[[constraint]]
name = "github.com/aporeto-inc/oxy"
branch = "sirupsen"
[[constraint]]
name = "go.aporeto.io/netlink-go"
branch = "master"
[[constraint]]
name = "go.aporeto.io/tg"
branch = "master"
[[constraint]]
name = "github.com/hashicorp/go-version"
version = "v1.0.0"
[prune]
go-tests = true
unused-packages = true
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: Makefile
================================================
## all: default is to show the help text
.PHONY: all help
all: help
ci: test lint
## vet: run go vet on the source
vet:
go vet ./...
## test: test with race checks
test:
@ scripts/test.sh
## lint: run the linter
lint:
@ scripts/lint.sh
#
# help uses all the ## marks for help text
#
.PHONY: help
## help: prints this help message
help:
@ echo "Usage: "
@ echo
@ echo "Run 'make <target>' where <target> is one of:"
@ echo
@ sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' | sed -e 's/^/ /' | sort
================================================
FILE: NOTICE
================================================
Trirem Project -
Copyright (c) 2016 Aporeto, Inc. All Rights Reserved
This product includes software developed at Aporeto Inc.
================================================
FILE: README.md
================================================
# Trireme
<img src="docs/trireme.png" width="400">
[](https://travis-ci.org/aporeto-inc/trireme-lib) [](https://codecov.io/gh/aporeto-inc/trireme-lib) [](https://twitter.com/aporeto_trireme) [](https://triremehq.slack.com/messages/general/) [](https://www.gnu.org/licenses/gpl-2.0.html) [](https://godoc.org/go.aporeto.io/trireme-lib) [](https://goreportcard.com/report/go.aporeto.io/trireme-lib)
Welcome to Trireme, an open-source library curated by Aporeto to provide cryptographic isolation for cloud-native applications. Trireme-lib is a Zero-Trust networking
library that makes it possible to setup security policies and segment applications by enforcing end-to-end authentication and authorization without the need
for complex control planes or IP/port-centric ACLs and east-west firewalls.
Trireme-lib supports both containers and Linux processes as well user-based activation, and it allows security policy enforcement between any of these entities.
# TL;DR
Trireme-lib is a library. The following projects use it:
* [Trireme as a set of simple examples to get started](https://github.com/aporeto-inc/trireme-example)
* [Trireme implementing NetworkPolicies on Kubernetes](https://github.com/aporeto-inc/trireme-kubernetes/tree/master/deployment)
# Description
In the Trireme world, a processing unit (PU) end-point can be a container, Kubernetes POD, or a general Linux process. It can also be a user session
to a particular server. We will be referring to processing units as PUs throughout this discussion.
The technology behind Trireme is streamlined, elegant, and simple. It is based on the concepts of Zero-Trust networking:
1. The identity is the set of attributes and metadata that describes the container as key/value pairs. Trireme provides an extensible interface for defining these identities. Users can choose customized methods appropriate to their environment for establishing PU identity. For example, in a Kubernetes environment, the identity can be the set of labels identifying a POD.
2. There is an authorization policy that defines when PUs with different types of identity attributes can interact or exchange traffic. The authorization policy implements an Attribute-Based Access Control (ABAC) mechanism (https://en.wikipedia.org/wiki/Attribute-Based_Access_Control), where the policy describes relationships between identity attributes.
3. Every communication between two PUs is controlled through a cryptographic end-to-end authentication and authorization step, by overlaying an authorization function over the TCP negotiation. The authorization steps are performed during the `SYN`/`SYNACK`/`ACK` negotiation.
The result of this approach is the decoupling of network security from the underlying network infrastructure because this approach is centered on workload identity attributes and interactions between workloads. Network security can be achieved simply by managing application identity and authorization policy. Segmentation granularity can be adjusted based on the needs of the platform.
Trireme is a node-centric library. Each node participating in the Trireme cluster must spawn one instance of a process that uses this library to transparently insert the authentication and authorization step. Trireme provides the data path functions but does not implement either the identity management or the policy resolution function. Function implementation depends on the particular operational environment. Users have to provide PolicyLogic (ABAC “rules”) to Trireme for well-defined PUs, such as containers.
# Existing implementation using Trireme library
* [This example](https://github.com/aporeto-inc/trireme-example) is a straightforward implementation of the PolicyLogic for a simple use-case.
* [Kubernetes-Integration](https://github.com/aporeto-inc/kubernetes-integration) is a full implementation of PolicyLogic that follows the Kubernetes Network Policies model.
* [Bare-Metal-Integration](https://github.com/aporeto-inc/trireme-bare-metal) is an implementation of Trireme for Kubernetes on-prem, with a Cumulus agent that allows you to have a very simple networking model (routes are advertised by Cumulus) together with Trireme for policy enforcement.
# Security Model
Trireme is a Zero-Trust networking library. The security model behind Zero-trust networking is:
* The Network is always untrusted. It doesn't matter if you are inside or outside your enterprise.
* Every Flow/Connection needs to be authenticated and authorized by the endpoints.
* The network information (IP/Port) is completely irrelevant to the authorization/authentication.
With Trireme, there is no need to define any security rules with IPs, port numbers, or ACLs. Everything is based on identity attributes; your IP and port allocation scheme is not relevant to Trireme and it is compatible with most underlying networking technologies. The end-to-end authentication and authorization approach is also compatible with NATs and IPv4/IPv6 translations.
A PU is a logical unit of control to which you attach identity and authorization policies. It provides a simple mechanism where the identity is derived out of the Docker manifest; however, other mechanisms are possible for more sophisticated identity definition. For instance, you may want to tag your 3-tier container application as "frontend," "backend," and "database." By associating corresponding labels and containers, these labels become "the identity." A policy for the “backend” containers can simply accept traffic only from “frontend” containers. Alternatively, an orchestration system might define a composite identity for each container and implement more sophisticated policies.
PolicyLogic defines the set of authorization rules as a function of the identity of attributes and loads these rules into Trireme when a container is instantiated. Authorization rules describe the set of identities with which a particular container is allowed to interact. We provide an example of this integration logic with Kubernetes [here](https://github.com/aporeto-inc/kubernetes-integration). Furthermore, we provide an example of a simple policy where two containers can only talk to each other if they have matching labels in [this example](https://github.com/aporeto-inc/trireme-lib/tree/master/example). Each rule defines a match based on the identity attributes. PolicyLogic assumes a whitelist model where everything is dropped unless explicitly allowed by the authorization policy.
PU identities are cryptographically signed with a node-specific secret and sent as part of a TCP connection setup negotiation. Trireme supports both mutual and receiver-only authorization. Moreover, it supports two authentication and signing modes: (1) A pre-shared key and (2) a PKI mechanism based on ECDSA. In the case of ECDSA, public keys are either transmitted on the wire or pre-populated through an out-of-band mechanism to improve efficiency. Trireme also supports two identity encoding mechanisms: (1) A signed JSON Web Token (JWT) and (2) a custom binary mapping mechanism.
With these mechanisms, the Trireme run-time on each node will only allow communication after an end-to-end authentication and authorization step is performed between the containers.
# Trireme Architecture
Trireme-lib is built as a set of modules (Go packages) that provide a default implementation for each component. It is simple to swap the default implementation of each of those modules with custom-built ones for more complex and specific features.
Conceptually, Trireme acts on PU events. In the default implementation, the PU is a Docker container. Trireme can be easily extended to other PUs such as processes, files, sockets, and so forth.
Trireme consists of two main packages:
* The `Monitor` listens to a well-defined PU creation module. The built-in monitor listens to Docker events and generates a standard Trireme PU runtime representation. Additional monitors provided can listen to events on creation of Linux processes or user sessions from the Linux PAM module. The `Monitor` hands over the PU runtime to an external `Resolver`.
* The `Resolver` is implemented outside of Trireme and is not part of the library. The `Resolver` depends on the orchestration system used for managing identity and policy. If you plan to implement your own policy with Trireme, you will essentially need to implement a `Resolver`.
* The `Controller` receives instructions from the `Resolver` and enforces the policy by analyzing the redirected packets and enforcing the identity and policy rules.
# Defining Your Own Policy
Trireme allows you to define any type of identity attribute or policy to associate with the PUs.
In order to define your own policies and identities, you need to implement a `Resolver` interface that will receive policy requests from Trireme whenever a policy resolution is required.
# Resolver Implementation
```go
// A Resolver must be implemented by a policy engine that receives monitor events.
type Resolver interface {
// HandlePUEvent is called by all monitors when a PU event is generated. The implementer
// is responsible to update all components by explicitly adding a new PU.
HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime RuntimeReader) error
}
```
Each container event generates a call to `HandlePUEvent`
The `Resolver` can then issue explicit calls to the `Controller` in order to implement the policy decision. The `Controller` interface is consumed by the `Resolver` and it is described below:
```go
// TriremeController is the main API of the Trireme controller
type TriremeController interface {
// Run initializes and runs the controller.
Run(ctx context.Context) error
// CleanUp cleans all the supervisors and ACLs for a clean exit
CleanUp() error
// Enforce asks the controller to enforce policy on a processing unit
Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)
// UnEnforce asks the controller to un-enforce policy on a processing unit
UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)
// UpdatePolicy updates the policy of the isolator for a container.
UpdatePolicy(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error
// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
UpdateSecrets(secrets secrets.Secrets) error
// UpdateConfiguration updates the configuration of the controller. Only specific configuration
// parameters can be updated during run time.
UpdateConfiguration(networks []string) error
}
```
# Prerequisites
* Trireme-lib requires IPTables with access to the `Mangle` module.
* Trireme-lib requires access to the Docker event API socket (`/var/run/docker.sock` by default).
* Trireme-lib requires privileged access.
* Trireme-lib requires to run in the Host PID namespace.
[](https://github.com/igrigorik/ga-beacon)
================================================
FILE: buildflags/buildflags.go
================================================
// +build !rhel6
package buildflags
// Distro constants
const (
Rhel6 = ""
Rhel5 = ""
)
// IsRHEL6 returns true if the build flag was set for rhel6
func IsRHEL6() bool {
return false
}
// IsRHEL5 returns true if the build flag was set for rhel5
func IsRHEL5() bool {
return false
}
// IsLegacyKernel returns true if the build flag was set for rhel5/rhel6
func IsLegacyKernel() bool {
return false
}
================================================
FILE: buildflags/buildflags_rhel.go
================================================
// +build rhel6
package buildflags
// Distro constants
const (
Rhel6 = "rhel6"
Rhel5 = "rhel5"
)
// IsRHEL6 returns true if the build flag was set for rhel6
func IsRHEL6() bool {
return true
}
// IsRHEL5 returns true if the build flag was set for rhel5
func IsRHEL5() bool {
return false
}
// IsLegacyKernel returns true if the build flag was set for rhel5/rhel6
func IsLegacyKernel() bool {
return true
}
================================================
FILE: cmd/systemdutil/exec.go
================================================
// +build !windows
package systemdutil
import (
"syscall"
"go.aporeto.io/enforcerd/trireme-lib/common"
)
func execve(c *CLIRequest, env []string) error {
return syscall.Exec(c.Executable, append([]string{c.Executable}, c.Parameters...), env)
}
func getPUType() common.PUType {
return common.LinuxProcessPU
}
================================================
FILE: cmd/systemdutil/exec_windows.go
================================================
package systemdutil
import (
"os"
"os/exec"
"go.aporeto.io/enforcerd/trireme-lib/common"
)
// execve does not exist in Windows, so we do the best we can.
func execve(c *CLIRequest, env []string) error {
cmd := exec.Command(c.Executable, c.Parameters...)
cmd.Env = env
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
return cmd.Run()
}
func getPUType() common.PUType {
return common.WindowsProcessPU
}
================================================
FILE: cmd/systemdutil/systemdutil.go
================================================
package systemdutil
import (
"encoding/hex"
"errors"
"fmt"
"os"
"os/exec"
"path"
"regexp"
"strings"
"go.aporeto.io/enforcerd/trireme-lib/common"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
"go.aporeto.io/enforcerd/trireme-lib/monitor/remoteapi/client"
"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)
// ExecuteCommandFromArguments processes the command from the arguments
func ExecuteCommandFromArguments(arguments map[string]interface{}) error {
p := NewRequestProcessor()
c, err := p.ParseCommand(arguments)
if err != nil {
return err
}
return p.ExecuteRequest(c)
}
// RequestType is the type of the request
type RequestType int
const (
// CreateRequest requests a create event
CreateRequest RequestType = iota
// DeleteCgroupRequest requests deletion based on the cgroup - issued by the kernel
DeleteCgroupRequest
// DeleteServiceRequest requests deletion by the service ID
DeleteServiceRequest
)
// CLIRequest captures all CLI parameters
type CLIRequest struct {
// Request is the type of the request
Request RequestType
// Cgroup is only provided for delete cgroup requests
Cgroup string
// Executable is the path to the executable
Executable string
// Parameters are the parameters of the executable
Parameters []string
// Labels are the user labels attached to the request
Labels []string
// ServiceName is a user defined service name
ServiceName string
// Services are the user defined services (protocol, port)
Services []common.Service
// HostPolicy indicates that this is a host policy
HostPolicy bool
// NetworkOnly indicates that the request is only for traffic coming from the network
NetworkOnly bool
// AutoPort indicates that auto port feature is enabled for the PU
AutoPort bool
}
// RequestProcessor is an instance of the processor
type RequestProcessor struct {
address string
}
// NewRequestProcessor creates a default request processor
func NewRequestProcessor() *RequestProcessor {
return &RequestProcessor{
address: common.TriremeSocket,
}
}
// NewCustomRequestProcessor creates a new request processor
func NewCustomRequestProcessor(address string) *RequestProcessor {
r := NewRequestProcessor()
if address != "" {
r.address = address
}
return r
}
// Generic command line arguments
// Assumes a command like that:
// usage = `Trireme Client Command
//
// Usage: enforcerd -h | --help
// trireme -v | --version
// trireme run
// [--service-name=<sname>]
// [[--ports=<ports>]...]
// [[--label=<keyvalue>]...]
// [--networkonly]
// [--hostpolicy]
// [--uidpolicy]
// [<command> [--] [<params>...]]
// trireme rm
// [--service-name=<sname>]
// [--hostpolicy]
// [--uidpolicy]
// trireme <cgroup>
//
// Run Client Options:
// --service-name=<sname> Service name for the executed command [default ].
// --ports=<ports> Ports that the executed service is listening to [default ].
// --label=<keyvalue> Label (key/value pair) attached to the service [default ].
// --networkonly Control traffic from the network only and not from applications [default false].
// --hostpolicy Default control of the base namespace [default false].
// --uidpolicy Default control of the base namespace [default false].
//
// `
// ParseCommand parses a command based on the above specification
// This is a helper function for CLIs like in Trireme Example.
// Proper use is through the CLIRequest structure
func (r *RequestProcessor) ParseCommand(arguments map[string]interface{}) (*CLIRequest, error) {
c := &CLIRequest{}
// First parse a command that only provides the cgroup
// The kernel will only send us a command with one argument
if value, ok := arguments["<cgroup>"]; ok && value != nil {
c.Cgroup = value.(string)
c.Request = DeleteCgroupRequest
return c, nil
}
if value, ok := arguments["--service-name"]; ok && value != nil {
c.ServiceName = value.(string)
}
if value, ok := arguments["--hostpolicy"]; ok && value != nil {
c.HostPolicy = value.(bool)
}
// If the command is remove use hostpolicy and service-id
if arguments["rm"].(bool) {
c.Request = DeleteServiceRequest
return c, nil
}
// Process the rest of the arguments of the run command
if value, ok := arguments["run"]; !ok || value == nil {
return nil, errors.New("invalid command")
}
// This is a create request - proceed
c.Request = CreateRequest
if value, ok := arguments["<command>"]; ok && value != nil {
c.Executable = value.(string)
}
if value, ok := arguments["--label"]; ok && value != nil {
c.Labels = value.([]string)
}
if value, ok := arguments["<params>"]; ok && value != nil {
c.Parameters = value.([]string)
}
if value, ok := arguments["--ports"]; ok && value != nil {
services, err := ParseServices(value.([]string))
if err != nil {
return nil, err
}
c.Services = services
}
if value, ok := arguments["--autoport"]; ok && value != nil {
c.AutoPort = value.(bool)
}
if value, ok := arguments["--networkonly"]; ok && value != nil {
c.NetworkOnly = value.(bool)
}
return c, nil
}
// CreateAndRun creates a processing unit
func (r *RequestProcessor) CreateAndRun(c *CLIRequest) error {
var err error
// If its not hostPolicy and the command doesn't exist we return an error
if !c.HostPolicy {
if c.Executable == "" {
return errors.New("command must be provided")
}
if !path.IsAbs(c.Executable) {
c.Executable, err = exec.LookPath(c.Executable)
if err != nil {
return err
}
}
if c.ServiceName == "" {
c.ServiceName = c.Executable
}
}
puType := getPUType()
if c.NetworkOnly {
puType = common.HostNetworkPU
} else if c.HostPolicy {
puType = common.HostPU
}
exeTags := executableTags(c)
c.Labels = append(c.Labels, exeTags...)
// This is added since the release_notification comes in this format
// Easier to massage it while creation rather than change at the receiving end depending on event
request := &common.EventInfo{
PUType: puType,
Name: c.ServiceName,
Executable: c.Executable,
Tags: c.Labels,
PID: int32(os.Getpid()),
EventType: common.EventStart,
Services: c.Services,
NetworkOnlyTraffic: c.NetworkOnly,
HostService: c.HostPolicy,
AutoPort: c.AutoPort,
}
if err := sendRequest(r.address, request); err != nil {
return err
}
if c.HostPolicy {
return nil
}
env := os.Environ()
env = append(env, "APORETO_WRAP=1")
return execve(c, env)
}
// DeleteService will issue a delete command
func (r *RequestProcessor) DeleteService(c *CLIRequest) error {
request := &common.EventInfo{
PUType: getPUType(),
PUID: c.ServiceName,
EventType: common.EventStop,
HostService: c.HostPolicy,
}
// Send Stop request
if err := sendRequest(r.address, request); err != nil {
return err
}
// Send destroy request
request.EventType = common.EventDestroy
return sendRequest(r.address, request)
}
// DeleteCgroup will issue a delete command based on the cgroup
// This is used mainly by the cleaner.
func (r *RequestProcessor) DeleteCgroup(c *CLIRequest) error {
regexCgroup := regexp.MustCompile(`^/trireme/(ssh-)?[a-zA-Z0-9_\-:.$%]{1,64}$`)
if !regexCgroup.Match([]byte(c.Cgroup)) {
return fmt.Errorf("invalid cgroup: %s", c.Cgroup)
}
var eventPUID string
var eventType common.PUType
if strings.HasPrefix(c.Cgroup, common.TriremeCgroupPath) {
eventType = getPUType()
eventPUID = c.Cgroup[len(common.TriremeCgroupPath):]
} else {
// Not our Cgroup
return nil
}
request := &common.EventInfo{
PUType: eventType,
PUID: eventPUID,
EventType: common.EventStop,
}
// Send Stop request
if err := sendRequest(r.address, request); err != nil {
return err
}
// Send destroy request
request.EventType = common.EventDestroy
return sendRequest(r.address, request)
}
// ExecuteRequest executes the command with an RPC request
func (r *RequestProcessor) ExecuteRequest(c *CLIRequest) error {
switch c.Request {
case CreateRequest:
return r.CreateAndRun(c)
case DeleteCgroupRequest:
return r.DeleteCgroup(c)
case DeleteServiceRequest:
return r.DeleteService(c)
default:
return fmt.Errorf("unknown request: %d", c.Request)
}
}
// sendRequest sends an RPC request to the provided address
func sendRequest(address string, event *common.EventInfo) error {
client, err := client.NewClient(address)
if err != nil {
return err
}
return client.SendRequest(event)
}
func executableTags(c *CLIRequest) []string {
tags := []string{}
if fileMd5, err := extractors.ComputeFileMd5(c.Executable); err == nil {
tags = append(tags, fmt.Sprintf("@app:%s:filechecksum=%s", extractors.OSHostString, hex.EncodeToString(fileMd5)))
}
depends := extractors.Libs(c.ServiceName)
for _, lib := range depends {
tags = append(tags, fmt.Sprintf("@app:%s:lib:%s=true", extractors.OSHostString, lib))
}
return tags
}
// ParseServices parses strings with the services and returns them in an
// validated slice
func ParseServices(ports []string) ([]common.Service, error) {
// If no ports are provided, we add the default 0 port
if len(ports) == 0 {
ports = append(ports, "0")
}
// Parse the ports and create the services. Cleanup any bad ports
services := []common.Service{}
protocol := packet.IPProtocolTCP
for _, p := range ports {
// check for port string of form port#/udp eg 8085/udp
portProtocolPair := strings.Split(p, "/")
if len(portProtocolPair) > 2 || len(portProtocolPair) <= 0 {
return nil, fmt.Errorf("Invalid port format. Expected format is of form 80 or 8085/udp")
}
if len(portProtocolPair) == 2 {
if portProtocolPair[1] == "tcp" {
protocol = packet.IPProtocolTCP
} else if portProtocolPair[1] == "udp" {
protocol = packet.IPProtocolUDP
} else {
return nil, fmt.Errorf("Invalid protocol specified. Only tcp/udp accepted")
}
}
s, err := portspec.NewPortSpecFromString(portProtocolPair[0], nil)
if err != nil {
return nil, fmt.Errorf("Invalid port spec: %s ", err)
}
services = append(services, common.Service{
Protocol: uint8(protocol),
Ports: s,
})
}
return services, nil
}
================================================
FILE: collector/default.go
================================================
package collector
import (
"encoding/binary"
"github.com/cespare/xxhash"
"go.aporeto.io/underwater/core/policy/services"
)
// DefaultCollector implements a default collector infrastructure to syslog
type DefaultCollector struct{}
// NewDefaultCollector returns a default implementation of an EventCollector
func NewDefaultCollector() EventCollector {
return &DefaultCollector{}
}
// CollectFlowEvent is part of the EventCollector interface.
func (d *DefaultCollector) CollectFlowEvent(record *FlowRecord) {}
// CollectContainerEvent is part of the EventCollector interface.
func (d *DefaultCollector) CollectContainerEvent(record *ContainerRecord) {}
// CollectUserEvent is part of the EventCollector interface.
func (d *DefaultCollector) CollectUserEvent(record *UserRecord) {}
// CollectTraceEvent collects iptables trace events
func (d *DefaultCollector) CollectTraceEvent(records []string) {}
// CollectPacketEvent collects packet events from the datapath
func (d *DefaultCollector) CollectPacketEvent(report *PacketReport) {}
// CollectCounterEvent collect counters from the datapath
func (d *DefaultCollector) CollectCounterEvent(report *CounterReport) {}
// CollectDNSRequests collect counters from the datapath
func (d *DefaultCollector) CollectDNSRequests(report *DNSRequestReport) {}
// CollectPingEvent collects ping events from the datapath
func (d *DefaultCollector) CollectPingEvent(report *PingReport) {}
// CollectConnectionExceptionReport collects the connection exception report
func (d *DefaultCollector) CollectConnectionExceptionReport(report *ConnectionExceptionReport) {}
// StatsFlowHash is a hash function to hash flows. Ignores source ports. Returns two hashes
// flowhash - minimal with SIP/DIP/Dport
// contenthash - hash with all contents to compare quickly and report when changes are observed
func StatsFlowHash(r *FlowRecord) (flowhash, contenthash uint64) {
hash := xxhash.New()
hash.Write([]byte(r.Source.ID)) // nolint errcheck
hash.Write([]byte(r.Destination.ID)) // nolint errcheck
hash.Write([]byte(r.Destination.URI)) // nolint errcheck
hash.Write([]byte(r.Source.IP)) // nolint errcheck
hash.Write([]byte(r.Destination.IP)) // nolint errcheck
port := make([]byte, 2)
binary.BigEndian.PutUint16(port, r.Destination.Port)
hash.Write(port) // nolint errcheck
flowhash = hash.Sum64()
hash.Write([]byte(r.Action.String())) // nolint errcheck
hash.Write([]byte(r.ObservedAction.String())) // nolint errcheck
hash.Write([]byte(r.DropReason)) // nolint errcheck
hash.Write([]byte(r.PolicyID)) // nolint errcheck
return flowhash, hash.Sum64()
}
// StatsFlowContentHash is a hash function to hash flows. Ignores source ports. Returns
// contenthash - hash with all contents to compare quickly and report when changes are observed
func StatsFlowContentHash(r *FlowRecord) (contenthash uint64) {
_, contenthash = StatsFlowHash(r)
return contenthash
}
// StatsUserHash is a hash function to hash user records.
func StatsUserHash(r *UserRecord) error {
hash, err := services.HashClaims(r.Claims, r.Namespace)
if err != nil {
return err
}
r.ID = hash
return nil
}
// ConnectionExceptionReportHash is a hash function to hash connection exception reports.
func ConnectionExceptionReportHash(r *ConnectionExceptionReport) uint64 {
hash := xxhash.New()
hash.Write([]byte(r.PUID)) // nolint errcheck
hash.Write([]byte(r.SourceIP)) // nolint errcheck
hash.Write([]byte(r.DestinationIP)) // nolint errcheck
hash.Write([]byte(r.Reason)) // nolint errcheck
hash.Write([]byte(r.State)) // nolint errcheck
port := make([]byte, 2)
binary.BigEndian.PutUint16(port, r.DestinationPort)
hash.Write(port) // nolint errcheck
return hash.Sum64()
}
================================================
FILE: collector/default_test.go
================================================
package collector
import (
"testing"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
func TestStatsUserHash(t *testing.T) {
type args struct {
userRecord *UserRecord
hash string
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "Test_StatsUserHash1",
args: args{
userRecord: &UserRecord{
Namespace: "/_apotests",
Claims: []string{
"CN=b01a6042-437-allow",
"O=b01a6042-437-allow",
},
},
hash: "14815208496714115169",
},
wantErr: false,
},
{
name: "Test_StatsUserHash2",
args: args{
userRecord: &UserRecord{
Namespace: "/_apotests",
Claims: []string{
"CN=apotests-master-staging2 Root CA",
"O=_apotests/b01a6042-437c-44ab-a17f-e14f6f915b87",
"OU=aporeto-enforcerd",
},
},
hash: "3750309273572959404",
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := StatsUserHash(tt.args.userRecord); (err != nil) != tt.wantErr {
t.Errorf("StatsUserHash() error = %v, wantErr %v", err, tt.wantErr)
}
if tt.args.hash != tt.args.userRecord.ID {
t.Errorf("Wanted %s but got %s", tt.args.hash, tt.args.userRecord.ID)
}
})
}
}
func TestStatsFlowHash(t *testing.T) {
type args struct {
r *FlowRecord
}
tests := []struct {
name string
args args
wantFlowhash uint64
wantContenthash uint64
}{
{
name: "basic hash",
args: args{
r: &FlowRecord{
ContextID: "context",
Namespace: "ns",
Source: EndPoint{},
Destination: EndPoint{},
Tags: []string{"tag=val"},
DropReason: "none",
PolicyID: "default",
ObservedPolicyID: "default",
ServiceType: policy.ServiceL3,
ServiceID: "svc",
Count: 1,
Action: policy.Accept,
ObservedAction: policy.Accept,
ObservedActionType: policy.ObserveContinue,
L4Protocol: 7,
SourceController: "src-controller",
DestinationController: "dst-controller",
RuleName: "1",
},
},
wantFlowhash: 11145182160106660097,
wantContenthash: 5951126184511352450,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotFlowhash, gotContenthash := StatsFlowHash(tt.args.r)
if gotFlowhash != tt.wantFlowhash {
t.Errorf("StatsFlowHash() gotFlowhash = %v, want %v", gotFlowhash, tt.wantFlowhash)
}
if gotContenthash != tt.wantContenthash {
t.Errorf("StatsFlowHash() gotContenthash = %v, want %v", gotContenthash, tt.wantContenthash)
}
gothash := StatsFlowContentHash(tt.args.r)
if gothash != tt.wantContenthash {
t.Errorf("StatsFlowHash() gothash = %v, want %v", gothash, tt.wantContenthash)
}
})
}
}
================================================
FILE: collector/interfaces.go
================================================
package collector
import (
"fmt"
"time"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.aporeto.io/gaia"
)
// Flow event description
const (
// FlowReject indicates that a flow was rejected
FlowReject = "reject"
// FlowAccept logs that a flow is accepted
FlowAccept = "accept"
// MissingToken indicates that the token was missing
MissingToken = "missingtoken"
// InvalidToken indicates that the token was invalid
InvalidToken = "token"
// InvalidFormat indicates that the packet metadata were not correct
InvalidFormat = "format"
// InvalidHeader indicates that the TCP header was not there.
InvalidHeader = "header"
// InvalidPayload indicates that the TCP payload was not there or bad.
InvalidPayload = "payload"
// InvalidContext indicates that there was no context in the metadata
InvalidContext = "context"
// InvalidConnection indicates that there was no connection found
InvalidConnection = "connection"
// InvalidState indicates that a packet was received without proper state information
InvalidState = "state"
// InvalidNonse indicates that the nonse check failed
InvalidNonse = "nonse"
// PolicyDrop indicates that the flow is rejected because of the policy decision
PolicyDrop = "policy"
// APIPolicyDrop indicates that the request was dropped because of failed API validation.
APIPolicyDrop = "api"
// UnableToDial indicates that the proxy cannot dial out the connection
UnableToDial = "dial"
// CompressedTagMismatch indicates that the compressed tag version is dissimilar
CompressedTagMismatch = "compressedtagmismatch"
// EncryptionMismatch indicates that the policy encryption varies between client and server enforcer
EncryptionMismatch = "encryptionmismatch"
// DatapathVersionMismatch indicates that the datapath version is dissimilar
DatapathVersionMismatch = "datapathversionmismatch"
// PacketDrop indicate a single packet drop
PacketDrop = "packetdrop"
)
// Container event description
const (
// ContainerStart indicates a container start event
ContainerStart = "start"
// ContainerStop indicates a container stop event
ContainerStop = "stop"
// ContainerCreate indicates a container create event
ContainerCreate = "create"
// ContainerDelete indicates a container delete event
ContainerDelete = "delete"
// ContainerUpdate indicates a container policy update event
ContainerUpdate = "update"
// ContainerFailed indicates an event that a container was stopped because of policy issues
ContainerFailed = "forcestop"
// ContainerIgnored indicates that the container will be ignored by Trireme
ContainerIgnored = "ignore"
// ContainerDeleteUnknown indicates that policy for an unknown container was deleted
ContainerDeleteUnknown = "unknowncontainer"
)
const (
// PolicyValid Normal flow accept
PolicyValid = "V"
// DefaultEndPoint provides a string for unknown container sources
DefaultEndPoint = "default"
// SomeClaimsSource provides a string for some claims flow source.
SomeClaimsSource = "some-claims"
)
// EventCollector is the interface for collecting events.
type EventCollector interface {
// CollectFlowEvent collect a flow event.
CollectFlowEvent(record *FlowRecord)
// CollectContainerEvent collects a container events
CollectContainerEvent(record *ContainerRecord)
// CollectUserEvent collects a user event
CollectUserEvent(record *UserRecord)
// CollectTraceEvent collects a set of trace messages generated with Iptables trace command
CollectTraceEvent(records []string)
// CollectPacketEvent collects packet event from nfqdatapath
CollectPacketEvent(report *PacketReport)
// CollectCounterEvent collects the counters from
CollectCounterEvent(counterReport *CounterReport)
// CollectDNSRequests collects the dns requests
CollectDNSRequests(request *DNSRequestReport)
// CollectPingEvent collects the ping events
CollectPingEvent(report *PingReport)
// CollectConnectionExceptionReport collects the connection exception report
CollectConnectionExceptionReport(report *ConnectionExceptionReport)
}
// EndPointType is the type of an endpoint (PU or an external IP address )
type EndPointType byte
const (
// EndPointTypeExternalIP indicates that the endpoint is an external IP address
EndPointTypeExternalIP EndPointType = iota
// EndPointTypePU indicates that the endpoint is a PU.
EndPointTypePU
// EndPointTypeClaims indicates that the endpoint is of type claims.
EndPointTypeClaims
)
func (e *EndPointType) String() string {
switch *e {
case EndPointTypeExternalIP:
return "ext"
case EndPointTypePU:
return "pu"
case EndPointTypeClaims:
return "claims"
}
return "pu" // backward compatibility (CS: 04/24/2018)
}
// EndPoint is a structure that holds all the endpoint information
type EndPoint struct {
ID string
IP string
URI string
HTTPMethod string
UserID string
Type EndPointType
Port uint16
}
// FlowRecord describes a flow record for statistis
type FlowRecord struct {
ContextID string
Namespace string
Source EndPoint
Destination EndPoint
Tags []string
DropReason string
PolicyID string
ObservedPolicyID string
ServiceType policy.ServiceType
ServiceID string
Count int
Action policy.ActionType
ObservedAction policy.ActionType
ObservedActionType policy.ObserveActionType
L4Protocol uint8
SourceController string
DestinationController string
RuleName string
}
func (f *FlowRecord) String() string {
return fmt.Sprintf("<flowrecord contextID:%s namespace:%s count:%d sourceID:%s destinationID:%s sourceIP: %s destinationIP:%s destinationPort:%d action:%s mode:%s>",
f.ContextID,
f.Namespace,
f.Count,
f.Source.ID,
f.Destination.ID,
f.Source.IP,
f.Destination.IP,
f.Destination.Port,
f.Action.String(),
f.DropReason,
)
}
// ContainerRecord is a statistics record for a container
type ContainerRecord struct {
ContextID string
IPAddress policy.ExtendedMap
Tags *policy.TagStore
Event string
}
// UserRecord reports a new user access. These will be reported
// periodically.
type UserRecord struct {
ID string
Namespace string
Claims []string
}
// PacketReport is the struct which is used to report packets captured in datapath
type PacketReport struct {
TCPFlags int
Claims []string
DestinationIP string
DestinationPort int
DropReason string
Encrypt bool
Event packettracing.PacketEvent
Length int
Mark int
Namespace string
PacketID int
Protocol int
PUID string
SourceIP string
SourcePort int
TriremePacket bool
Timestamp int64
Payload []byte
}
// DNSRequestReport object is used to report dns requests being made by PU's
type DNSRequestReport struct {
ContextID string
Namespace string
Source *EndPoint
Destination *EndPoint
NameLookup string
Error string
Count int
Ts time.Time
IPs []string
}
// Counters represent a single entry with name and current val
type Counters uint32
// CounterReport is called from the PU which reports Counters from the datapath
type CounterReport struct {
Namespace string
PUID string
Timestamp int64
Counters []Counters
}
// PingReport represents a single ping report from datapath.
type PingReport struct {
PingID string
IterationID int
Type gaia.PingProbeTypeValue
PUID string
Namespace string
FourTuple string
RTT string
Protocol int
ServiceType string
PayloadSize int
PayloadSizeType gaia.PingProbePayloadSizeTypeValue
PolicyID string
PolicyAction policy.ActionType
AgentVersion string
ApplicationListening bool
SeqNum uint32
TargetTCPNetworks bool
ExcludedNetworks bool
Error string
Claims []string
ClaimsType gaia.PingProbeClaimsTypeValue
ACLPolicyID string
ACLPolicyAction policy.ActionType
PeerCertIssuer string
PeerCertSubject string
PeerCertExpiry time.Time
IsServer bool
ServiceID string
// Remote pu fields.
RemoteController string
RemotePUID string
RemoteEndpointType EndPointType
RemoteNamespace string
RemoteNamespaceType gaia.PingProbeRemoteNamespaceTypeValue
}
// IPTablesTrace is a bundle of iptables trace records
type IPTablesTrace struct {
Namespace string
Timestamp int64
Records []*IPTablesTraceRecord
}
// IPTablesTraceRecord is the info parsed out from a trace event message
type IPTablesTraceRecord struct {
TTL int
Chain string
DestinationIP string
DestinationInterface string
DestinationPort int
Length int
PacketID int
Protocol int
RuleID int
SourceIP string
SourceInterface string
SourcePort int
TableName string
}
// ConnectionExceptionReport represents a single connection exception report from datapath.
type ConnectionExceptionReport struct {
Timestamp time.Time
PUID string
Namespace string
Protocol int
SourceIP string
DestinationIP string
DestinationPort uint16
State string
Reason string
Value uint32
}
================================================
FILE: collector/mockcollector/mockcollector.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: collector/interfaces.go
// Package mockcollector is a generated GoMock package.
package mockcollector
import (
reflect "reflect"
gomock "github.com/golang/mock/gomock"
collector "go.aporeto.io/enforcerd/trireme-lib/collector"
)
// MockEventCollector is a mock of EventCollector interface
// nolint
type MockEventCollector struct {
ctrl *gomock.Controller
recorder *MockEventCollectorMockRecorder
}
// MockEventCollectorMockRecorder is the mock recorder for MockEventCollector
// nolint
type MockEventCollectorMockRecorder struct {
mock *MockEventCollector
}
// NewMockEventCollector creates a new mock instance
// nolint
func NewMockEventCollector(ctrl *gomock.Controller) *MockEventCollector {
mock := &MockEventCollector{ctrl: ctrl}
mock.recorder = &MockEventCollectorMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockEventCollector) EXPECT() *MockEventCollectorMockRecorder {
return m.recorder
}
// CollectFlowEvent mocks base method
// nolint
func (m *MockEventCollector) CollectFlowEvent(record *collector.FlowRecord) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectFlowEvent", record)
}
// CollectFlowEvent indicates an expected call of CollectFlowEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectFlowEvent(record interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectFlowEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectFlowEvent), record)
}
// CollectContainerEvent mocks base method
// nolint
func (m *MockEventCollector) CollectContainerEvent(record *collector.ContainerRecord) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectContainerEvent", record)
}
// CollectContainerEvent indicates an expected call of CollectContainerEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectContainerEvent(record interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectContainerEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectContainerEvent), record)
}
// CollectUserEvent mocks base method
// nolint
func (m *MockEventCollector) CollectUserEvent(record *collector.UserRecord) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectUserEvent", record)
}
// CollectUserEvent indicates an expected call of CollectUserEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectUserEvent(record interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectUserEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectUserEvent), record)
}
// CollectTraceEvent mocks base method
// nolint
func (m *MockEventCollector) CollectTraceEvent(records []string) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectTraceEvent", records)
}
// CollectTraceEvent indicates an expected call of CollectTraceEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectTraceEvent(records interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectTraceEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectTraceEvent), records)
}
// CollectPacketEvent mocks base method
// nolint
func (m *MockEventCollector) CollectPacketEvent(report *collector.PacketReport) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectPacketEvent", report)
}
// CollectPacketEvent indicates an expected call of CollectPacketEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectPacketEvent(report interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectPacketEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectPacketEvent), report)
}
// CollectCounterEvent mocks base method
// nolint
func (m *MockEventCollector) CollectCounterEvent(counterReport *collector.CounterReport) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectCounterEvent", counterReport)
}
// CollectCounterEvent indicates an expected call of CollectCounterEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectCounterEvent(counterReport interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectCounterEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectCounterEvent), counterReport)
}
// CollectDNSRequests mocks base method
// nolint
func (m *MockEventCollector) CollectDNSRequests(request *collector.DNSRequestReport) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectDNSRequests", request)
}
// CollectDNSRequests indicates an expected call of CollectDNSRequests
// nolint
func (mr *MockEventCollectorMockRecorder) CollectDNSRequests(request interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectDNSRequests", reflect.TypeOf((*MockEventCollector)(nil).CollectDNSRequests), request)
}
// CollectPingEvent mocks base method
// nolint
func (m *MockEventCollector) CollectPingEvent(report *collector.PingReport) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectPingEvent", report)
}
// CollectPingEvent indicates an expected call of CollectPingEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectPingEvent(report interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectPingEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectPingEvent), report)
}
// CollectConnectionExceptionReport mocks base method
// nolint
func (m *MockEventCollector) CollectConnectionExceptionReport(report *collector.ConnectionExceptionReport) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "CollectConnectionExceptionReport", report)
}
// CollectConnectionExceptionReport indicates an expected call of CollectConnectionExceptionReport
// nolint
func (mr *MockEventCollectorMockRecorder) CollectConnectionExceptionReport(report interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectConnectionExceptionReport", reflect.TypeOf((*MockEventCollector)(nil).CollectConnectionExceptionReport), report)
}
================================================
FILE: common/events.go
================================================
package common
import (
"context"
)
// TriremeSocket is the standard API server Trireme socket path
// it is set via ConfigureTriremeSocketPath() and canonicalized with
// utils.GetPathOnHostViaProcRoot() at point of use
var TriremeSocket = "/var/run/trireme.sock"
// ConfigureTriremeSocketPath updates the TriremeSocket path
func ConfigureTriremeSocketPath(path string) {
TriremeSocket = path
}
// PUType defines the PU type
type PUType int
const (
// ContainerPU indicates that this PU is a container
ContainerPU PUType = iota
// LinuxProcessPU indicates that this is Linux process
LinuxProcessPU
// WindowsProcessPU indicates that this is Windows process
WindowsProcessPU
// HostPU is a host wrapping PU
HostPU
// HostNetworkPU is a PU for a network service in a host
HostNetworkPU
// KubernetesPU indicates that this is KubernetesPod
KubernetesPU
// TransientPU PU -- placeholder to run processing. This should not
// be inserted in any cache. This is valid only for processing a packet
TransientPU
)
const (
// TriremeCgroupPath is the standard Trireme cgroup path
TriremeCgroupPath = "/trireme/"
// TriremeDockerHostNetwork is the path for Docker HostNetwork container based activations
TriremeDockerHostNetwork = "/trireme_docker_hostnet/"
)
// EventInfo is a generic structure that defines all the information related to a PU event.
// EventInfo should be used as a normalized struct container that
type EventInfo struct {
// EventType refers to one of the standard events that Trireme handles.
EventType Event `json:"eventtype,omitempty"`
// PUType is the the type of the PU
PUType PUType `json:"putype,omitempty"`
// The PUID is a unique value for the Processing Unit. Ideally this should be the UUID.
PUID string `json:"puid,omitempty"`
// The Name is a user-friendly name for the Processing Unit.
Name string `json:"name,omitempty"`
// The Executable is the executable name for the Processing Unit.
Executable string `json:"executable,omitempty"`
// Tags represents the set of MetadataTags associated with this PUID.
Tags []string `json:"tags,omitempty"`
// The path for the Network Namespace.
NS string `json:"namespace,omitempty"`
// Cgroup is the path to the cgroup - used for deletes
Cgroup string `json:"cgroup,omitempty"`
// IPs is a map of all the IPs that fully belong to this processing Unit.
IPs map[string]string `json:"ipaddressesutype,omitempty"`
// Services is a list of services of interest - for host control
Services []Service `json:"services,omitempty"`
// The PID is the PID on the system where this Processing Unit is running.
PID int32 `json:"pid,omitempty"`
// HostService indicates that the request is for the root namespace
HostService bool `json:"hostservice,omitempty"`
// AutoPort indicates that the PU will have auto port feature enabled
AutoPort bool `json:"autoport,omitempty"`
// NetworkOnlyTraffic indicates that traffic towards the applications must be controlled.
NetworkOnlyTraffic bool `json:"networktrafficonly,omitempty"`
// Root indicates that this request is coming from a roor user. Its overwritten by the enforcer
Root bool `json:"root,omitempty"`
}
// Event represents the event picked up by the monitor.
type Event string
// Values of the events
const (
EventStart Event = "start"
EventStop Event = "stop"
EventUpdate Event = "update"
EventCreate Event = "create"
EventDestroy Event = "destroy"
EventPause Event = "pause"
EventUnpause Event = "unpause"
EventResync Event = "resync"
)
var (
// EventMap used for validations
EventMap = map[Event]*struct{}{
"start": nil,
"stop": nil,
"update": nil,
"create": nil,
"destroy": nil,
"pause": nil,
"unpause": nil,
"resync": nil,
}
)
// EventResponse encapsulate the error response if any.
type EventResponse struct {
Error string
}
// A EventHandler is type of event handler functions.
type EventHandler func(ctx context.Context, event *EventInfo) error
// A State describes the state of the PU.
type State int
const (
// StateStarted is the state of a started PU.
StateStarted State = iota + 1
// StateStopped is the state of stopped PU.
StateStopped
// StatePaused is the state of a paused PU.
StatePaused
// StateDestroyed is the state of destroyed PU.
StateDestroyed
// StateUnknwown is the state of PU in an unknown state.
StateUnknwown
)
================================================
FILE: common/hooks.go
================================================
package common
// Values for hook methods
const (
MetadataHookPolicy = "metadata:policy"
MetadataHookHealth = "metadata:health"
MetadataHookCertificate = "metadata:certificate"
MetadataHookKey = "metadata:key"
MetadataHookToken = "metadata:token"
AWSHookInfo = "aws:info"
AWSHookRole = "aws:role"
)
// AWSRole reserved prefix
const (
AWSRoleARNPrefix = "@awsrole=arn:aws:iam::"
AWSRolePrefix = "@awsrole="
)
// Metadata API constants
const (
MetadataKey = "X-Aporeto-Metadata"
MetadataValue = "secrets"
)
================================================
FILE: common/oauthtokens.go
================================================
package common
import (
"context"
"time"
)
// ServiceTokenType is the type of the token.
type ServiceTokenType string
// Values of ServiceTokenType
const (
ServiceTokenTypeOAUTH ServiceTokenType = "oauth"
ServiceTokenTypeAWS ServiceTokenType = "aws"
)
// ServiceTokenIssuer is an interface of an implementation that can issue service tokens on behalf
// of a PU. The user of the library must provide the implementation. ServiceTokens can be OAUTH
// tokens or cloud provider specific tokens such AWS Role credentials.
type ServiceTokenIssuer interface {
Issue(ctx context.Context, contextID string, stype ServiceTokenType, audience string, validity time.Duration) (string, error)
}
================================================
FILE: common/service.go
================================================
package common
import (
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)
// Service is a protocol/port service of interest - used to pass user requests
type Service struct {
// Ports are the corresponding ports
Ports *portspec.PortSpec `json:"ports,omitempty"`
// Port is the service port. This has been deprecated and will be removed in later releases 01/13/2018
Port uint16
// Protocol is the protocol number
Protocol uint8 `json:"protocol,omitempty"`
// Addresses are the IP addresses. An empty list means 0.0.0.0/0
Addresses map[string]struct{} `json:"addresses,omitempty"`
// FQDNs is the list of FQDNs for the service.
FQDNs []string `json:"fqdns,omitempty"`
}
// ConvertServicesToPortList converts an array of services to a port list
func ConvertServicesToPortList(services []Service) string {
portlist := ""
for _, s := range services {
portlist = portlist + s.Ports.String() + ","
}
if len(portlist) == 0 {
portlist = "0"
} else {
portlist = portlist[:len(portlist)-1]
}
return portlist
}
// ConvertServicesToProtocolPortList converts an array of services to tcp/udp port list
func ConvertServicesToProtocolPortList(services []Service) (string, string) {
tcpPortlist := ""
udpPortlist := ""
for _, s := range services {
if s.Protocol == packet.IPProtocolTCP {
tcpPortlist = tcpPortlist + s.Ports.String() + ","
} else {
udpPortlist = udpPortlist + s.Ports.String() + ","
}
}
if len(tcpPortlist) == 0 {
tcpPortlist = "0"
} else {
tcpPortlist = tcpPortlist[:len(tcpPortlist)-1]
}
if len(udpPortlist) == 0 {
udpPortlist = "0"
} else {
udpPortlist = udpPortlist[:len(udpPortlist)-1]
}
return tcpPortlist, udpPortlist
}
================================================
FILE: controller/config.go
================================================
package controller
import (
"context"
"fmt"
"sync"
"time"
"github.com/blang/semver"
"go.aporeto.io/enforcerd/trireme-lib/collector"
"go.aporeto.io/enforcerd/trireme-lib/common"
"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
enforcerproxy "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/proxy"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
supervisornoop "go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/noop"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packetprocessor"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.uber.org/zap"
)
// config specifies all configurations accepted by trireme to start.
type config struct {
// Required Parameters.
serverID string
// External Interface implementations that we allow to plugin to components.
collector collector.EventCollector
service packetprocessor.PacketProcessor
secret secrets.Secrets
// Configurations for fine tuning internal components.
mode constants.ModeType
fq fqconfig.FilterQueue
isBPFEnabled bool
linuxProcess bool
mutualAuth bool
packetLogs bool
validity time.Duration
procMountPoint string
externalIPcacheTimeout time.Duration
runtimeCfg *runtime.Configuration
runtimeErrorChannel chan *policy.RuntimeError
remoteParameters *env.RemoteParameters
tokenIssuer common.ServiceTokenIssuer
ipv6Enabled bool
agentVersion semver.Version
iptablesLockfile string
}
// Option is provided using functional arguments.
type Option func(*config)
// OptionBPFEnabled is an option
func OptionBPFEnabled(bpfEnabled bool) Option {
return func(cfg *config) {
cfg.isBPFEnabled = bpfEnabled
}
}
// OptionIptablesLockfile is a string option to set the path to the iptables lockfile
func OptionIptablesLockfile(iptablesLockfile string) Option {
return func(cfg *config) {
cfg.iptablesLockfile = iptablesLockfile
}
}
//OptionIPv6Enable is an option to enable ipv6
func OptionIPv6Enable(ipv6Enabled bool) Option {
return func(cfg *config) {
cfg.ipv6Enabled = ipv6Enabled
}
}
// OptionCollector is an option to provide an external collector implementation.
func OptionCollector(c collector.EventCollector) Option {
return func(cfg *config) {
cfg.collector = c
}
}
// OptionDatapathService is an option to provide an external datapath service implementation.
func OptionDatapathService(s packetprocessor.PacketProcessor) Option {
return func(cfg *config) {
cfg.service = s
}
}
// OptionSecret is an option to provide an external datapath service implementation.
func OptionSecret(s secrets.Secrets) Option {
return func(cfg *config) {
cfg.secret = s
}
}
// OptionEnforceLinuxProcess is an option to request support for linux process support.
func OptionEnforceLinuxProcess() Option {
return func(cfg *config) {
cfg.linuxProcess = true
}
}
// OptionEnforceFqConfig is an option to override filter queues.
func OptionEnforceFqConfig(f fqconfig.FilterQueue) Option {
return func(cfg *config) {
cfg.fq = f
}
}
// OptionDisableMutualAuth is an option to disable MutualAuth (enabled by default)
func OptionDisableMutualAuth() Option {
return func(cfg *config) {
cfg.mutualAuth = false
}
}
// OptionRuntimeConfiguration is an option to provide target network configuration.
func OptionRuntimeConfiguration(c *runtime.Configuration) Option {
return func(cfg *config) {
cfg.runtimeCfg = c
}
}
// OptionProcMountPoint is an option to provide proc mount point.
func OptionProcMountPoint(p string) Option {
return func(cfg *config) {
cfg.procMountPoint = p
}
}
// OptionRuntimeErrorChannel configures the error channel for the policy engine.
func OptionRuntimeErrorChannel(errorChannel chan *policy.RuntimeError) Option {
return func(cfg *config) {
cfg.runtimeErrorChannel = errorChannel
}
}
// OptionPacketLogs is an option to enable packet level logging.
func OptionPacketLogs() Option {
return func(cfg *config) {
cfg.packetLogs = true
}
}
// OptionRemoteParameters is an option to set the parameters for the remote
func OptionRemoteParameters(p *env.RemoteParameters) Option {
return func(cfg *config) {
cfg.remoteParameters = p
}
}
// OptionTokenIssuer provides the token issuer.
func OptionTokenIssuer(t common.ServiceTokenIssuer) Option {
return func(cfg *config) {
cfg.tokenIssuer = t
}
}
// OptionAgentVersion is an option to set agent version.
func OptionAgentVersion(v semver.Version) Option {
return func(cfg *config) {
cfg.agentVersion = v
}
}
func (t *trireme) newEnforcers(ctx context.Context) error {
zap.L().Debug("LinuxProcessSupport", zap.Bool("Status", t.config.linuxProcess))
var err error
if t.config.linuxProcess {
t.enforcers[constants.LocalServer], err = enforcer.New(
t.config.mutualAuth,
t.config.fq,
t.config.collector,
t.config.secret,
t.config.serverID,
t.config.validity,
constants.LocalServer,
t.config.procMountPoint,
t.config.externalIPcacheTimeout,
t.config.packetLogs,
t.config.runtimeCfg,
t.config.tokenIssuer,
t.config.isBPFEnabled,
t.config.agentVersion,
policy.None,
)
if err != nil {
return fmt.Errorf("Failed to initialize LocalServer enforcer: %s ", err)
}
err = t.setupEnvoyAuthorizer()
if err != nil {
return fmt.Errorf("Failed to initialize LocalEnvoyAuthorizer enforcer: %s ", err)
}
}
if t.config.mode == constants.RemoteContainer {
enforcerProxy := enforcerproxy.NewProxyEnforcer(
ctx,
t.config.mutualAuth,
t.config.fq,
t.config.collector,
t.config.secret,
t.config.serverID,
t.config.validity,
"enforce",
t.config.procMountPoint,
t.config.externalIPcacheTimeout,
t.config.packetLogs,
t.config.runtimeCfg,
t.config.runtimeErrorChannel,
t.config.remoteParameters,
t.config.tokenIssuer,
t.config.isBPFEnabled,
t.config.ipv6Enabled,
t.config.iptablesLockfile,
rpcwrapper.NewRPCServer(),
)
t.enforcers[constants.RemoteContainer] = enforcerProxy
t.enforcers[constants.RemoteContainerEnvoyAuthorizer] = enforcerProxy
}
zap.L().Debug("TriremeMode", zap.Int("Status", int(t.config.mode)))
return nil
}
func (t *trireme) newSupervisors() error {
noopSup := supervisornoop.NewNoopSupervisor()
if t.config.linuxProcess {
sup, err := supervisor.NewSupervisor(
t.config.collector,
t.enforcers[constants.LocalServer],
constants.LocalServer,
t.config.runtimeCfg,
t.config.ipv6Enabled,
t.config.iptablesLockfile,
)
if err != nil {
return fmt.Errorf("Could Not create process supervisor :: received error %v", err)
}
t.supervisors[constants.LocalServer] = sup
err = t.setupEnvoySupervisor(noopSup)
if err != nil {
return fmt.Errorf("Could Not create envoy supervisor :: received error %v", err)
}
}
if t.config.mode == constants.RemoteContainer {
t.supervisors[constants.RemoteContainer] = noopSup
t.supervisors[constants.RemoteContainerEnvoyAuthorizer] = noopSup
}
return nil
}
// newTrireme returns a reference to the trireme object based on the parameter subelements.
func newTrireme(ctx context.Context, c *config) TriremeController {
var err error
t := &trireme{
config: c,
enforcers: map[constants.ModeType]enforcer.Enforcer{},
supervisors: map[constants.ModeType]supervisor.Supervisor{},
puTypeToEnforcerType: map[common.PUType]constants.ModeType{},
locks: sync.Map{},
enablingTrace: make(chan *traceTrigger, 10),
}
zap.L().Debug("Creating Enforcers")
if err = t.newEnforcers(ctx); err != nil {
zap.L().Error("Unable to create datapath enforcers", zap.Error(err))
return nil
}
zap.L().Debug("Creating Supervisors")
if err = t.newSupervisors(); err != nil {
zap.L().Error("Unable to start datapath supervisor", zap.Error(err))
return nil
}
if c.linuxProcess {
t.puTypeToEnforcerType[common.LinuxProcessPU] = constants.LocalServer
t.puTypeToEnforcerType[common.WindowsProcessPU] = constants.LocalServer
t.puTypeToEnforcerType[common.HostPU] = constants.LocalServer
t.puTypeToEnforcerType[common.HostNetworkPU] = constants.LocalServer
}
if t.config.mode == constants.RemoteContainer {
t.puTypeToEnforcerType[common.ContainerPU] = constants.RemoteContainer
t.puTypeToEnforcerType[common.KubernetesPU] = constants.RemoteContainer
}
return t
}
================================================
FILE: controller/config_nonwindows.go
================================================
// +build !windows
package controller
import (
"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
func (t *trireme) setupEnvoyAuthorizer() error {
var err error
t.enforcers[constants.LocalEnvoyAuthorizer], err = enforcer.New(
t.config.mutualAuth,
t.config.fq,
t.config.collector,
t.config.secret,
t.config.serverID,
t.config.validity,
constants.LocalEnvoyAuthorizer,
t.config.procMountPoint,
t.config.externalIPcacheTimeout,
t.config.packetLogs,
t.config.runtimeCfg,
t.config.tokenIssuer,
t.config.isBPFEnabled,
t.config.agentVersion,
policy.None,
)
return err
}
func (t *trireme) setupEnvoySupervisor(sup supervisor.Supervisor) error {
t.supervisors[constants.LocalEnvoyAuthorizer] = sup
return nil
}
================================================
FILE: controller/config_windows.go
================================================
// +build windows
package controller
import (
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
)
func (t *trireme) setupEnvoyAuthorizer() error {
return nil
}
func (t *trireme) setupEnvoySupervisor(sup supervisor.Supervisor) error {
return nil
}
================================================
FILE: controller/constants/constants.go
================================================
package constants
import (
"path/filepath"
"time"
)
const (
// DefaultProcMountPoint The default proc mountpoint
DefaultProcMountPoint = "/proc"
// DefaultAporetoProcMountPoint The aporeto proc mountpoint just in case we are launched with some specific docker config
DefaultAporetoProcMountPoint = "/aporetoproc"
// DefaultSecretsPath is the default path for the secrets proxy.
DefaultSecretsPath = "@secrets"
// EnforcerdCleanerName is the path of the cleaner script.
EnforcerdCleanerName = "cleaner"
// DefaultEnforcerdCleanerPath is the default path of the cleaner. For now set this to
// /sbin/cleaner. Note that the cleaner path is set via the container master enforcer but
// it is ultimately run in the host and not in the container. Prior to defender integrations
// we used the same path /sbin/cleaner in the host and /sbin/cleaner in the container and it
// worked. Now, with the defender integration we use a tarball to install the enforcer and
// all the binaries, and it may install anywhere on the host, as specified by the defender
// installer. The container does not know where it was installed. Furthermore, we no longer
// install via .deb or .rpm files so there is no system files installed, and cleaner will not
// be found in /sbin/cleaner when installed via the defender bundle installer. So a new
// startup flag is defined now, `--cleaner-path` and environment variable
// `ENFORCED_CLEANER_PATH` that defender can use to tell us where it installed the
// cleaner. With this, the container enforcer can properly set the cleaner path in the
// cgroups v1 release_agent.
//
// TLDR; We now use /enforcerd-tools/cleaner in the container, and it will be installed in
// /path/to/install/ation/dir/enforcerd-tools/cleaner in the host. container enforcer will
// tell cgroup sub-system to use /enforcerd-tools/cleaner but cgroups executes it on the
// host and can't find it here. Ergo, it won't work on a defender install this way.
//
// TODO - fix this so cleaner can be installed by defender and the installation path can be
// discovered by container enforcer
DefaultEnforcerdCleanerPath = "/sbin/cleaner"
// RemoteEnforcerBuildName is the name of the remote enforcer binary we will build and deploy
RemoteEnforcerBuildName = "remoteenforcerd"
// RemoteEnforcerSrcName is the name of the original copy of the remote enforcer binary
RemoteEnforcerSrcName = "remoteenforcer"
)
const (
// DefaultRemoteArg is the default arguments for a remote enforcer
DefaultRemoteArg = "enforce"
)
const (
// EnvMountPoint is an environment variable which will contain the mount point
EnvMountPoint = "TRIREME_ENV_PROC_MOUNTPOINT"
// EnvEnforcerType is an environment variable which will indicate what enforcer type we want to use
EnvEnforcerType = "TRIREME_ENV_ENFORCER_TYPE"
// EnvContextSocket stores the path to the context specific socket
EnvContextSocket = "TRIREME_ENV_SOCKET_PATH"
// EnvStatsChannel stores the path to the stats channel
EnvStatsChannel = "TRIREME_ENV_STATS_CHANNEL_PATH"
// EnvDebugChannel stores the path to the debug channel
EnvDebugChannel = "TRIREME_ENV_DEBUG_CHANNEL_PATH"
// EnvRPCClientSecret is the secret used between RPC client/server
EnvRPCClientSecret = "TRIREME_ENV_SECRET"
// EnvStatsSecret is the secret to be used for the stats channel
EnvStatsSecret = "TRIREME_ENV_STATS_SECRET"
// EnvContainerPID is the PID of the container
EnvContainerPID = "TRIREME_ENV_CONTAINER_PID"
// EnvNSPath is the path of the network namespace
EnvNSPath = "TRIREME_ENV_NS_PATH"
// EnvNsenterErrorState stores the error state as reported by remote enforcer
EnvNsenterErrorState = "TRIREME_ENV_NSENTER_ERROR_STATE"
// EnvNsenterLogs stores the logs as reported by remote enforcer
EnvNsenterLogs = "TRIREME_ENV_NSENTER_LOGS"
// EnvLogLevel store the log level to be used.
EnvLogLevel = "TRIREME_ENV_LOG_LEVEL"
// EnvLogFormat store the log format to be used.
EnvLogFormat = "TRIREME_ENV_LOG_FORMAT"
// EnvLogID store the context Id for the log file to be used.
EnvLogID = "TRIREME_ENV_LOG_ID"
// EnvCompressedTags stores whether we should be using compressed tags.
EnvCompressedTags = "TRIREME_ENV_COMPRESSED_TAGS"
// EnvEnforcerdToolsDir is the path to the /enforcerd-tools directory so remote enforcerd can find tools.
EnvEnforcerdToolsDir = "TRIREME_ENV_ENFORCERD_TOOLS_DIR"
// EnvEnforcerdNFQueues exports the number of nfqueues to remote enforcer
EnvEnforcerdNFQueues = "TRIREME_ENV_NUM_NFQUEUES"
)
// ModeType defines the mode of the enforcement and supervisor.
type ModeType int
const (
// RemoteContainer indicates that the Supervisor is implemented in the
// container namespace
RemoteContainer ModeType = iota
// LocalServer indicates that the Supervisor applies to Linux processes
LocalServer
// LocalEnvoyAuthorizer indicates to use a local envoyproxy as enforcer/authorizer
LocalEnvoyAuthorizer
// RemoteContainerEnvoyAuthorizer indicates to use the envoyproxy enforcer/authorizer for containers
RemoteContainerEnvoyAuthorizer
)
// LogLevel corresponds to log level of any logger. eg: zap.
type LogLevel string
// LogOptions
const (
// OptionLogLevel represents the log-level
OptionLogLevel = "log-level"
// OptionLogFormat represents the log-format
OptionLogFormat = "log-format"
// OptionLogFilePath represents the log location path
OptionLogFilePath = "log-file-path"
)
// Various log levels.
const (
Info LogLevel = "Info"
Debug LogLevel = "Debug"
Trace LogLevel = "Trace"
Error LogLevel = "Error"
Warn LogLevel = "Warn"
)
// API service related constants
const (
CallbackURIExtension = "/aporeto/oidc/callback"
)
// Protocol constants
const (
TCPProtoNum = "6"
UDPProtoNum = "17"
TCPProtoString = "TCP"
UDPProtoString = "UDP"
AllProtoString = "ALL"
)
//MaxICMPCodes constant puts the maximum number of codes that can be put in a single string
const MaxICMPCodes = 25
// Channel variables
var (
StatsChannel string
DebugChannel string
)
// PortNumberLabelString is the label to use for port numbers
const (
PortNumberLabelString = "@sys:port"
)
// ControllerLabelString is the label to use for control planes
const (
ControllerLabelString = "$controller"
)
// Token and cache default validities. These have performance implications.
// The faster the datapath issues new tokens it affects performance. However,
// making it too slow can potentially allow reuse of the tokens. The
// token issuance rate must be always faster than the expiration rate.
const (
// SynTokenRefreshTime determines how often the data path creates new tokens.
SynTokenRefreshTime = 5 * time.Minute
// SynTokenValidity determines how long after the tokens are considered valid.
SynTokenValidity = 10 * time.Minute
)
// SocketsPath is used to find the socket file corresponding to the container
var SocketsPath string
// RemoteEnforcerPath sets the path of the remote enforcer
var RemoteEnforcerPath string
// ConfigureRemoteEnforcerPath updates the remote enforcer path
func ConfigureRemoteEnforcerPath(path string) {
RemoteEnforcerPath = filepath.Join(path, RemoteEnforcerBuildName)
}
// ConfigureSocketsPath updates the sockets path
func ConfigureSocketsPath(sockPath string) {
SocketsPath = sockPath
StatsChannel = filepath.Join(sockPath, "statschannel.sock")
DebugChannel = filepath.Join(sockPath, "debugchannel.sock")
}
// Mark used by the proxies/ping to bypass trap rules.
const (
ProxyMarkInt = 0x40
ProxyMark = "0x40"
)
const (
// ChainPrefix represents trireme chain prefix.
ChainPrefix = "TRI-"
)
================================================
FILE: controller/constants/constants_nonrhel6.go
================================================
// +build !rhel6
package constants
// IpsetBinaryName is the ipset binary name
const IpsetBinaryName = "aporeto-ipset"
================================================
FILE: controller/constants/constants_rhel6.go
================================================
// +build rhel6
package constants
// IpsetBinaryName is the (system) ipset binary name on RHEL6
const IpsetBinaryName = "ipset"
================================================
FILE: controller/constants/constants_test.go
================================================
package constants
import (
"path/filepath"
"testing"
)
func TestConfigureRemoteEnforcerPath(t *testing.T) {
arg := "foo"
want := filepath.Join("foo", "remoteenforcerd")
t.Run("Test with one path", func(t *testing.T) {
ConfigureRemoteEnforcerPath(arg)
got := RemoteEnforcerPath
if got != want {
t.Errorf("RemoteEnforcerPath was wrong, got: %s, want: %s.", got, want)
}
})
}
func TestConfigureSocketsPath(t *testing.T) {
path := "the/path"
want1 := filepath.Join(path, "statschannel.sock")
want2 := filepath.Join(path, "debugchannel.sock")
t.Run("Test with one path", func(t *testing.T) {
ConfigureSocketsPath(path)
got := SocketsPath
got1 := filepath.Join(path, want1)
got2 := filepath.Join(path, want2)
if got != path {
t.Errorf("ConfigureSocketsPath was wrong, got: %s, want: %s.", got, path)
}
if got != path {
t.Errorf("ConfigureSocketsPath was wrong, got: %s, want: %s.", got1, want1)
}
if got != path {
t.Errorf("ConfigureSocketsPath was wrong, got: %s, want: %s.", got2, want2)
}
})
}
================================================
FILE: controller/controller.go
================================================
package controller
import (
"context"
"fmt"
"os/exec"
"sync"
"time"
"go.aporeto.io/enforcerd/trireme-lib/collector"
"go.aporeto.io/enforcerd/trireme-lib/common"
"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/dmesgparser"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.uber.org/zap"
)
type traceTrigger struct {
duration time.Duration
expiry time.Time
}
// trireme contains references to all the different components of the controller.
// Depending on the configuration we might have multiple supervisor and enforcer types.
// The initialization process must provide the mode that Trireme will run in.
type trireme struct {
config *config
supervisors map[constants.ModeType]supervisor.Supervisor
enforcers map[constants.ModeType]enforcer.Enforcer
puTypeToEnforcerType map[common.PUType]constants.ModeType
enablingTrace chan *traceTrigger
locks sync.Map
}
// New returns a trireme interface implementation based on configuration provided.
func New(ctx context.Context, serverID string, mode constants.ModeType, opts ...Option) TriremeController {
c := &config{
serverID: serverID,
collector: collector.NewDefaultCollector(),
mode: mode,
mutualAuth: true,
validity: constants.SynTokenValidity,
procMountPoint: constants.DefaultProcMountPoint,
externalIPcacheTimeout: -1,
remoteParameters: &env.RemoteParameters{
LogFormat: "console",
LogWithID: false,
CompressedTags: claimsheader.CompressionTypeV1,
},
}
for _, opt := range opts {
opt(c)
}
zap.L().Debug("Trireme configuration", zap.String("configuration", fmt.Sprintf("%+v", c)))
return newTrireme(ctx, c)
}
// Run starts the supervisor and the enforcer and go routines. It doesn't try to clean
// up if something went wrong. It will be up to the caller to decide what to do.
func (t *trireme) Run(ctx context.Context) error {
// Start all the supervisors.
for _, s := range t.supervisors {
if err := s.Run(ctx); err != nil {
zap.L().Error("Error when starting the supervisor", zap.Error(err))
return fmt.Errorf("Error while starting supervisor %v", err)
}
}
// Start all the enforcers.
for _, e := range t.enforcers {
if err := e.Run(ctx); err != nil {
return fmt.Errorf("unable to start the enforcer: %s", err)
}
}
go t.runIPTraceCollector(ctx)
return nil
}
// CleanUp cleans all the acls and all the remote supervisors
func (t *trireme) CleanUp() error {
for _, s := range t.supervisors {
s.CleanUp() // nolint
}
for _, e := range t.enforcers {
e.CleanUp() // nolint
}
return nil
}
// Enforce asks the controller to enforce policy to a processing unit
func (t *trireme) Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer lock.(*sync.Mutex).Unlock()
return t.doHandleCreate(ctx, puID, policy, runtime)
}
// Enforce asks the controller to enforce policy to a processing unit
func (t *trireme) UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer func() {
t.locks.Delete(puID)
lock.(*sync.Mutex).Unlock()
}()
return t.doHandleDelete(ctx, puID, policy, runtime)
}
// UpdatePolicy updates a policy for an already activated PU. The PU is identified by the contextID
func (t *trireme) UpdatePolicy(ctx context.Context, puID string, plc *policy.PUPolicy, runtime *policy.PURuntime) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer lock.(*sync.Mutex).Unlock()
return t.doUpdatePolicy(ctx, puID, plc, runtime)
}
func (t *trireme) EnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer lock.(*sync.Mutex).Unlock()
return t.doHandleEnableDatapathPacketTracing(ctx, puID, policy, runtime, direction, interval)
}
func (t *trireme) EnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer lock.(*sync.Mutex).Unlock()
return t.doHandleEnableIPTablesPacketTracing(ctx, puID, policy, runtime, interval)
}
// Ping runs ping based on the given config.
func (t *trireme) Ping(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, pingConfig *policy.PingConfig) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer lock.(*sync.Mutex).Unlock()
return t.enforcers[t.modeTypeFromPolicy(policy, runtime)].Ping(ctx, puID, pingConfig)
}
func (t *trireme) DebugCollect(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, debugConfig *policy.DebugConfig) error {
lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
lock.(*sync.Mutex).Lock()
defer lock.(*sync.Mutex).Unlock()
return t.enforcers[t.modeTypeFromPolicy(policy, runtime)].DebugCollect(ctx, puID, debugConfig)
}
// UpdateSecrets updates the secrets of the controllers.
func (t *trireme) UpdateSecrets(secrets secrets.Secrets) error {
for _, enforcer := range t.enforcers {
if err := enforcer.UpdateSecrets(secrets); err != nil {
zap.L().Error("unable to update secrets", zap.Error(err))
}
}
return nil
}
// UpdateConfiguration updates the configuration of the controller. Only
// a limited number of parameters can be updated at run time.
func (t *trireme) UpdateConfiguration(cfg *runtime.Configuration) error {
failure := false
for _, s := range t.supervisors {
err := s.SetTargetNetworks(cfg)
if err != nil {
zap.L().Error("Failed to update target networks in supervisor", zap.Error(err))
failure = true
}
}
for _, e := range t.enforcers {
if cfg.LogLevel != "" {
if err := e.SetLogLevel(cfg.LogLevel); err != nil {
zap.L().Error("unable to set log level", zap.Error(err))
}
}
err := e.SetTargetNetworks(cfg)
if err != nil {
zap.L().Error("Failed to update target networks in controller", zap.Error(err))
failure = true
}
}
if failure {
return fmt.Errorf("configuration update failed")
}
return nil
}
// doHandleCreate is the detailed implementation of the create event.
func (t *trireme) doHandleCreate(ctx context.Context, contextID string, policyInfo *policy.PUPolicy, runtimeInfo *policy.PURuntime) error {
containerInfo := policy.PUInfoFromPolicyAndRuntime(contextID, policyInfo, runtimeInfo)
logEvent := &collector.ContainerRecord{
ContextID: contextID,
IPAddress: policyInfo.IPAddresses(),
Tags: policyInfo.Annotations(),
Event: collector.ContainerStart,
}
defer func() {
t.config.collector.CollectContainerEvent(logEvent)
}()
addTransmitterLabel(contextID, containerInfo)
if !mustEnforce(contextID, containerInfo) {
logEvent.Event = collector.ContainerIgnored
return nil
}
modeType := t.modeTypeFromPolicy(containerInfo.Policy, containerInfo.Runtime)
if err := t.enforcers[modeType].Enforce(ctx, contextID, containerInfo); err != nil {
logEvent.Event = collector.ContainerFailed
return fmt.Errorf("unable to setup enforcer: %s", err)
}
if err := t.supervisors[modeType].Supervise(contextID, containerInfo); err != nil {
if werr := t.enforcers[modeType].Unenforce(ctx, contextID); werr != nil {
zap.L().Warn("Failed to clean up state after failures",
zap.String("contextID", contextID),
zap.Error(werr),
)
}
logEvent.Event = collector.ContainerFailed
return fmt.Errorf("unable to setup supervisor: %s", err)
}
return nil
}
// doHandleDelete is the detailed implementation of the delete event.
func (t *trireme) doHandleDelete(ctx context.Context, contextID string, policyInfo *policy.PUPolicy, runtime *policy.PURuntime) error {
modeType := t.modeTypeFromPolicy(policyInfo, runtime)
errS := t.supervisors[modeType].Unsupervise(contextID)
errE := t.enforcers[modeType].Unenforce(ctx, contextID)
t.config.collector.CollectContainerEvent(&collector.ContainerRecord{
ContextID: contextID,
IPAddress: runtime.IPAddresses(),
Tags: nil,
Event: collector.ContainerDelete,
})
if errS != nil || errE != nil {
return fmt.Errorf("unable to delete context id %s, supervisor %s, enforcer %s", contextID, errS, errE)
}
return nil
}
// doUpdatePolicy is the detailed implementation of the update policy event.
func (t *trireme) doUpdatePolicy(ctx context.Context, contextID string, newPolicy *policy.PUPolicy, runtime *policy.PURuntime) error {
containerInfo := policy.PUInfoFromPolicyAndRuntime(contextID, newPolicy, runtime)
addTransmitterLabel(contextID, containerInfo)
if !mustEnforce(contextID, containerInfo) {
return nil
}
modeType := t.modeTypeFromPolicy(containerInfo.Policy, containerInfo.Runtime)
if err := t.enforcers[modeType].Enforce(ctx, contextID, containerInfo); err != nil {
//We lost communication with the remote and killed it lets restart it here by feeding a create event in the request channel
if werr := t.supervisors[modeType].Unsupervise(contextID); werr != nil {
zap.L().Warn("Failed to clean up after enforcerments failures",
zap.String("contextID", contextID),
zap.Error(werr),
)
}
return fmt.Errorf("unable to update policy for pu %s: %s", contextID, err)
}
if err := t.supervisors[modeType].Supervise(contextID, containerInfo); err != nil {
if werr := t.enforcers[modeType].Unenforce(ctx, contextID); werr != nil {
zap.L().Warn("Failed to clean up after enforcerments failures",
zap.String("contextID", contextID),
zap.Error(werr),
)
}
return fmt.Errorf("supervisor failed to update policy for pu %s: %s", contextID, err)
}
t.config.collector.CollectContainerEvent(&collector.ContainerRecord{
ContextID: contextID,
IPAddress: runtime.IPAddresses(),
Tags: containerInfo.Runtime.Tags(),
Event: collector.ContainerUpdate,
})
return nil
}
//Debug Handlers
func (t *trireme) doHandleEnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error {
return t.enforcers[t.modeTypeFromPolicy(policy, runtime)].EnableDatapathPacketTracing(ctx, puID, direction, interval)
}
func (t *trireme) doHandleEnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error {
modeType := t.modeTypeFromPolicy(policy, runtime)
sysctlCmd, err := exec.LookPath("sysctl")
if err != nil {
return fmt.Errorf("sysctl command not found")
}
cmd := exec.Command(sysctlCmd, "-w", "net.netfilter.nf_log_all_netns=1")
if err := cmd.Run(); err != nil {
return fmt.Errorf("remote container iptables tracing will not work %s", err)
}
t.enablingTrace <- &traceTrigger{
duration: interval,
expiry: time.Now().Add(interval),
}
if err := t.supervisors[modeType].EnableIPTablesPacketTracing(ctx, puID, interval); err != nil {
return err
}
return t.enforcers[modeType].EnableIPTablesPacketTracing(ctx, puID, interval)
}
func (t *trireme) runIPTraceCollector(ctx context.Context) {
//Run dmesg once to establish baseline
expiry := time.Now()
hdl := dmesgparser.New()
for {
select {
case <-ctx.Done():
return
case traceparams := <-t.enablingTrace:
if !traceparams.expiry.After(expiry) {
//if we already have a request expiring later drop this
continue
}
expiry = traceparams.expiry
case <-time.After(1 * time.Second):
if !time.Now().After(expiry) {
messages, err := hdl.RunDmesgCommand()
if err != nil {
zap.L().Warn("Unable to run dmesg", zap.Error(err))
continue
}
t.config.collector.CollectTraceEvent(messages)
}
}
}
}
func (t *trireme) modeTypeFromPolicy(policyInfo *policy.PUPolicy, runtime *policy.PURuntime) constants.ModeType {
if policyInfo == nil {
// there are edge cases when policyInfo really can be nil - and it is fine
// let's just fall back to the normal enforcertype mapping if this is the case
//
// Here is an example: when a PU Create event failed, but the PU gets destroyed afterwards, there is a stop
// event generated which will call UnEnforce. However, in this case there is no guarantee that PUPolicy has
// actually ever been set.
zap.L().Debug("modeTypeFromPolicy received no PU policy", zap.String("name", runtime.Name()))
return t.puTypeToEnforcerType[runtime.PUType()]
}
switch policyInfo.EnforcerType() {
case policy.EnforcerMapping:
return t.puTypeToEnforcerType[runtime.PUType()]
case policy.EnvoyAuthorizerEnforcer:
switch runtime.PUType() {
case common.KubernetesPU:
fallthrough
case common.ContainerPU:
return constants.RemoteContainerEnvoyAuthorizer
case common.HostPU:
fallthrough
case common.HostNetworkPU:
fallthrough
case common.LinuxProcessPU, common.WindowsProcessPU:
return constants.LocalEnvoyAuthorizer
default:
return t.puTypeToEnforcerType[runtime.PUType()]
}
default:
return t.puTypeToEnforcerType[runtime.PUType()]
}
}
================================================
FILE: controller/helpers.go
================================================
package controller
import (
"context"
"github.com/blang/semver"
enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.uber.org/zap"
)
// LaunchRemoteEnforcer launches a remote enforcer instance.
func LaunchRemoteEnforcer(ctx context.Context, logLevel string, logFormat string, logID string, numQueues int, agentVersion semver.Version) error {
return remoteenforcer.LaunchRemoteEnforcer(ctx, logLevel, logFormat, logID, numQueues, agentVersion)
}
// addTransmitterLabel adds the enforcerconstants.TransmitterLabel as a fixed label in the policy.
// The ManagementID part of the policy is used as the enforcerconstants.TransmitterLabel.
// If the Policy didn't set the ManagementID, we use the Local contextID as the
// default enforcerconstants.TransmitterLabel.
func addTransmitterLabel(contextID string, containerInfo *policy.PUInfo) {
if containerInfo.Policy.ManagementID() == "" {
containerInfo.Policy.AddIdentityTag(enforcerconstants.TransmitterLabel, contextID)
} else {
containerInfo.Policy.AddIdentityTag(enforcerconstants.TransmitterLabel, containerInfo.Policy.ManagementID())
}
}
// MustEnforce returns true if the Policy should go Through the Enforcer/internal/supervisor.
// Return false if:
// - PU is in host namespace.
// - Policy got the AllowAll tag.
func mustEnforce(contextID string, containerInfo *policy.PUInfo) bool {
if containerInfo.Policy.TriremeAction() == policy.AllowAll {
zap.L().Debug("PUPolicy with AllowAll Action. Not policing", zap.String("contextID", contextID))
return false
}
return true
}
================================================
FILE: controller/interfaces.go
================================================
package controller
import (
"context"
"time"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
// TriremeController is the main API of the Trireme controller
type TriremeController interface {
// Run initializes and runs the controller.
Run(ctx context.Context) error
// CleanUp cleans all the supervisors and ACLs for a clean exit
CleanUp() error
// Enforce asks the controller to enforce policy on a processing unit
Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)
// UnEnforce asks the controller to ub-enforce policy on a processing unit
UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)
// UpdatePolicy updates the policy of the isolator for a container.
UpdatePolicy(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error
// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
UpdateSecrets(secrets secrets.Secrets) error
// UpdateConfiguration updates the configuration of the controller. Only specific configuration
// parameters can be updated during run time.
UpdateConfiguration(cfg *runtime.Configuration) error
DebugInfo
}
// DebugInfo is the interface implemented by controllers to support configuring debug options
type DebugInfo interface {
// EnableReceivedPacketTracing will enable tracing of packets received by the datapath for a particular PU. Setting Disabled as tracing direction will stop tracing for the contextID
EnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error
// EnablePacketTracing enable iptables -j trace for the particular pu and is much wider packet stream.
EnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error
// Ping runs ping based on the given config.
Ping(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, pingConfig *policy.PingConfig) error
// DebugCollect collects debug information, such as packet capture
DebugCollect(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, debugConfig *policy.DebugConfig) error
}
================================================
FILE: controller/internal/enforcer/acls/acl.go
================================================
package acls
import (
"errors"
"fmt"
"net"
"reflect"
"strings"
"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.aporeto.io/enforcerd/trireme-lib/utils/ipprefix"
"go.aporeto.io/gaia/protocols"
)
// acl holds all the ACLS in an internal DB
type acl struct {
tcpCache ipprefix.IPcache
udpCache ipprefix.IPcache
icmpCache ipprefix.IPcache
}
func newACL() *acl {
return &acl{
tcpCache: ipprefix.NewIPCache(),
udpCache: ipprefix.NewIPCache(),
icmpCache: ipprefix.NewIPCache(),
}
}
// errNoMatchFromRule must stop the LPM check
var errNoMatchFromRule = errors.New("No Match")
var errNotFound = errors.New("No Match")
func (a *acl) addICMPToCache(ip net.IP, mask int, baseRule string, listOfDisjunctives []string, policy *policy.FlowPolicy) {
var icmpRuleList []*icmpRule
val, exists := a.icmpCache.Get(ip, mask)
if !exists {
icmpRuleList = []*icmpRule{}
} else {
icmpRuleList = val.([]*icmpRule)
}
newRule := &icmpRule{baseRule, listOfDisjunctives, policy}
icmpRuleList = append(icmpRuleList, newRule)
a.icmpCache.Put(ip, mask, icmpRuleList)
}
func (a *acl) removeICMPFromCache(ip net.IP, mask int, baseRule string, listOfDisjunctives []string, policy *policy.FlowPolicy) error {
var icmpRuleList []*icmpRule
val, exists := a.icmpCache.Get(ip, mask)
if !exists {
// nothing to remove
return nil
}
icmpRuleList = val.([]*icmpRule)
searchRule := icmpRule{baseRule, listOfDisjunctives, policy}
newIcmpRuleList := make([]*icmpRule, 0, len(icmpRuleList))
for _, rule := range icmpRuleList {
if reflect.DeepEqual(searchRule, *rule) {
// this is a full match, skip
continue
}
// TODO: partial matches aren't handled. Should they?
newIcmpRuleList = append(newIcmpRuleList, rule)
}
a.icmpCache.Put(ip, mask, newIcmpRuleList)
return nil
}
func (a *acl) removeFromCache(ip net.IP, mask int, nomatch bool, proto string, ports []string, policy *policy.FlowPolicy) error {
removeICMPCache := func(baseRule string, listOfDisjunctives []string) error {
return a.removeICMPFromCache(ip, mask, baseRule, listOfDisjunctives, policy)
}
// the TCP or UDP cases use this part
removeCache := func(lookupCache ipprefix.IPcache, port string) error {
val, exists := lookupCache.Get(ip, mask)
if !exists {
// nothing to remove
return nil
}
portList := val.(portActionList)
newPortList := make(portActionList, 0, len(portList))
r, err := newPortAction(port, policy, nomatch)
if err != nil {
return fmt.Errorf("unable to create port action: %s", err)
}
for _, portAction := range portList {
if reflect.DeepEqual(*r, *portAction) {
// this is a full match, skip
continue
}
// TODO: partial matches aren't handled. Should they?
newPortList = append(newPortList, portAction)
}
lookupCache.Put(ip, mask, newPortList)
return nil
}
switch strings.ToLower(proto) {
case constants.TCPProtoNum:
for _, port := range ports {
if err := removeCache(a.tcpCache, port); err != nil {
return err
}
}
return nil
case constants.UDPProtoNum:
for _, port := range ports {
if err := removeCache(a.udpCache, port); err != nil {
return err
}
}
return nil
default:
// ICMP protocol
if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
return removeICMPCache(proto, ports)
}
// unknown protocol - nothing to do
return nil
}
}
func (a *acl) addToCache(ip net.IP, mask int, port string, proto string, policy *policy.FlowPolicy, nomatch bool) error {
var err error
var portList portActionList
var lookupCache ipprefix.IPcache
switch strings.ToLower(proto) {
case constants.TCPProtoNum:
{
lookupCache = a.tcpCache
}
case constants.UDPProtoNum:
{
lookupCache = a.udpCache
}
default:
return nil
}
r, err := newPortAction(port, policy, nomatch)
if err != nil {
return fmt.Errorf("unable to create port action: %s", err)
}
val, exists := lookupCache.Get(ip, mask)
if !exists {
portList = portActionList{}
} else {
portList = val.(portActionList)
}
/* check if this is duplicate entry */
for _, portAction := range portList {
if *r == *portAction {
return nil
}
}
portList = append(portList, r)
lookupCache.Put(ip, mask, portList)
return nil
}
func (a *acl) removeIPMask(ip net.IP, mask int) {
a.tcpCache.Put(ip, mask, nil)
a.udpCache.Put(ip, mask, nil)
a.icmpCache.Put(ip, mask, nil)
}
func (a *acl) matchRule(ip net.IP, port uint16, proto uint8, preReport *policy.FlowPolicy) (report *policy.FlowPolicy, packetPolicy *policy.FlowPolicy, err error) {
report = preReport
err = errNotFound
lookup := func(val interface{}) bool {
if val != nil {
portList := val.(portActionList)
report, packetPolicy, err = portList.lookup(port, report)
if err == nil || err == errNoMatchFromRule {
return true
}
}
return false
}
if proto == packet.IPProtocolTCP {
a.tcpCache.RunFuncOnLpmIP(ip, lookup)
} else if proto == packet.IPProtocolUDP {
a.udpCache.RunFuncOnLpmIP(ip, lookup)
}
return report, packetPolicy, err
}
func (a *acl) addRule(rule policy.IPRule) (err error) {
addCache := func(address, port, proto string) error {
addr, err := ParseAddress(address)
if err != nil {
return err
}
if err := a.addToCache(addr.IP, addr.Mask, port, proto, rule.Policy, addr.NoMatch); err != nil {
return err
}
return nil
}
addICMPCache := func(address, baseRule string, listOfDisjunctives []string) error {
addr, err := ParseAddress(address)
if err != nil {
return err
}
a.addICMPToCache(addr.IP, addr.Mask, baseRule, listOfDisjunctives, rule.Policy)
return nil
}
for _, proto := range rule.Protocols {
switch strings.ToLower(proto) {
case constants.TCPProtoNum, constants.UDPProtoNum:
for _, address := range rule.Addresses {
for _, port := range rule.Ports {
if err := addCache(address, port, proto); err != nil {
return err
}
}
}
}
if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
for _, address := range rule.Addresses {
if err := addICMPCache(address, proto, rule.Ports); err != nil {
return err
}
}
}
}
return nil
}
// getMatchingAction does lookup in acl in a common way for accept/reject rules.
func (a *acl) getMatchingAction(ip net.IP, port uint16, proto uint8, preReport *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {
return a.matchRule(ip, port, proto, preReport)
}
================================================
FILE: controller/internal/enforcer/acls/acl_test.go
================================================
package acls
import (
"net"
"testing"
. "github.com/smartystreets/goconvey/convey"
"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
var (
rules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"400:500"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp172/8"},
},
policy.IPRule{
Addresses: []string{"172.17.0.0/16"},
Ports: []string{"400:500"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp172.17/16"},
},
policy.IPRule{
Addresses: []string{"192.168.100.0/24"},
Protocols: []string{constants.TCPProtoNum},
Ports: []string{"80"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp192.168.100/24"},
},
policy.IPRule{
Addresses: []string{"10.1.1.1"},
Protocols: []string{constants.TCPProtoNum},
Ports: []string{"80"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp10.1.1.1"}},
policy.IPRule{
Addresses: []string{"0.0.0.0/0"},
Protocols: []string{constants.TCPProtoNum},
Ports: []string{"443"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp0/0"}},
policy.IPRule{
Addresses: []string{"0.0.0.0/0"},
Protocols: []string{constants.UDPProtoNum},
Ports: []string{"443"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "udp0/0"}},
}
)
func TestLookup(t *testing.T) {
Convey("Given a good DB", t, func() {
a := newACL()
So(a, ShouldNotBeNil)
for _, r := range rules {
err := a.addRule(r)
So(err, ShouldBeNil)
}
Convey("When I lookup for a matching address and a port range, I should get the right action", func() {
ip := net.ParseIP("172.17.0.1")
port := uint16(401)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp172.17/16")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "tcp172.17/16")
})
Convey("When I lookup for a matching address with less specific match and a port range, I should get the right action", func() {
ip := net.ParseIP("172.16.0.1")
port := uint16(401)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp172/8")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "tcp172/8")
})
Convey("When I lookup for a matching address exact port, I should get the right action", func() {
ip := net.ParseIP("192.168.100.1")
port := uint16(80)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp192.168.100/24")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "tcp192.168.100/24")
})
Convey("When I lookup for a non matching address . I should get reject", func() {
ip := net.ParseIP("192.168.200.1")
port := uint16(80)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldNotBeNil)
So(p, ShouldBeNil)
So(r, ShouldBeNil)
})
Convey("When I lookup for a matching address but failed port, I should get reject", func() {
ip := net.ParseIP("192.168.100.1")
port := uint16(600)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldNotBeNil)
So(p, ShouldBeNil)
So(r, ShouldBeNil)
})
Convey("When I lookup for a matching exact address exact port, I should get the right action", func() {
ip := net.ParseIP("10.1.1.1")
port := uint16(80)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp10.1.1.1")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "tcp10.1.1.1")
})
})
}
func TestICMPMatch(t *testing.T) {
var icmpRules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"0.0.0.0/0"},
Protocols: []string{"ICMP/8/1:3"},
Ports: []string{},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "icmp0/0-8/1:3",
},
},
policy.IPRule{
Addresses: []string{"684D:1111:222:3333:4444:5555:6:77"},
Protocols: []string{"ICMP6"},
Ports: []string{},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "icmp6",
},
},
policy.IPRule{
Addresses: []string{"192.0.2.1"},
Protocols: []string{"icmp"},
Ports: []string{},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "removeme",
},
},
}
Convey("Given a good DB", t, func() {
a := newACL()
So(a, ShouldNotBeNil)
for _, r := range icmpRules {
err := a.addRule(r)
So(err, ShouldBeNil)
}
Convey("When I lookup for a matching address for icmp but wrong type or code, I should get the right action", func() {
ip := net.ParseIP("172.17.0.1")
r, p, err := a.matchICMPRule(ip.To4(), 8, 2)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "icmp0/0-8/1:3")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "icmp0/0-8/1:3")
})
Convey("When I lookup for a matching address for icmp, I should not get a match", func() {
ip := net.ParseIP("172.17.0.1")
r, p, err := a.matchICMPRule(ip.To4(), 8, 4)
So(err, ShouldNotBeNil)
So(p, ShouldBeNil)
So(r, ShouldBeNil)
})
Convey("When I lookup for a matching address for icmp6, I should get the right action", func() {
ip := net.ParseIP("684D:1111:222:3333:4444:5555:6:77")
r, p, err := a.matchICMPRule(ip, 8, 1)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "icmp6")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "icmp6")
})
Convey("When I lookup for a non-matching address for icmp6, I should not get a match", func() {
ip := net.ParseIP("684D:1111:222:3333:4444:5555:6:77")
r, p, err := a.matchICMPRule(ip, 8, 1)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "icmp6")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "icmp6")
})
})
}
func TestICMPRemove(t *testing.T) {
var icmpRules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"192.0.2.1"},
Protocols: []string{"icmp"},
Ports: []string{},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "removeme",
},
},
}
removeMePolicy := &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "removeme",
}
Convey("Given a good DB", t, func() {
a := newACL()
So(a, ShouldNotBeNil)
for _, r := range icmpRules {
err := a.addRule(r)
So(err, ShouldBeNil)
}
Convey("When I try to remove a rule which does not exist, then it should not error", func() {
ip := net.ParseIP("192.0.2.2")
err := a.removeFromCache(ip, 32, false, "icmp", nil, removeMePolicy)
So(err, ShouldBeNil)
})
Convey("When I try to remove a rule which does not match, then nothing should change", func() {
ip := net.ParseIP("192.0.2.1")
oldVal, ok := a.icmpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
old := oldVal.([]*icmpRule)
So(old, ShouldNotBeEmpty)
err := a.removeFromCache(ip, 32, false, "icmp", nil, removeMePolicy)
So(err, ShouldBeNil)
newVal, ok := a.icmpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
new := newVal.([]*icmpRule)
So(new, ShouldNotBeEmpty)
So(old, ShouldResemble, new)
})
Convey("When I try to remove a rule which matches, then it should get removed", func() {
ip := net.ParseIP("192.0.2.1")
oldVal, ok := a.icmpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
old := oldVal.([]*icmpRule)
So(old, ShouldNotBeEmpty)
err := a.removeFromCache(ip, 32, false, "icmp", []string{}, removeMePolicy)
So(err, ShouldBeNil)
newVal, ok := a.icmpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
new := newVal.([]*icmpRule)
So(new, ShouldBeEmpty)
})
})
}
func TestRemove(t *testing.T) {
// keep one policy here for a direct pointer comparison
policyOne := &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "1",
}
removeRules := policy.IPRuleList{
policy.IPRule{
Addresses: []string{"192.0.2.1"},
Ports: []string{"80"},
Protocols: []string{constants.TCPProtoNum},
Policy: policyOne,
},
policy.IPRule{
Addresses: []string{"192.0.2.1"},
Ports: []string{"80"},
Protocols: []string{constants.UDPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "2",
},
},
}
// and one here for a content comparison
policyTwo := &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "2",
}
Convey("Given a good DB", t, func() {
a := newACL()
So(a, ShouldNotBeNil)
for _, r := range removeRules {
err := a.addRule(r)
So(err, ShouldBeNil)
}
Convey("When I try to remove a rule with an unsupported protocol, then it should not error", func() {
ip := net.ParseIP("192.0.2.1")
err := a.removeFromCache(ip, 32, false, "unsupported", nil, nil)
So(err, ShouldBeNil)
})
Convey("When I try to remove a TCP rule which does not exist, then it should not error", func() {
ip := net.ParseIP("192.0.2.2")
err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"42"}, nil)
So(err, ShouldBeNil)
})
Convey("When I try to remove a TCP rule which cannot be parsed correctly, then it should error", func() {
ip := net.ParseIP("192.0.2.1")
err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"invalid port"}, nil)
So(err, ShouldNotBeNil)
})
Convey("When I try to remove a UDP rule which does not exist, then it should not error", func() {
ip := net.ParseIP("192.0.2.2")
err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"43"}, nil)
So(err, ShouldBeNil)
})
Convey("When I try to remove a UDP rule which cannot be parsed correctly, then it should error", func() {
ip := net.ParseIP("192.0.2.1")
err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"another invalid port"}, nil)
So(err, ShouldNotBeNil)
})
Convey("When I try to remove a TCP rule which does not match, then nothing should change", func() {
ip := net.ParseIP("192.0.2.1")
oldVal, ok := a.tcpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
old := oldVal.(portActionList)
So(old, ShouldNotBeEmpty)
err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"44"}, policyOne)
So(err, ShouldBeNil)
newVal, ok := a.tcpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
new := newVal.(portActionList)
So(new, ShouldNotBeEmpty)
So(old, ShouldResemble, new)
})
Convey("When I try to remove a TCP rule which matches, then it should get removed", func() {
ip := net.ParseIP("192.0.2.1")
oldVal, ok := a.tcpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
old := oldVal.(portActionList)
So(old, ShouldNotBeEmpty)
oldLength := len(old)
err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"80"}, policyOne)
So(err, ShouldBeNil)
newVal, ok := a.tcpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
new := newVal.(portActionList)
So(new, ShouldHaveLength, oldLength-1)
})
Convey("When I try to remove a UDP rule which does not match, then nothing should change", func() {
ip := net.ParseIP("192.0.2.1")
oldVal, ok := a.udpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
old := oldVal.(portActionList)
So(old, ShouldNotBeEmpty)
err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"45"}, policyTwo)
So(err, ShouldBeNil)
newVal, ok := a.udpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
new := newVal.(portActionList)
So(new, ShouldNotBeEmpty)
So(old, ShouldResemble, new)
})
Convey("When I try to remove a UDP rule which matches, then it should get removed", func() {
ip := net.ParseIP("192.0.2.1")
oldVal, ok := a.udpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
old := oldVal.(portActionList)
So(old, ShouldNotBeEmpty)
oldLength := len(old)
err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"80"}, policyTwo)
So(err, ShouldBeNil)
newVal, ok := a.udpCache.Get(ip, 32)
So(ok, ShouldBeTrue)
new := newVal.(portActionList)
So(new, ShouldHaveLength, oldLength-1)
})
})
}
func TestObservedLookup(t *testing.T) {
ip1 := "200.17.0.0/17"
ip2 := "200.18.0.0/17"
ip3 := "200.0.0.0/9"
var (
rulesWithObservation = policy.IPRuleList{
policy.IPRule{
Addresses: []string{ip1},
Ports: []string{"401"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
ObserveAction: policy.ObserveContinue,
PolicyID: "observed-continue-tcp200.17/17"},
},
policy.IPRule{
Addresses: []string{ip2},
Ports: []string{"401"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
ObserveAction: policy.ObserveApply,
PolicyID: "observed-applied-tcp200.18/17"},
},
policy.IPRule{
Addresses: []string{ip3},
Ports: []string{"401"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp200/9"},
},
}
)
Convey("Given a good DB", t, func() {
a := newACL()
So(a, ShouldNotBeNil)
for _, r := range rulesWithObservation {
err := a.addRule(r)
So(err, ShouldBeNil)
}
// Ensure all the elements are there in the cache
cidrs := []string{ip1, ip2, ip3}
for _, cidr := range cidrs {
ip, ipnet, _ := net.ParseCIDR(cidr)
size, _ := ipnet.Mask.Size()
_, ok := a.tcpCache.Get(ip, size)
So(ok, ShouldEqual, true)
}
Convey("When I lookup for a matching address and a port range, I should get the right action and observed action", func() {
ip := net.ParseIP("200.17.0.1")
port := uint16(401)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp200/9")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "observed-continue-tcp200.17/17")
})
Convey("When I lookup for a matching address and a port range, I should get the observed action as applied", func() {
ip := net.ParseIP("200.18.0.1")
port := uint16(401)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "observed-applied-tcp200.18/17")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "observed-applied-tcp200.18/17")
})
Convey("When I lookup for a matching address and a port range with an already reported action of reject, I should get the observed action as applied", func() {
ip := net.ParseIP("200.18.0.1")
port := uint16(401)
preReported := &policy.FlowPolicy{
Action: policy.Reject,
PolicyID: "preReportedPolicyID",
}
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, preReported)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "observed-applied-tcp200.18/17")
So(r.Action, ShouldEqual, policy.Reject)
So(r.PolicyID, ShouldEqual, "preReportedPolicyID")
})
})
}
func TestNomatchLookup(t *testing.T) {
ip1 := "200.17.0.0/16"
ip2 := "200.18.0.0/16"
ip3 := "200.0.0.0/8"
var (
rulesWithNomatch = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"!" + ip1},
Ports: []string{"401"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "nomatch-tcp200.17/16"},
},
policy.IPRule{
Addresses: []string{"!" + ip2},
Ports: []string{"401"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "nomatch-tcp200.18/16"},
},
policy.IPRule{
Addresses: []string{ip3},
Ports: []string{"401"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp200/8"},
},
}
)
Convey("Given a good DB", t, func() {
a := newACL()
So(a, ShouldNotBeNil)
for _, r := range rulesWithNomatch {
err := a.addRule(r)
So(err, ShouldBeNil)
}
// Ensure all the elements are there in the cache
cidrs := []string{ip1, ip2, ip3}
for _, cidr := range cidrs {
ip, ipnet, _ := net.ParseCIDR(cidr)
size, _ := ipnet.Mask.Size()
_, ok := a.tcpCache.Get(ip, size)
So(ok, ShouldEqual, true)
}
Convey("When I lookup for a nomatch address and a port range, I should get nomatch", func() {
ip := net.ParseIP("200.17.0.1")
port := uint16(401)
_, _, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldNotBeNil)
})
Convey("When I lookup for another nomatch address and a port range, I should get nomatch", func() {
ip := net.ParseIP("200.18.0.1")
port := uint16(401)
_, _, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldNotBeNil)
})
Convey("When I lookup for a matching address and a port range, I should get the accept action", func() {
ip := net.ParseIP("200.19.0.1")
port := uint16(401)
r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
So(err, ShouldBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp200/8")
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "tcp200/8")
})
})
}
================================================
FILE: controller/internal/enforcer/acls/aclcache.go
================================================
package acls
import (
"errors"
"net"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
// ACLCache holds all the ACLS in an internal DB
// map[prefixes][subnets] -> list of ports with their actions
type ACLCache struct {
reject *acl
accept *acl
observe *acl
}
// NewACLCache a new ACL cache
func NewACLCache() *ACLCache {
return &ACLCache{
reject: newACL(),
accept: newACL(),
observe: newACL(),
}
}
// AddRule adds a single rule to the ACL Cache
func (c *ACLCache) AddRule(rule policy.IPRule) (err error) {
if rule.Policy.ObserveAction.ObserveApply() {
return c.observe.addRule(rule)
}
if rule.Policy.Action.Accepted() {
return c.accept.addRule(rule)
}
return c.reject.addRule(rule)
}
// AddRuleList adds a list of rules to the cache
func (c *ACLCache) AddRuleList(rules policy.IPRuleList) (err error) {
for _, rule := range rules {
if err = c.AddRule(rule); err != nil {
return
}
}
return
}
// RemoveRulesForAddress is going to remove all rules for the provided address, protocol and ports.
func (c *ACLCache) RemoveRulesForAddress(address *Address, protocol string, ports []string, policy *policy.FlowPolicy) error {
if err := c.reject.removeFromCache(address.IP, address.Mask, address.NoMatch, protocol, ports, policy); err != nil {
return err
}
if err := c.accept.removeFromCache(address.IP, address.Mask, address.NoMatch, protocol, ports, policy); err != nil {
return err
}
if err := c.observe.removeFromCache(address.IP, address.Mask, address.NoMatch, protocol, ports, policy); err != nil {
return err
}
return nil
}
// RemoveIPMask removes the entries indexed with (ip, mask). This is an idempotent operation
// and thus does not returns an error
func (c *ACLCache) RemoveIPMask(ip net.IP, mask int) {
c.reject.removeIPMask(ip, mask)
c.accept.removeIPMask(ip, mask)
c.observe.removeIPMask(ip, mask)
}
// GetMatchingAction gets the action from the acl cache
func (c *ACLCache) GetMatchingAction(ip net.IP, port uint16, proto uint8, defaultFlowPolicy *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {
report, packet, err = c.reject.getMatchingAction(ip, port, proto, report)
if err == nil {
return
}
report, packet, err = c.accept.getMatchingAction(ip, port, proto, report)
if err == nil {
return
}
report, packet, err = c.observe.getMatchingAction(ip, port, proto, report)
if err == nil {
return
}
if report == nil {
report = defaultFlowPolicy
}
if packet == nil {
packet = defaultFlowPolicy
}
if defaultFlowPolicy.Action.Accepted() {
return report, packet, nil
}
return report, packet, errors.New("no match")
}
// GetMatchingICMPAction gets the action based on icmp policy
func (c *ACLCache) GetMatchingICMPAction(ip net.IP, icmpType, icmpCode int8, defaultFlowPolicy *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {
report, packet, err = c.reject.matchICMPRule(ip, icmpType, icmpCode)
if err == nil {
return
}
report, packet, err = c.accept.matchICMPRule(ip, icmpType, icmpCode)
if err == nil {
return
}
report, packet, err = c.observe.matchICMPRule(ip, icmpType, icmpCode)
if err == nil {
return
}
if report == nil {
report = defaultFlowPolicy
}
if packet == nil {
packet = defaultFlowPolicy
}
if defaultFlowPolicy.Action.Accepted() {
return report, packet, nil
}
return report, packet, errors.New("no match")
}
================================================
FILE: controller/internal/enforcer/acls/aclcache_test.go
================================================
// +build !windows
package acls
import (
"net"
"testing"
. "github.com/smartystreets/goconvey/convey"
"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
var catchAllPolicy = &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"}
func TestEmptyACLCacheLookup(t *testing.T) {
Convey("Given an empty ACL Cache", t, func() {
c := NewACLCache()
Convey("When I lookup for a matching address but failed port, I should get reject", func() {
ip := net.ParseIP("192.168.100.1")
port := uint16(600)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldNotBeNil)
So(a.Action&policy.Reject, ShouldEqual, policy.Reject)
So(a.PolicyID, ShouldEqual, "default")
So(p.Action&policy.Reject, ShouldEqual, policy.Reject)
So(p.ServiceID, ShouldEqual, "default")
})
Convey("When I lookup for a matching address but failed port, I should get accept", func() {
ip := net.ParseIP("192.168.100.1")
port := uint16(600)
defaultFlowPolcy := &policy.FlowPolicy{Action: policy.Accept | policy.Log, PolicyID: "default", ServiceID: "default"}
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, defaultFlowPolcy)
So(err, ShouldBeNil)
So(a.Action&policy.Accept, ShouldEqual, policy.Accept)
So(a.PolicyID, ShouldEqual, "default")
So(p.Action&policy.Accept, ShouldEqual, policy.Accept)
So(p.ServiceID, ShouldEqual, "default")
})
})
}
func TestRejectPrioritizedOverAcceptCacheLookup(t *testing.T) {
rules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp172/8"},
},
policy.IPRule{
Addresses: []string{"0.0.0.0/0"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Reject,
PolicyID: "catchAllDrop"},
},
}
Convey("Given an ACL Cache with accept and reject rules", t, func() {
c := NewACLCache()
So(c, ShouldNotBeNil)
err := c.AddRuleList(rules)
So(err, ShouldBeNil)
Convey("When I lookup for a matching address to both accept and reject rule, I should get reject", func() {
ip := net.ParseIP("172.1.1.1")
port := uint16(1)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldBeNil)
So(a.Action, ShouldEqual, policy.Reject)
So(a.PolicyID, ShouldEqual, "catchAllDrop")
So(p.Action, ShouldEqual, policy.Reject)
So(p.PolicyID, ShouldEqual, "catchAllDrop")
})
})
}
func TestEmptyACLWithObserveContinueCacheLookup(t *testing.T) {
rules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"0.0.0.0/0"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
ObserveAction: policy.ObserveContinue,
PolicyID: "ObserveAcceptContinue"},
},
}
Convey("Given an empty ACL Cache", t, func() {
c := NewACLCache()
So(c, ShouldNotBeNil)
err := c.AddRuleList(rules)
So(err, ShouldBeNil)
Convey("When I lookup for a matching address, I should get accept", func() {
ip := net.ParseIP("192.168.100.1")
port := uint16(1)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldNotBeNil)
So(a.Action, ShouldEqual, policy.Accept)
So(a.PolicyID, ShouldEqual, "ObserveAcceptContinue")
So(p.Action&policy.Reject, ShouldEqual, policy.Reject)
So(p.PolicyID, ShouldEqual, "default")
})
})
}
func TestEmptyACLWithObserveApplyCacheLookup(t *testing.T) {
rules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"0.0.0.0/0"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
ObserveAction: policy.ObserveApply,
PolicyID: "observeAcceptApply"},
},
}
Convey("Given an empty ACL Cache", t, func() {
c := NewACLCache()
So(c, ShouldNotBeNil)
err := c.AddRuleList(rules)
So(err, ShouldBeNil)
Convey("When I lookup for a matching address, I should get accept", func() {
ip := net.ParseIP("192.168.100.1")
port := uint16(1)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldBeNil)
So(a.Action, ShouldEqual, policy.Accept)
So(a.PolicyID, ShouldEqual, "observeAcceptApply")
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "observeAcceptApply")
})
})
}
func TestObserveContinueApplyCacheLookup(t *testing.T) {
rules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"172.1.0.0/16"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Reject,
ObserveAction: policy.ObserveContinue,
PolicyID: "observeRejectContinue-172.1/16"},
},
policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "tcp172/8"},
},
policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
ObserveAction: policy.ObserveApply,
PolicyID: "observeRejectApply"},
},
policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Reject,
ObserveAction: policy.ObserveContinue,
PolicyID: "observeRejectContinue"},
},
}
Convey("Given an ACL Cache with accept observe-apply and observe-continue rules for same prefix", t, func() {
c := NewACLCache()
So(c, ShouldNotBeNil)
err := c.AddRuleList(rules)
So(err, ShouldBeNil)
Convey("When I lookup for a matching address to /16, I should get report reject and packet accept and ignore observe-apply rule", func() {
ip := net.ParseIP("172.1.1.1")
port := uint16(1)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldBeNil)
So(a.Action, ShouldEqual, policy.Reject)
So(a.PolicyID, ShouldEqual, "observeRejectContinue-172.1/16")
// So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp172/8")
})
Convey("When I lookup for a matching address to /8, I should get report reject and packet accept and ignore observe-apply rule", func() {
ip := net.ParseIP("172.2.1.1")
port := uint16(1)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldBeNil)
So(a.Action, ShouldEqual, policy.Reject)
So(a.PolicyID, ShouldEqual, "observeRejectContinue")
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "tcp172/8")
})
})
}
func TestAcceptWithNomatchCacheLookup(t *testing.T) {
rules = policy.IPRuleList{
policy.IPRule{
Addresses: []string{"0.0.0.0/1", "!10.10.10.0/24", "128.0.0.0/1", "!10.0.0.0/8", "10.10.0.0/16"},
Ports: []string{"0:65535"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
},
},
}
Convey("Given an ACL Cache with accept policy with some nomatch addresses", t, func() {
c := NewACLCache()
So(c, ShouldNotBeNil)
err := c.AddRuleList(rules)
So(err, ShouldBeNil)
Convey("When I lookup address within nomatch outer but also within match inner, I should get accept", func() {
ip := net.ParseIP("10.10.2.100")
port := uint16(443)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldBeNil)
So(a.Action, ShouldEqual, policy.Accept)
So(p.Action, ShouldEqual, policy.Accept)
})
Convey("When I lookup address within nomatch, I should get no match", func() {
ip := net.ParseIP("10.10.10.100")
port := uint16(443)
_, _, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldNotBeNil)
})
Convey("When I lookup address within nomatch outer and not also within match inner, I should get no match", func() {
ip := net.ParseIP("10.4.10.100")
port := uint16(443)
_, _, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldNotBeNil)
})
Convey("When I lookup address within match outer and not also within match inner, I should get accept", func() {
ip := net.ParseIP("192.168.10.100")
port := uint16(443)
a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
So(err, ShouldBeNil)
So(a.Action, ShouldEqual, policy.Accept)
So(p.Action, ShouldEqual, policy.Accept)
})
})
}
func TestRemoveRules(t *testing.T) {
Convey("Given an ACL Cache with some rules", t, func() {
ip := net.ParseIP("172.1.0.0")
So(ip, ShouldNotBeNil)
c := NewACLCache()
So(c, ShouldNotBeNil)
err := c.AddRuleList(policy.IPRuleList{
policy.IPRule{
Addresses: []string{"172.1.0.0/16"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Reject,
PolicyID: "reject",
},
},
policy.IPRule{
Addresses: []string{"172.1.0.0/16"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
ObserveAction: policy.ObserveApply,
PolicyID: "observeApply",
},
},
policy.IPRule{
Addresses: []string{"172.1.0.0/16"},
Ports: []string{"1"},
Protocols: []string{constants.TCPProtoNum},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "accept",
},
},
})
So(err, ShouldBeNil)
val, ok := c.reject.tcpCache.Get(ip, 16)
So(ok, ShouldBeTrue)
So(val.(portActionList), ShouldNotBeEmpty)
val, ok = c.observe.tcpCache.Get(ip, 16)
So(ok, ShouldBeTrue)
So(val.(portActionList), ShouldNotBeEmpty)
val, ok = c.accept.tcpCache.Get(ip, 16)
So(ok, ShouldBeTrue)
So(val.(portActionList), ShouldNotBeEmpty)
Convey("Then I should error if I pass unparseable rules", func() {
err := c.RemoveRulesForAddress(
&Address{IP: ip, Mask: 16, NoMatch: false},
constants.TCPProtoNum,
[]string{"invalid"},
&policy.FlowPolicy{
Action: policy.Reject,
PolicyID: "reject",
},
)
So(err, ShouldNotBeNil)
})
Convey("Then I should be able to remove the rules", func() {
err := c.RemoveRulesForAddress(
&Address{IP: ip, Mask: 16, NoMatch: false},
constants.TCPProtoNum,
[]string{"1"},
&policy.FlowPolicy{
Action: policy.Reject,
PolicyID: "reject",
},
)
So(err, ShouldBeNil)
err = c.RemoveRulesForAddress(
&Address{IP: ip, Mask: 16, NoMatch: false},
constants.TCPProtoNum,
[]string{"1"},
&policy.FlowPolicy{
ObserveAction: policy.ObserveApply,
PolicyID: "observeApply",
},
)
So(err, ShouldBeNil)
err = c.RemoveRulesForAddress(
&Address{IP: ip, Mask: 16, NoMatch: false},
constants.TCPProtoNum,
[]string{"1"},
&policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "accept",
},
)
So(err, ShouldBeNil)
val, ok := c.reject.tcpCache.Get(ip, 16)
So(ok, ShouldBeTrue)
So(val.(portActionList), ShouldBeEmpty)
val, ok = c.observe.tcpCache.Get(ip, 16)
So(ok, ShouldBeTrue)
So(val.(portActionList), ShouldBeEmpty)
val, ok = c.accept.tcpCache.Get(ip, 16)
So(ok, ShouldBeTrue)
So(val.(portActionList), ShouldBeEmpty)
})
})
}
================================================
FILE: controller/internal/enforcer/acls/icmpacl.go
================================================
package acls
import (
"net"
"strconv"
"strings"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
type icmpRule struct {
baseRule string
listOfDisjunctives []string
policy *policy.FlowPolicy
}
func (rule *icmpRule) match(icmpType, icmpCode int8) (*policy.FlowPolicy, bool) {
type evaluator func(int8) bool
processList := func(vs []string, f func(string) evaluator) []evaluator {
vals := make([]evaluator, len(vs))
for i, v := range vs {
vals[i] = f(v)
}
return vals
}
genCodes := func(val string) evaluator {
genCode := func(v string) evaluator {
switch splits := strings.Split(v, ":"); len(splits) {
case 1:
numVal, _ := strconv.Atoi(v)
return func(input int8) bool { return input == int8(numVal) }
default:
min := splits[0]
max := splits[1]
minVal, _ := strconv.Atoi(min)
maxVal, _ := strconv.Atoi(max)
return func(input int8) bool { return input >= int8(minVal) && input <= int8(maxVal) }
}
}
splits := strings.Split(val, ",")
vals := processList(splits, genCode)
return func(input int8) bool {
result := false
for _, v := range vals {
result = result || v(input)
}
return result
}
}
processSingleTypeCode := func(icmpTypeCode string) (evaluator, evaluator) {
splits := strings.Split(icmpTypeCode, "/")
var typeEval evaluator
var codeEval evaluator
typeEval = func(val int8) bool { return true }
codeEval = func(val int8) bool { return true }
for i, val := range splits {
switch i {
case 0:
case 1:
codeVal, _ := strconv.Atoi(val)
typeEval = func(input int8) bool { return input == int8(codeVal) }
case 2:
codeEval = genCodes(val)
}
}
return typeEval, codeEval
}
matches := func(icmpType, icmpCode int8, icmpTypeCode string) bool {
typeMatch, codeMatch := processSingleTypeCode(icmpTypeCode)
return typeMatch(icmpType) && codeMatch(icmpCode)
}
if !matches(icmpType, icmpCode, rule.baseRule) {
return rule.policy, false
}
action := true
for _, r := range rule.listOfDisjunctives {
action = false
if matches(icmpType, icmpCode, r) {
return rule.policy, true
}
}
return rule.policy, action
}
func (a *acl) matchICMPRule(ip net.IP, icmpType int8, icmpCode int8) (*policy.FlowPolicy, *policy.FlowPolicy, error) {
var report *policy.FlowPolicy
var match bool
lookup := func(val interface{}) bool {
if val != nil {
icmpRules := val.([]*icmpRule)
for _, icmpRule := range icmpRules {
report, match = icmpRule.match(icmpType, icmpCode)
if match {
return true
}
}
return false
}
return false
}
a.icmpCache.RunFuncOnLpmIP(ip, lookup)
if !match {
return nil, nil, errNotFound
}
return report, report, nil
}
================================================
FILE: controller/internal/enforcer/acls/ports.go
================================================
package acls
import (
"errors"
"fmt"
"strconv"
"strings"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
// ErrNoMatch is error returned when no match is found.
var ErrNoMatch = errors.New("No Match")
// portAction captures the minimum and maximum ports for an action
type portAction struct {
min uint16
max uint16
policy *policy.FlowPolicy
nomatch bool
}
// portActionList is a list of Port Actions
type portActionList []*portAction
// newPortAction parses a port spec and creates the action
func newPortAction(tcpport string, policy *policy.FlowPolicy, nomatch bool) (*portAction, error) {
p := &portAction{}
if strings.Contains(tcpport, ":") {
parts := strings.Split(tcpport, ":")
if len(parts) != 2 {
return nil, fmt.Errorf("invalid port: %s", tcpport)
}
port, err := strconv.Atoi(parts[0])
if err != nil {
return nil, err
}
p.min = uint16(port)
port, err = strconv.Atoi(parts[1])
if err != nil {
return nil, err
}
p.max = uint16(port)
} else {
port, err := strconv.Atoi(tcpport)
if err != nil {
return nil, err
}
p.min = uint16(port)
p.max = p.min
}
if p.min > p.max {
return nil, errors.New("min port is greater than max port")
}
p.policy = policy
p.nomatch = nomatch
return p, nil
}
func (p *portActionList) lookup(port uint16, preReported *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {
report = preReported
// Scan the ports - TODO: better algorithm needed here
for _, pa := range *p {
if port >= pa.min && port <= pa.max {
if pa.nomatch {
return report, packet, errNoMatchFromRule
}
// Check observed policies.
if pa.policy.ObserveAction.Observed() {
if report == nil {
report = pa.policy
}
if pa.policy.ObserveAction.ObserveContinue() {
continue
}
packet = pa.policy
return report, packet, nil
}
packet = pa.policy
if report == nil {
report = packet
}
return report, packet, nil
}
}
return report, packet, ErrNoMatch
}
================================================
FILE: controller/internal/enforcer/acls/ports_test.go
================================================
// +build !windows
package acls
import (
"testing"
. "github.com/smartystreets/goconvey/convey"
"go.aporeto.io/enforcerd/trireme-lib/policy"
)
func TestEmptyPortListLookup(t *testing.T) {
Convey("Given an empty port action list", t, func() {
pl := &portActionList{}
Convey("When I lookup for a matching port, I should not get any result", func() {
r, p, err := pl.lookup(10, nil)
So(err, ShouldNotBeNil)
So(r, ShouldBeNil)
So(p, ShouldBeNil)
})
})
}
func TestPortListLookup(t *testing.T) {
rule := policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1:999"},
Protocols: []string{"tcp"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portMatch",
},
}
Convey("Given a non-empty port action list", t, func() {
var pl portActionList
for _, port := range rule.Ports {
pa, err := newPortAction(port, rule.Policy, false)
So(err, ShouldBeNil)
So(pa, ShouldNotBeNil)
pl = append(pl, pa)
}
Convey("When I lookup for a non matching port, I should get error", func() {
r, p, err := pl.lookup(0, nil)
So(err, ShouldNotBeNil)
So(r, ShouldBeNil)
So(p, ShouldBeNil)
})
Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
r, p, err := pl.lookup(0, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch"},
)
So(err, ShouldNotBeNil)
So(r, ShouldNotBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldBeNil)
})
Convey("When I lookup for a matching port, I should get accept", func() {
r, p, err := pl.lookup(10, nil)
So(err, ShouldBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portMatch")
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "portMatch")
})
Convey("When I lookup for a matching port, and a report action, packet must be reported with no error", func() {
r, p, err := pl.lookup(10, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch"},
)
So(err, ShouldBeNil)
So(r, ShouldNotBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldNotBeNil)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "portMatch")
})
})
}
func TestPortListLookupObservedPolicyContinue(t *testing.T) {
rule := policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1:999"},
Protocols: []string{"tcp"},
Policy: &policy.FlowPolicy{
ObserveAction: policy.ObserveContinue,
Action: policy.Accept,
PolicyID: "portMatch",
},
}
Convey("Given a non-empty port action list", t, func() {
var pl portActionList
for _, port := range rule.Ports {
pa, err := newPortAction(port, rule.Policy, false)
So(err, ShouldBeNil)
So(pa, ShouldNotBeNil)
pl = append(pl, pa)
}
Convey("When I lookup for a non matching port, I should get error", func() {
r, p, err := pl.lookup(0, nil)
So(err, ShouldNotBeNil)
So(r, ShouldBeNil)
So(p, ShouldBeNil)
})
Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
r, p, err := pl.lookup(0, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch"},
)
So(err, ShouldNotBeNil)
So(r, ShouldNotBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldBeNil)
})
Convey("When I lookup for a matching port with observed policy, I should get report but no packet action and error ", func() {
r, p, err := pl.lookup(10, nil)
So(err, ShouldEqual, ErrNoMatch)
So(r.ObserveAction, ShouldEqual, policy.ObserveContinue)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portMatch")
So(p, ShouldBeNil)
})
Convey("When I lookup for a matching port with observed policy and pre-existing report, I should get unmodified report but no packet action and error ", func() {
r, p, err := pl.lookup(10, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch",
})
So(err, ShouldEqual, ErrNoMatch)
So(r.ObserveAction, ShouldEqual, policy.ObserveNone)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldBeNil)
})
})
}
func TestPortListLookupObservedPolicyApply(t *testing.T) {
rule := policy.IPRule{
Addresses: []string{"172.0.0.0/8"},
Ports: []string{"1:999"},
Protocols: []string{"tcp"},
Policy: &policy.FlowPolicy{
ObserveAction: policy.ObserveApply,
Action: policy.Accept,
PolicyID: "portMatch",
},
}
Convey("Given a non-empty port action list", t, func() {
var pl portActionList
for _, port := range rule.Ports {
pa, err := newPortAction(port, rule.Policy, false)
So(err, ShouldBeNil)
So(pa, ShouldNotBeNil)
pl = append(pl, pa)
}
Convey("When I lookup for a non matching port, I should get error", func() {
r, p, err := pl.lookup(0, nil)
So(err, ShouldNotBeNil)
So(r, ShouldBeNil)
So(p, ShouldBeNil)
})
Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
r, p, err := pl.lookup(0, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch"},
)
So(err, ShouldNotBeNil)
So(r, ShouldNotBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldBeNil)
})
Convey("When I lookup for a matching port with observed policy apply, I should get report and packet action and no error ", func() {
r, p, err := pl.lookup(10, nil)
So(err, ShouldBeNil)
So(r.ObserveAction, ShouldEqual, policy.ObserveApply)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portMatch")
So(p.ObserveAction, ShouldEqual, policy.ObserveApply)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "portMatch")
})
Convey("When I lookup for a matching port with observed policy and pre-existing report, I should get unmodified report, packet action and no error ", func() {
r, p, err := pl.lookup(10, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch",
})
So(err, ShouldBeNil)
So(r.ObserveAction, ShouldEqual, policy.ObserveNone)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p.ObserveAction, ShouldEqual, policy.ObserveApply)
So(p.Action, ShouldEqual, policy.Accept)
So(p.PolicyID, ShouldEqual, "portMatch")
})
})
}
func TestPortListWithNomatchLookup(t *testing.T) {
rule := policy.IPRule{
Addresses: []string{"0.0.0.0/1", "128.0.0.0/1", "!172.0.0.0/8"},
Ports: []string{"1:999"},
Protocols: []string{"tcp"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portMatch",
},
}
Convey("Given a non-empty port action list", t, func() {
var pl portActionList
for _, port := range rule.Ports {
pa, err := newPortAction(port, rule.Policy, true)
So(err, ShouldBeNil)
So(pa, ShouldNotBeNil)
pl = append(pl, pa)
}
Convey("When I lookup for a non matching port, I should get error", func() {
r, p, err := pl.lookup(0, nil)
So(err, ShouldNotBeNil)
So(r, ShouldBeNil)
So(p, ShouldBeNil)
})
Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
r, p, err := pl.lookup(0, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch"},
)
So(err, ShouldNotBeNil)
So(r, ShouldNotBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldBeNil)
})
Convey("When I lookup for a matching port, I should get no match", func() {
r, p, err := pl.lookup(10, nil)
So(err, ShouldNotBeNil)
So(r, ShouldBeNil)
So(p, ShouldBeNil)
})
Convey("When I lookup for a matching port, I should get no match but the unmodified reported flow input", func() {
r, p, err := pl.lookup(10, &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: "portPreMatch"},
)
So(err, ShouldNotBeNil)
So(r, ShouldNotBeNil)
So(r.Action, ShouldEqual, policy.Accept)
So(r.PolicyID, ShouldEqual, "portPreMatch")
So(p, ShouldBeNil)
})
})
}
================================================
FILE: controller/internal/enforcer/acls/utils.go
================================================
package acls
import (
"fmt"
"net"
"strconv"
"strings"
)
// Address is a parsed IP address or CIDR
type Address struct {
IP net.IP
Mask int
NoMatch bool
}
// ParseAddress parses `address` as an IP or CIDR address - based on the notation that we allow in our backend.
// If the address is prefixed with a "!"", then the NoMatch attribute will be true.
// If the Address is of the format "IP/BitMask" (e.g. 192.0.2.0/24), then the mask will be set to 24.
// If the address is of the form "IP" (e.g. 192.0.2.1), then the mask will be added automatically.
func ParseAddress(address string) (*Address, error) {
var mask int
var err error
parts := strings.Split(address, "/")
nomatch := strings.HasPrefix(parts[0], "!")
if nomatch {
parts[0] = parts[0][1:]
}
ip := net.ParseIP(parts[0])
if ip == nil {
return nil, fmt.Errorf("invalid ip address: %s", parts[0])
}
if len(parts) == 1 {
if ip.To4() != nil {
mask = 32
} else {
mask = 128
}
} else {
mask, err = strconv.Atoi(parts[1])
if err != nil {
return nil, fmt.Errorf("invalid mask '%s': %w", parts[1], err)
}
}
return &Address{IP: ip, Mask: mask, NoMatch: nomatch}, nil
}
================================================
FILE: controller/internal/enforcer/acls/utils_test.go
================================================
package acls
import (
"net"
"reflect"
"testing"
)
func TestParseAddress(t *testing.T) {
ipv4 := net.ParseIP("192.0.2.1")
if ipv4 == nil {
panic("ipv4 address invalid at test prerequisite")
}
ipv6 := net.ParseIP("2001:db8::1")
if ipv6 == nil {
panic("ipv6 address invalid at test prerequisite")
}
type args struct {
address string
}
tests := []struct {
name string
args args
want *Address
wantErr bool
}{
{
name: "invalid IP address",
args: args{
address: "invalid IP address",
},
want: nil,
wantErr: true,
},
{
name: "invalid network mask",
args: args{
address: "192.0.2.0/invalid",
},
want: nil,
wantErr: true,
},
{
name: "IPv4 address without mask",
args: args{
address: "192.0.2.1",
},
want: &Address{
IP: ipv4,
Mask: 32,
NoMatch: false,
},
},
{
name: "IPv6 address without mask",
args: args{
address: "2001:db8::1",
},
want: &Address{
IP: ipv6,
Mask: 128,
NoMatch: false,
},
},
{
name: "IPv4 address with mask",
args: args{
address: "192.0.2.1/24",
},
want: &Address{
IP: ipv4,
Mask: 24,
NoMatch: false,
},
},
{
name: "IPv6 address with mask",
args: args{
address: "2001:db8::1/64",
},
want: &Address{
IP: ipv6,
Mask: 64,
NoMatch: false,
},
},
{
name: "IPv4 address with mask and nomatch",
args: args{
address: "!192.0.2.1/24",
},
want: &Address{
IP: ipv4,
Mask: 24,
NoMatch: true,
},
},
{
name: "IPv6 address with mask and nomatch",
args: args{
address: "!2001:db8::1/64",
},
want: &Address{
IP: ipv6,
Mask: 64,
NoMatch: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := ParseAddress(tt.args.address)
if (err != nil) != tt.wantErr {
t.Errorf("ParseAddress() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("ParseAddress() = %v, want %v", got, tt.want)
}
})
}
}
================================================
FILE: controller/internal/enforcer/apiauth/apiauth.go
================================================
package apiauth
import (
"context"
"fmt"
"net"
"net/http"
"strings"
"sync"
"time"
"go.aporeto.io/enforcerd/trireme-lib/collector"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/servicetokens"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.uber.org/zap"
)
const (
// DefaultValidity is default service token validity.
DefaultValidity = 60 * time.Second
// TriremeOIDCCallbackURI is the callback URI that must be presented by
// any OIDC provider.
TriremeOIDCCallbackURI = "/aporeto/oidc/callback"
)
// Processor is an API Authorization processor.
type Processor struct {
puContext string
issuer string // the issuer ID .. need to get rid of that part with the new tokens
secrets secrets.Secrets
sync.RWMutex
}
// New will create a new authorization processor.
func New(contextID string, s secrets.Secrets) *Processor {
return &Processor{
puContext: contextID,
secrets: s,
}
}
func (p *Processor) retrieveNetworkContext(originalIP *net.TCPAddr) (*serviceregistry.PortContext, error) {
return serviceregistry.Instance().RetrieveExposedServiceContext(originalIP.IP, originalIP.Port, "")
}
func (p *Processor) retrieveApplicationContext(address *net.TCPAddr) (*serviceregistry.ServiceContext, *serviceregistry.DependentServiceData, error) {
return serviceregistry.Instance().RetrieveDependentServiceDataByIDAndNetwork(p.puContext, address.IP, address.Port, "")
}
// UpdateSecrets is called to update the authorizer secrets.
func (p *Processor) UpdateSecrets(s secrets.Secrets) {
p.Lock()
defer p.Unlock()
p.secrets = s
}
// ApplicationRequest processes an application side request and returns
// the token that is associated with this application, together with an
// error if the request must be rejected.
func (p *Processor) ApplicationRequest(r *Request) (*AppAuthResponse, error) {
d := &AppAuthResponse{
TLSListener: true,
}
// Derive the service context for this request. This is another PU
// or some external service. Context is derived based on the original
// destination of the request.
sctx, serviceData, err := p.retrieveApplicationContext(r.OriginalDestination)
if err != nil {
return d, &AuthError{
status: http.StatusBadGateway,
message: fmt.Sprintf("Cannot identify application context: %s", err),
}
}
d.PUContext = sctx.PUContext
d.ServiceID = serviceData.APICache.ID
// First we process network type rules (L3 based decision)
_, netaction, noNetAccesPolicy := sctx.PUContext.ApplicationACLPolicyFromAddr(r.OriginalDestination.IP, uint16(r.OriginalDestination.Port), uint8(packet.IPProtocolTCP))
d.NetworkPolicyID = netaction.PolicyID
d.NetworkServiceID = netaction.ServiceID
if noNetAccesPolicy == nil && netaction.Action.Rejected() {
return d, &AuthError{
status: http.StatusNetworkAuthenticationRequired,
message: "Unauthorized Service - Rejected Outgoing Request by Network Policies",
}
}
// For external services we validate policy at the ingress.
if serviceData.APICache.External {
d.External = true
// Get the corresponding scopes
found, rule := serviceData.APICache.FindRule(r.Method, r.URL.Path)
if !found {
return d, &AuthError{
status: http.StatusForbidden,
message: "Uknown or unauthorized service: policy not found",
}
}
d.HookMethod = rule.HookMethod
// If there is an authorization policy attached to the rule, we must validate
// against the identity of the PU.
if !rule.Public {
// Validate the policy based on the scopes of the PU.
// TODO: Add user scopes
if !serviceData.APICache.MatchClaims(rule.ClaimMatchingRules, append(sctx.PUContext.Identity().GetSlice(), sctx.PUContext.Scopes()...)) {
return d, &AuthError{
status: http.StatusForbidden,
message: "Unauthorized service: rejected by policy",
}
}
}
d.Action = policy.Accept | policy.Log
if !serviceData.ServiceObject.NoTLSExternalService {
d.Action = d.Action | policy.Encrypt
}
d.TLSListener = !serviceData.ServiceObject.NoTLSExternalService
return d, nil
}
p.RLock()
defer p.RUnlock()
secret := p.secrets
token, err := servicetokens.CreateAndSign(
p.issuer,
sctx.PUContext.Identity().GetSlice(),
sctx.PUContext.Scopes(),
sctx.PUContext.ManagementID(),
DefaultValidity,
secret.EncodingKey(),
nil,
)
if err != nil {
return d, &AuthError{
status: http.StatusInternalServerError,
message: "Unable to issue service token",
err: err,
}
}
d.Token = token
return d, nil
}
// NetworkRequest authorizes a network request and either accepts the request
// or potentially issues a redirect.
func (p *Processor) NetworkRequest(ctx context.Context, r *Request) (*NetworkAuthResponse, error) {
// First retrieve the context and policy for this request. Network
// requests are indexed based on the original destination and port.
pctx, err := p.retrieveNetworkContext(r.OriginalDestination)
if err != nil {
return nil, &AuthError{
status: http.StatusInternalServerError,
message: "Internal server error - cannot identify destination policy",
err: err,
}
}
// Create a basic response. We will update this response with information
// as we continue processing.
d := &NetworkAuthResponse{
PUContext: pctx.PUContext,
ServiceID: pctx.Service.ID,
Action: policy.Reject,
SourceType: collector.EndPointTypeExternalIP,
TLSListener: pctx.Service.PrivateTLSListener,
Namespace: pctx.PUContext.ManagementNamespace(),
}
// We process first OIDC callbacks. These are the redirects after a user
// has been authorized. We do not apply any network rule checks in this
// case. If the callback is authorized we return the cookie and JWT
// for the user.
if strings.HasPrefix(r.RequestURI, TriremeOIDCCallbackURI) {
callbackResponse, err := pctx.Authorizer.Callback(ctx, r.URL)
if err == nil {
d.Action = policy.Accept | policy.Encrypt | policy.Log
d.Redirect = true
d.RedirectURI = callbackResponse.OriginURL
d.Cookie = callbackResponse.Cookie
d.Data = callbackResponse.Data
d.SourceType = collector.EndPointTypeClaims
d.NetworkPolicyID = "default"
d.NetworkServiceID = "default"
}
return d, &AuthError{
message: callbackResponse.Message,
status: callbackResponse.Status,
}
}
// We first process the network access rules based on external networks or
// incoming IP addresses. We cannot process yet the Aporeto authorization
// rules until after we decode the claims. The aclPolicy holds the matched
// rules. If the method returns no error we store it in the noNetAccessPolicy
// variable. This indicates that we have found no external network rule that
// allows the request and we must validate the PU to PU rules. We will not
// know what to do until after we decode all the incoming claims.
// We perform this function early so that we don't waste CPU cycles with
// processing tokens if the network policy does not allow the connection.
aclReportPolicy, aclActualPolicy, noNetAccessPolicy := pctx.PUContext.NetworkACLPolicyFromAddr(
r.SourceAddress.IP,
uint16(r.OriginalDestination.Port),
uint8(packet.IPProtocolTCP),
)
d.NetworkPolicyID = aclActualPolicy.PolicyID
d.NetworkServiceID = aclActualPolicy.ServiceID
if aclActualPolicy.Action.Logged() {
d.Action = d.Action | policy.Log
}
if aclReportPolicy.ObserveAction.Observed() {
d.ObservedPolicyID = aclReportPolicy.PolicyID
d.ObservedAction = aclReportPolicy.Action
}
if noNetAccessPolicy == nil && aclActualPolicy.Action.Rejected() {
d.DropReason = collector.PolicyDrop
d.SourceType = collector.EndPointTypeExternalIP
return d, &AuthError{
message: "Access denied by network policy",
status: http.StatusNetworkAuthenticationRequired,
}
}
// Retrieve the headers with the key and auth parameters. If the parameters do not
// exist, we will end up with empty values, but processing can continue. The authorizer
// will validate if they are needed or not.
token, key := processHeaders(r)
// Calculate the user attributes. User attributes can be derived either from a
// token or from a certificate. The authorizer library will parse them. We don't
// care if there are no user credentials. It might be a request from a PU,
// or it might be a request to a public interface. Only if the service mandates
// user credentials, we get the redirect directive.
userCredentials(ctx, pctx, r, d)
// Calculate the Aporeto PU claims by parsing the token if it exists. If the token
// is empty the DecodeAporetoClaims method will return no error.
var aporetoClaims []string
var pingPayload *policy.PingPayload
d.SourcePUID, aporetoClaims, pingPayload, err = pctx.Authorizer.DecodeAporetoClaims(token, key)
if err != nil {
d.DropReason = collector.PolicyDrop
return d, &AuthError{
message: fmt.Sprintf("Invalid Authorization Token: %s", err),
status: http.StatusForbidden,
}
}
if pingPayload != nil && pingPayload.PingID != "" {
d.PingConfig = &PingConfig{
PingID: pingPayload.PingID,
IterationID: pingPayload.IterationID,
Claims: aporetoClaims,
PayloadSize: len(token) + len(key),
}
}
// If the other side is a PU we will always put the source type as PU.
isPUSource := false
if len(aporetoClaims) > 0 {
isPUSource = true
d.SourceType = collector.EndPointTypePU
}
// We need to verify network policy, before validating the API policy. If a network
// policy has given us an accept because of IP address based ACLs we proceed anyway.
// This is rather convoluted, but a user might choose to implement network
// policies with ACLs only, and we have to cover this case.
if noNetAccessPolicy != nil || aclReportPolicy.ObserveAction.ObserveApply() {
// If we have not found an IP based access policy and the other side
// is a PU we can visit the network rules based on tag authorization.
if isPUSource {
netReportPolicy, netActualPolicy := pctx.PUContext.SearchRcvRules(policy.NewTagStoreFromSlice(aporetoClaims))
d.NetworkPolicyID = netActualPolicy.PolicyID
d.NetworkServiceID = aclActualPolicy.ServiceID
d.ObservedPolicyID = ""
d.ObservedAction = policy.ActionType(0)
if netReportPolicy.ObserveAction.Observed() {
d.ObservedPolicyID = netReportPolicy.PolicyID
d.ObservedAction = netReportPolicy.Action
}
if netActualPolicy.Action.Rejected() {
d.DropReason = collector.PolicyDrop
return d, &AuthError{
message: "Access not authorized by network policy",
status: http.StatusNetworkAuthenticationRequired,
}
}
} else {
// If no network access policy and no PU claims, this request
// is dropped.
d.DropReason = collector.PolicyDrop
return d, &AuthError{
message: "Access denied by network policy: no policy found",
status: http.StatusNetworkAuthenticationRequired,
}
}
} else {
if aclActualPolicy.Action.Accepted() {
aporetoClaims = append(aporetoClaims, aclActualPolicy.Labels...)
}
}
// We can now validate the API authorization. This is the final step
// before forwarding.
allClaims := append(aporetoClaims, d.UserAttributes...)
accept, public := pctx.Authorizer.Check(r.Method, r.URL.Path, allClaims)
if !accept && !public {
// If the authorization check returns reject, we need to validate
// if this is a public request, it will be accepted.
d.DropReason = collector.APIPolicyDrop
// We need to process the redirects here. The reject might be forcing
// us to issue a redirect. Redirects are valid only if the source
// is a user. It doesn't make sense to redirect a PU.
// If the source is not a PU, then ping cannot be enabled.
if !isPUSource {
authError := &AuthError{
message: "No token presented or invalid token: Please authenticate first",
status: http.StatusTemporaryRedirect,
}
if d.Redirect {
d.RedirectURI = pctx.Authorizer.RedirectURI(r.URL.String())
return d, authError
} else if len(pctx.Service.UserRedirectOnAuthorizationFail) > 0 {
d.RedirectURI = pctx.Service.UserRedirectOnAuthorizationFail + "?failure_message=authorization"
return d, authError
}
}
zap.L().Debug("No match found for the request or authorization Error",
zap.String("Request", r.Method+" "+r.RequestURI),
zap.Strings("User Attributes", d.UserAttributes),
zap.Strings("Aporeto Claims", aporetoClaims),
)
return d, &AuthError{
message: fmt.Sprintf("Unauthorized Access to %s", r.URL),
status: http.StatusUnauthorized,
}
}
d.Action = policy.Accept
if r.TLS != nil {
d.Action = d.Action | policy.Encrypt
}
if aclActualPolicy.Action.Logged() {
d.Action = d.Action | policy.Log
}
// We update the request headers with the claims and pass back
// the information.
pctx.Authorizer.UpdateRequestHeaders(r.Header, d.UserAttributes)
d.Header = r.Header
return d, nil
}
// userCredentials will find all the user credentials in the http request.
// TODO: In addition to looking at the headers, we need to look at the parameters
// in case authorization is provided there.
// It will return the userAttributes and a boolean instructing whether a redirect
// must be performed. If no user credentials are found, it will allow processing
// to proceed. It might be a
func userCredentials(ctx context.Context, pctx *serviceregistry.PortContext, r *Request, d *NetworkAuthResponse) {
if r.TLS == nil {
return
}
userCerts := r.TLS.PeerCertificates
var userToken string
authToken := r.Header.Get("Authorization")
if len(authToken) < 7 {
if r.Cookie != nil {
userToken = r.Cookie.Value
}
} else {
userToken = strings.TrimPrefix(authToken, "Bearer ")
}
userAttributes, redirect, refreshedToken, err := pctx.Authorizer.DecodeUserClaims(ctx, pctx.Service.ID, userToken, userCerts)
if err != nil {
zap.L().Warn("Partially failed to extract and decode user claims", zap.Error(err))
}
if len(userAttributes) > 0 {
d.SourceType = collector.EndPointTypeClaims
}
if refreshedToken != userToken {
d.Cookie = &http.Cookie{
Name: "X-APORETO-AUTH",
Value: refreshedToken,
HttpOnly: true,
Secure: true,
Path: "/",
}
}
d.UserAttributes = userAttributes
d.Redirect = redirect
}
func processHeaders(r *Request) (string, string) {
token := r.Header.Get("X-APORETO-AUTH")
if token != "" {
r.Header.Del("X-APORETO-AUTH")
}
key := r.Header.Get("X-APORETO-KEY")
if key != "" {
r.Header.Del("X-APORETO-KEY")
}
return token, key
}
================================================
FILE: controller/internal/enforcer/apiauth/apiauth_test.go
================================================
// +build !windows
package apiauth
import (
"context"
"crypto/tls"
"fmt"
"net"
"net/http"
"net/url"
"testing"
"time"
"github.com/golang/mock/gomock"
. "github.com/smartystreets/goconvey/convey"
"go.aporeto.io/enforcerd/trireme-lib/collector"
triremecommon "go.aporeto.io/enforcerd/trireme-lib/common"
"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/testhelper"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/servicetokens"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/mockusertokens"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)
const (
policyID = "somepolicy"
rejectPolicyID = "somerejectepolicy"
serviceID = "someservice"
rejectServiceID = "somerejectservice"
namespace = "somenamespace"
appLabel = "app=web"
)
func newBaseApplicationServices(ctrl *gomock.Controller, id string, ipAddr string, exposedPortValue, publicPortValue, privatePortValue uint16, external bool) *policy.ApplicationService {
exposedPort, err := portspec.NewPortSpec(exposedPortValue, exposedPortValue, nil)
So(err, ShouldBeNil)
publicPort, err := portspec.NewPortSpec(publicPortValue, publicPortValue, nil)
So(err, ShouldBeNil)
privatePort, err := portspec.NewPortSpec(privatePortValue, privatePortValue, nil)
So(err, ShouldBeNil)
return &policy.ApplicationService{
ID: id,
NetworkInfo: &triremecommon.Service{
Ports: exposedPort,
Protocol: 6,
Addresses: map[string]struct{}{ipAddr: struct{}{}},
},
PublicNetworkInfo: &triremecommon.Service{
Ports: publicPort,
Protocol: 6,
Addresses: map[string]struct{}{ipAddr: struct{}{}},
},
PrivateNetworkInfo: &triremecommon.Service{
Ports: privatePort,
Protocol: 6,
Addresses: map[string]struct{}{},
},
Type: policy.ServiceHTTP,
PublicServiceTLSType: policy.ServiceTLSTypeAporeto,
External: external,
HTTPRules: []*policy.HTTPRule{
{
URIs: []string{"/admin"},
Methods: []string{"GET"},
ClaimMatchingRules: [][]string{
{appLabel},
},
Public: false,
},
{
URIs: []string{"/public"},
Methods: []string{"GET"},
Public: true,
},
{
URIs: []string{"/forbidden"},
Methods: []string{"GET"},
ClaimMatchingRules: [][]string{
{"Nobody"},
},
Public: false,
},
},
UserAuthorizationType: policy.UserAuthorizationOIDC,
UserAuthorizationHandler: mockusertokens.NewMockVerifier(ctrl),
}
}
func newAPIAuthProcessor(ctrl *gomock.Controller) (*serviceregistry.Registry, *pucontext.PUContext, secrets.Secrets) {
contextID := "test"
baseService := newBaseApplicationServices(ctrl, "base", "10.1.1.0/24", uint16(80), uint16(443), uint16(80), false)
externalService := newBaseApplicationServices(ctrl, "external", "45.0.0.0/8", uint16(80), uint16(443), uint16(80), true)
externalBadService := newBaseApplicationServices(ctrl, "external", "100.0.0.0/8", uint16(80), uint16(443), uint16(80), true)
exposedServices := policy.ApplicationServicesList{baseService}
dependentServices := policy.ApplicationServicesList{baseService, externalService, externalBadService}
networkACLs := policy.IPRuleList{
{
Addresses: []string{"10.1.1.0/24"},
Ports: []string{"80"},
Protocols: []string{"6"},
Policy: &policy.FlowPolicy{
Action: policy.Accept,
PolicyID: policyID,
ServiceID: serviceID,
Labels: []string{"service=external
gitextract_oai4eol3/
├── .github/
│ ├── ISSUE_TEMPLATE.md
│ └── PULL_REQUEST_TEMPLATE.md
├── .gitignore
├── .lint.windows.sh
├── .test.sh
├── .test.windows.sh
├── .travis.yml
├── CONTRIBUTING.md
├── Gopkg.toml
├── LICENSE
├── Makefile
├── NOTICE
├── README.md
├── buildflags/
│ ├── buildflags.go
│ └── buildflags_rhel.go
├── cmd/
│ └── systemdutil/
│ ├── exec.go
│ ├── exec_windows.go
│ └── systemdutil.go
├── collector/
│ ├── default.go
│ ├── default_test.go
│ ├── interfaces.go
│ └── mockcollector/
│ └── mockcollector.go
├── common/
│ ├── events.go
│ ├── hooks.go
│ ├── oauthtokens.go
│ └── service.go
├── controller/
│ ├── config.go
│ ├── config_nonwindows.go
│ ├── config_windows.go
│ ├── constants/
│ │ ├── constants.go
│ │ ├── constants_nonrhel6.go
│ │ ├── constants_rhel6.go
│ │ └── constants_test.go
│ ├── controller.go
│ ├── helpers.go
│ ├── interfaces.go
│ ├── internal/
│ │ ├── enforcer/
│ │ │ ├── acls/
│ │ │ │ ├── acl.go
│ │ │ │ ├── acl_test.go
│ │ │ │ ├── aclcache.go
│ │ │ │ ├── aclcache_test.go
│ │ │ │ ├── icmpacl.go
│ │ │ │ ├── ports.go
│ │ │ │ ├── ports_test.go
│ │ │ │ ├── utils.go
│ │ │ │ └── utils_test.go
│ │ │ ├── apiauth/
│ │ │ │ ├── apiauth.go
│ │ │ │ ├── apiauth_test.go
│ │ │ │ └── types.go
│ │ │ ├── applicationproxy/
│ │ │ │ ├── applicationproxy.go
│ │ │ │ ├── common/
│ │ │ │ │ └── common.go
│ │ │ │ ├── http/
│ │ │ │ │ ├── error_handler.go
│ │ │ │ │ ├── http.go
│ │ │ │ │ ├── ping_http.go
│ │ │ │ │ └── transport.go
│ │ │ │ ├── markedconn/
│ │ │ │ │ ├── mark_linux.go
│ │ │ │ │ ├── mark_windows.go
│ │ │ │ │ ├── markedconn.go
│ │ │ │ │ ├── markedconn_darwin.go
│ │ │ │ │ ├── markedconn_test.go
│ │ │ │ │ ├── markedconn_windows_test.go
│ │ │ │ │ ├── origdest_linux.go
│ │ │ │ │ ├── origdest_windows.go
│ │ │ │ │ ├── platformdata.go
│ │ │ │ │ ├── platformdata_test.go
│ │ │ │ │ └── platformdata_windows.go
│ │ │ │ ├── pingrequest/
│ │ │ │ │ └── pingrequest.go
│ │ │ │ ├── protomux/
│ │ │ │ │ ├── protomux.go
│ │ │ │ │ └── protomux_test.go
│ │ │ │ ├── servicecache/
│ │ │ │ │ ├── servicecache.go
│ │ │ │ │ └── servicecache_test.go
│ │ │ │ ├── serviceregistry/
│ │ │ │ │ ├── serviceregistry.go
│ │ │ │ │ └── serviceregistry_test.go
│ │ │ │ ├── tcp/
│ │ │ │ │ ├── lookup.go
│ │ │ │ │ ├── ping_tcp.go
│ │ │ │ │ ├── tcp.go
│ │ │ │ │ ├── tcp_test.go
│ │ │ │ │ └── verifier/
│ │ │ │ │ ├── testdata/
│ │ │ │ │ │ ├── generate-certs.sh
│ │ │ │ │ │ ├── myca-cert.pem
│ │ │ │ │ │ ├── myclient-bad-cert.pem
│ │ │ │ │ │ ├── myclient-dns-cert.pem
│ │ │ │ │ │ ├── myclient-ip-cert.pem
│ │ │ │ │ │ └── myserver-cert.pem
│ │ │ │ │ ├── verifier.go
│ │ │ │ │ └── verifier_test.go
│ │ │ │ └── tlshelper/
│ │ │ │ └── tlshelper.go
│ │ │ ├── constants/
│ │ │ │ └── constants.go
│ │ │ ├── dnsproxy/
│ │ │ │ ├── common.go
│ │ │ │ ├── dns.go
│ │ │ │ ├── dns_darwin.go
│ │ │ │ ├── dns_linux.go
│ │ │ │ ├── dns_linux_test.go
│ │ │ │ ├── dns_report.go
│ │ │ │ ├── dns_test.go
│ │ │ │ ├── dns_unsupported.go
│ │ │ │ ├── dns_windows.go
│ │ │ │ ├── dns_windows_test.go
│ │ │ │ ├── dnsproxy.go
│ │ │ │ ├── mockdnsproxy/
│ │ │ │ │ └── mockdnsproxy.go
│ │ │ │ └── mutex_map.go
│ │ │ ├── enforcer.go
│ │ │ ├── envoyauthorizer/
│ │ │ │ ├── envoyauthorizerenforcer.go
│ │ │ │ └── envoyproxy/
│ │ │ │ ├── auth_server.go
│ │ │ │ └── sds_server.go
│ │ │ ├── flowstats/
│ │ │ │ └── state.go
│ │ │ ├── lookup/
│ │ │ │ ├── lookup.go
│ │ │ │ └── lookup_test.go
│ │ │ ├── metadata/
│ │ │ │ └── metadata.go
│ │ │ ├── mockenforcer/
│ │ │ │ └── mockenforcer.go
│ │ │ ├── nfqdatapath/
│ │ │ │ ├── afinetrawsocket/
│ │ │ │ │ ├── afinetrawsocket.go
│ │ │ │ │ ├── afinetrawsocket_osx.go
│ │ │ │ │ └── afinetrawsocket_windows.go
│ │ │ │ ├── autoport.go
│ │ │ │ ├── autoport_nonwindows.go
│ │ │ │ ├── autoport_windows.go
│ │ │ │ ├── countererrors.go
│ │ │ │ ├── datapath.go
│ │ │ │ ├── datapath_common_test.go
│ │ │ │ ├── datapath_darwin.go
│ │ │ │ ├── datapath_icmp.go
│ │ │ │ ├── datapath_linux.go
│ │ │ │ ├── datapath_tcp.go
│ │ │ │ ├── datapath_test.go
│ │ │ │ ├── datapath_udp.go
│ │ │ │ ├── datapath_windows.go
│ │ │ │ ├── diagnostics_tcp.go
│ │ │ │ ├── interfaces.go
│ │ │ │ ├── nflog/
│ │ │ │ │ ├── nflog_common.go
│ │ │ │ │ ├── nflog_darwin.go
│ │ │ │ │ ├── nflog_linux.go
│ │ │ │ │ ├── nflog_test.go
│ │ │ │ │ └── nflog_windows.go
│ │ │ │ ├── nfq_darwin.go
│ │ │ │ ├── nfq_linux.go
│ │ │ │ ├── nfq_windows.go
│ │ │ │ ├── nfq_windows_test.go
│ │ │ │ ├── ping_tcp.go
│ │ │ │ ├── ping_test.go
│ │ │ │ ├── test_utils.go
│ │ │ │ ├── test_utils_linux.go
│ │ │ │ ├── tokenaccessor/
│ │ │ │ │ ├── interfaces.go
│ │ │ │ │ ├── mocktokenaccessor/
│ │ │ │ │ │ └── mocktokenaccessor.go
│ │ │ │ │ ├── tokenaccessor.go
│ │ │ │ │ └── tokenaccessor_test.go
│ │ │ │ ├── utils.go
│ │ │ │ └── utils_test.go
│ │ │ ├── proxy/
│ │ │ │ ├── enforcerproxy.go
│ │ │ │ ├── enforcerproxy_test.go
│ │ │ │ └── rpcserver.go
│ │ │ ├── secretsproxy/
│ │ │ │ ├── secretsproxy.go
│ │ │ │ ├── secretsproxy_windows.go
│ │ │ │ └── transformer.go
│ │ │ └── utils/
│ │ │ ├── ephemeralkeys/
│ │ │ │ ├── ephemeralkeys.go
│ │ │ │ ├── interfaces.go
│ │ │ │ └── mockephemeralkeys/
│ │ │ │ └── mockephemeralkeys.go
│ │ │ ├── nsenter/
│ │ │ │ ├── nsenter.c
│ │ │ │ ├── nsenter.go
│ │ │ │ └── nsenter_linux.go
│ │ │ ├── packetgen/
│ │ │ │ ├── interfaces.go
│ │ │ │ ├── packet_gen.go
│ │ │ │ ├── packet_gen_test.go
│ │ │ │ └── packet_templates.go
│ │ │ └── rpcwrapper/
│ │ │ ├── interfaces.go
│ │ │ ├── mockrpcwrapper/
│ │ │ │ └── mockrpcwrapper.go
│ │ │ ├── rpc_handle.go
│ │ │ ├── rpc_handlemock.go
│ │ │ ├── rpc_handletest.go
│ │ │ ├── rpc_testhelper.go
│ │ │ └── types.go
│ │ ├── processmon/
│ │ │ ├── interfaces.go
│ │ │ ├── mockprocessmon/
│ │ │ │ └── mockprocessmon.go
│ │ │ ├── processmon.go
│ │ │ ├── processmon_linux_test.go
│ │ │ ├── processmon_test.go
│ │ │ ├── processmon_windows.go
│ │ │ └── testbinary/
│ │ │ └── testbinary.go
│ │ ├── supervisor/
│ │ │ ├── interfaces.go
│ │ │ ├── iptablesctrl/
│ │ │ │ ├── acls.go
│ │ │ │ ├── acls_darwin.go
│ │ │ │ ├── acls_linux.go
│ │ │ │ ├── acls_nonwindows.go
│ │ │ │ ├── acls_rhel6.go
│ │ │ │ ├── acls_windows.go
│ │ │ │ ├── acls_windows_test.go
│ │ │ │ ├── comparators.go
│ │ │ │ ├── constants_nonwindows.go
│ │ │ │ ├── constants_windows.go
│ │ │ │ ├── icmp_linux.go
│ │ │ │ ├── icmp_linux_test.go
│ │ │ │ ├── icmp_rhel6.go
│ │ │ │ ├── icmp_windows.go
│ │ │ │ ├── instance.go
│ │ │ │ ├── ipsets.go
│ │ │ │ ├── iptables.go
│ │ │ │ ├── iptablesV4_test.go
│ │ │ │ ├── iptablesV6_test.go
│ │ │ │ ├── iptables_linux_test.go
│ │ │ │ ├── iptables_rhel6_test.go
│ │ │ │ ├── iptables_windows_test.go
│ │ │ │ ├── ipv4.go
│ │ │ │ ├── ipv6.go
│ │ │ │ ├── ipv6_nonwindows.go
│ │ │ │ ├── ipv6_windows.go
│ │ │ │ ├── legacyacls.go
│ │ │ │ ├── portset.go
│ │ │ │ ├── rules.go
│ │ │ │ ├── rules_rhel6.go
│ │ │ │ ├── rules_windows.go
│ │ │ │ ├── templates.go
│ │ │ │ └── templates_test.go
│ │ │ ├── mocksupervisor/
│ │ │ │ └── mocksupervisor.go
│ │ │ ├── noop/
│ │ │ │ └── supervisornoop.go
│ │ │ ├── supervisor.go
│ │ │ └── supervisor_test.go
│ │ └── windows/
│ │ ├── rulespec_windows.go
│ │ ├── rulespec_windows_test.go
│ │ └── utils.go
│ ├── mockcontroller/
│ │ └── mocktrireme.go
│ ├── pkg/
│ │ ├── aclprovider/
│ │ │ ├── ipsetprovider.go
│ │ │ ├── ipsetprovider_windows.go
│ │ │ ├── ipsetprovidermock.go
│ │ │ ├── iptablesprovider.go
│ │ │ ├── iptablesprovider_test.go
│ │ │ ├── iptablesprovider_windows.go
│ │ │ └── iptablesprovidermock.go
│ │ ├── auth/
│ │ │ └── auth.go
│ │ ├── bufferpool/
│ │ │ └── bufferpool.go
│ │ ├── claimsheader/
│ │ │ ├── bytes.go
│ │ │ ├── bytes_test.go
│ │ │ ├── claimsheader.go
│ │ │ ├── claimsheader_test.go
│ │ │ ├── constants.go
│ │ │ ├── ct.go
│ │ │ ├── datapath_version.go
│ │ │ ├── options.go
│ │ │ ├── ping_type.go
│ │ │ └── types.go
│ │ ├── cleaner/
│ │ │ └── cleaner.go
│ │ ├── connection/
│ │ │ ├── connection.go
│ │ │ ├── connection_test.go
│ │ │ └── connectioncache.go
│ │ ├── counters/
│ │ │ ├── counters.go
│ │ │ ├── counters_test.go
│ │ │ ├── countertype_string.go
│ │ │ ├── default.go
│ │ │ ├── default_test.go
│ │ │ └── types.go
│ │ ├── dmesgparser/
│ │ │ └── dmesgparser.go
│ │ ├── ebpf/
│ │ │ ├── bpfbuild/
│ │ │ │ └── socket-filter-bpf.go
│ │ │ ├── ebpf_darwin.go
│ │ │ ├── ebpf_linux.go
│ │ │ ├── ebpf_rhel6.go
│ │ │ ├── ebpf_windows.go
│ │ │ └── interface.go
│ │ ├── env/
│ │ │ └── parameters.go
│ │ ├── flowtracking/
│ │ │ ├── flowtracking.go
│ │ │ ├── flowtracking_nonlinux.go
│ │ │ ├── interfaces.go
│ │ │ └── mockflowclient/
│ │ │ └── mockflowclient.go
│ │ ├── fqconfig/
│ │ │ ├── fqconfig.go
│ │ │ └── fqconfig_test.go
│ │ ├── ipsetmanager/
│ │ │ ├── constants_nonwindows.go
│ │ │ ├── constants_windows.go
│ │ │ ├── helpers.go
│ │ │ ├── ipsetmanager.go
│ │ │ ├── ipsetmanager_test.go
│ │ │ ├── ipsetprovider.go
│ │ │ ├── ipsetprovider_windows.go
│ │ │ ├── ipsetprovidermock.go
│ │ │ ├── ipsets.go
│ │ │ └── mock_ipsetmanager/
│ │ │ └── ipsetmanagermock.go
│ │ ├── packet/
│ │ │ ├── constants.go
│ │ │ ├── helpers.go
│ │ │ ├── packet.go
│ │ │ ├── packet_test.go
│ │ │ └── types.go
│ │ ├── packetprocessor/
│ │ │ └── packetprocessor.go
│ │ ├── packettracing/
│ │ │ └── packettracing.go
│ │ ├── pingconfig/
│ │ │ ├── pingconfig.go
│ │ │ └── pingconfig_test.go
│ │ ├── pkiverifier/
│ │ │ ├── pkiverifier.go
│ │ │ └── pkiverifier_test.go
│ │ ├── pucontext/
│ │ │ ├── pucontext.go
│ │ │ └── pucontext_test.go
│ │ ├── remoteenforcer/
│ │ │ ├── interfaces.go
│ │ │ ├── internal/
│ │ │ │ ├── client/
│ │ │ │ │ ├── interfaces.go
│ │ │ │ │ ├── mockclient/
│ │ │ │ │ │ └── mockclient.go
│ │ │ │ │ ├── reportsclient/
│ │ │ │ │ │ └── client.go
│ │ │ │ │ └── statsclient/
│ │ │ │ │ └── client.go
│ │ │ │ ├── statscollector/
│ │ │ │ │ ├── collector.go
│ │ │ │ │ ├── collector_reader.go
│ │ │ │ │ ├── collector_test.go
│ │ │ │ │ ├── collector_trireme.go
│ │ │ │ │ ├── interfaces.go
│ │ │ │ │ └── mockstatscollector/
│ │ │ │ │ └── mockstatscollector.go
│ │ │ │ └── tokenissuer/
│ │ │ │ ├── mocktokenclient/
│ │ │ │ │ └── mocktokenclient.go
│ │ │ │ └── tokenissuer.go
│ │ │ ├── mockremoteenforcer/
│ │ │ │ └── mockremoteenforcer.go
│ │ │ ├── remoteenforcer_linux.go
│ │ │ ├── remoteenforcer_stub.go
│ │ │ ├── remoteenforcer_test.go
│ │ │ └── type.go
│ │ ├── secrets/
│ │ │ ├── compactpki/
│ │ │ │ ├── compactpki.go
│ │ │ │ └── compactpki_test.go
│ │ │ ├── compactpki.go
│ │ │ ├── compactpki_test.go
│ │ │ ├── interfaces.go
│ │ │ ├── mocksecrets/
│ │ │ │ └── mocksecrets.go
│ │ │ ├── null.go
│ │ │ ├── rpc/
│ │ │ │ └── rpc.go
│ │ │ ├── secrets.go
│ │ │ ├── test_utils.go
│ │ │ └── testhelper/
│ │ │ └── testhelper.go
│ │ ├── servicetokens/
│ │ │ └── servicetokens.go
│ │ ├── tokens/
│ │ │ ├── binarycodec.go
│ │ │ ├── binaryjwt.go
│ │ │ ├── binaryjwt314.go
│ │ │ ├── binaryjwt500.go
│ │ │ ├── binaryjwt_test.go
│ │ │ ├── binaryjwtclaimtypes.go
│ │ │ ├── errors.go
│ │ │ ├── jwt.go
│ │ │ ├── jwt_test.go
│ │ │ ├── mocktokens/
│ │ │ │ └── mocktokens.go
│ │ │ └── tokens.go
│ │ ├── urisearch/
│ │ │ ├── urisearch.go
│ │ │ └── urisearch_test.go
│ │ └── usertokens/
│ │ ├── common/
│ │ │ ├── common.go
│ │ │ └── common_test.go
│ │ ├── mockusertokens/
│ │ │ └── mockusertokens.go
│ │ ├── oidc/
│ │ │ └── oidc.go
│ │ ├── pkitokens/
│ │ │ ├── jwt.go
│ │ │ ├── jwt_test.go
│ │ │ ├── publickeys.go
│ │ │ └── publickeys_test.go
│ │ └── usertokens.go
│ └── runtime/
│ └── runtime.go
├── doc.go
├── docs/
│ ├── README.md
│ ├── docker_host_networks.md
│ ├── linux_processes.md
│ ├── policy_design.md
│ ├── secure-application_segmentation.md
│ └── trireme_architecture.md
├── fix_bpf
├── mockgen.sh
├── monitor/
│ ├── api/
│ │ └── spec/
│ │ ├── Makefile
│ │ └── protos/
│ │ ├── monitor.pb.go
│ │ └── monitor.proto
│ ├── config/
│ │ └── config.go
│ ├── constants/
│ │ └── constants.go
│ ├── external/
│ │ ├── interfaces.go
│ │ └── mockexternal/
│ │ └── mockinterfaces.go
│ ├── extractors/
│ │ ├── constants.go
│ │ ├── constants_windows.go
│ │ ├── docker.go
│ │ ├── docker_test.go
│ │ ├── error.go
│ │ ├── error_test.go
│ │ ├── interface.go
│ │ ├── kubernetes.go
│ │ ├── kubernetes_test.go
│ │ ├── linux.go
│ │ ├── linux_test.go
│ │ ├── ssh.go
│ │ ├── ssh_test.go
│ │ ├── testdata/
│ │ │ └── curl
│ │ ├── uid.go
│ │ ├── uid_test.go
│ │ ├── util.go
│ │ ├── windows.go
│ │ └── windows_test.go
│ ├── interfaces.go
│ ├── internal/
│ │ ├── cni/
│ │ │ ├── extractor.go
│ │ │ ├── monitor.go
│ │ │ └── processor.go
│ │ ├── docker/
│ │ │ ├── config.go
│ │ │ ├── helpers.go
│ │ │ ├── helpers_test.go
│ │ │ ├── mockdocker/
│ │ │ │ └── mockdocker.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_linux_test.go
│ │ │ ├── monitor_test.go
│ │ │ └── types.go
│ │ ├── k8s/
│ │ │ ├── config.go
│ │ │ ├── event_handler.go
│ │ │ ├── event_handler_test.go
│ │ │ ├── event_retry_handler.go
│ │ │ ├── event_retry_handler_test.go
│ │ │ ├── helpers_test.go
│ │ │ ├── mocks_pod_cache_test.go
│ │ │ ├── mocks_runtime_cache_test.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── on_startup.go
│ │ │ ├── on_startup_test.go
│ │ │ ├── pod_cache.go
│ │ │ ├── pod_cache_test.go
│ │ │ ├── runtime_cache.go
│ │ │ ├── runtime_cache_linux.go
│ │ │ ├── runtime_cache_test.go
│ │ │ ├── runtime_cache_unsupported.go
│ │ │ ├── runtime_cache_windows.go
│ │ │ └── testdata/
│ │ │ └── kubeconfig
│ │ ├── kubernetes/
│ │ │ ├── DEPRECATED.txt
│ │ │ ├── cache.go
│ │ │ ├── cache_test.go
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ ├── config.go
│ │ │ ├── handler.go
│ │ │ ├── handler_test.go
│ │ │ ├── kubernetes.go
│ │ │ ├── monitor.go
│ │ │ └── monitor_test.go
│ │ ├── linux/
│ │ │ ├── config.go
│ │ │ ├── monitor.go
│ │ │ ├── processor.go
│ │ │ └── processor_test.go
│ │ ├── pod/
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── controller.go
│ │ │ ├── controller_test.go
│ │ │ ├── delete_controller.go
│ │ │ ├── delete_controller_test.go
│ │ │ ├── mockcache_test.go
│ │ │ ├── mockclient_test.go
│ │ │ ├── mockinformer_test.go
│ │ │ ├── mockmanager_test.go
│ │ │ ├── mockzapcore_test.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── resync.go
│ │ │ ├── resync_test.go
│ │ │ ├── testdata/
│ │ │ │ └── kubeconfig
│ │ │ ├── watcher.go
│ │ │ └── watcher_test.go
│ │ ├── uid/
│ │ │ ├── config.go
│ │ │ ├── monitor.go
│ │ │ └── processor.go
│ │ └── windows/
│ │ ├── config.go
│ │ ├── monitor.go
│ │ ├── processor.go
│ │ └── processor_test.go
│ ├── mockmonitor/
│ │ └── mockmonitor.go
│ ├── monitor.go
│ ├── monitor_windows.go
│ ├── options.go
│ ├── options_windows.go
│ ├── processor/
│ │ ├── interfaces.go
│ │ └── mockprocessor/
│ │ └── mockprocessor.go
│ ├── registerer/
│ │ ├── interfaces.go
│ │ ├── registerer.go
│ │ └── registerer_test.go
│ ├── remoteapi/
│ │ ├── client/
│ │ │ ├── client.go
│ │ │ ├── client_nonwindows.go
│ │ │ ├── client_windows.go
│ │ │ ├── interfaces.go
│ │ │ └── mockclient/
│ │ │ └── mockclient.go
│ │ └── server/
│ │ ├── interfaces.go
│ │ ├── server.go
│ │ ├── server_nonwindows.go
│ │ ├── server_test.go
│ │ ├── server_windows.go
│ │ ├── uidlistener.go
│ │ └── uidlistener_nonlinux.go
│ └── server/
│ ├── pipe.go
│ ├── pipe_windows.go
│ └── server.go
├── plugins/
│ └── pam/
│ ├── README.md
│ ├── uidmonitorpam.go
│ └── uidmonitorpam_c.go
├── policy/
│ ├── apiservices.go
│ ├── interfaces.go
│ ├── mockpolicy/
│ │ └── mockpolicy.go
│ ├── policy.go
│ ├── policy_test.go
│ ├── policyerror.go
│ ├── policyerror_test.go
│ ├── puinfo.go
│ ├── runtime.go
│ ├── runtime_test.go
│ ├── tagstore.go
│ ├── tagstore_test.go
│ ├── types.go
│ └── types_test.go
├── protogen.sh
├── scripts/
│ ├── fix_bpf
│ ├── lint.sh
│ ├── lint.windows.sh
│ ├── test.sh
│ └── test.windows.sh
├── third_party/
│ └── generated/
│ └── envoyproxy/
│ └── data-plane-api/
│ └── envoy/
│ ├── api/
│ │ └── v2/
│ │ ├── core/
│ │ │ ├── address.pb.go
│ │ │ ├── base.pb.go
│ │ │ └── http_uri.pb.go
│ │ └── discovery.pb.go
│ ├── service/
│ │ ├── auth/
│ │ │ └── v2/
│ │ │ ├── attribute_context.pb.go
│ │ │ └── external_auth.pb.go
│ │ └── discovery/
│ │ └── v2/
│ │ └── sds.pb.go
│ └── type/
│ ├── http_status.pb.go
│ └── percent.pb.go
└── utils/
├── README.md
├── allocator/
│ ├── allocator.go
│ └── interfaces.go
├── cache/
│ ├── cache.go
│ └── cache_test.go
├── cgnetcls/
│ ├── cgnetcls.go
│ ├── cgnetcls_osx.go
│ ├── cgnetcls_test.go
│ ├── cgnetcls_windows.go
│ ├── constants.go
│ ├── constants_nonwindows.go
│ ├── interfaces.go
│ ├── mockcgnetcls/
│ │ └── mockcgnetcls.go
│ └── netcls.go
├── constants/
│ ├── constants.go
│ ├── constants_linux.go
│ └── constants_rhel6.go
├── cri/
│ ├── common.go
│ ├── cri_client_setup.go
│ ├── cri_client_setup_linux.go
│ ├── cri_client_setup_linux_test.go
│ ├── cri_client_setup_unsupported.go
│ ├── cri_client_setup_windows.go
│ ├── cri_runtime_wrapper.go
│ ├── cri_runtime_wrapper_test.go
│ ├── interface.go
│ └── mockcri/
│ ├── mock_runtime_service.go
│ └── mockinterface.go
├── crypto/
│ ├── crypto.go
│ └── crypto_test.go
├── fqdn/
│ ├── fqdn.go
│ └── fqdn_test.go
├── frontman/
│ ├── driver_windows.go
│ ├── driver_windows_test.go
│ ├── rulecleanup_windows.go
│ ├── rulecleanup_windows_test.go
│ ├── utils_windows.go
│ └── wrapper_windows.go
├── ipprefix/
│ ├── ipprefix.go
│ └── ipprefix_test.go
├── netinterfaces/
│ └── netinterfaces.go
├── nfqparser/
│ ├── constants.go
│ ├── nfqlayout.go
│ ├── nfqparser.go
│ └── nfqparser_test.go
├── portcache/
│ ├── portcache.go
│ └── portcache_test.go
└── portspec/
├── portspec.go
└── portspec_test.go
Showing preview only (658K chars total). Download the full file or copy to clipboard to get everything.
SYMBOL INDEX (6939 symbols across 500 files)
FILE: buildflags/buildflags.go
constant Rhel6 (line 7) | Rhel6 = ""
constant Rhel5 (line 8) | Rhel5 = ""
function IsRHEL6 (line 12) | func IsRHEL6() bool {
function IsRHEL5 (line 17) | func IsRHEL5() bool {
function IsLegacyKernel (line 22) | func IsLegacyKernel() bool {
FILE: buildflags/buildflags_rhel.go
constant Rhel6 (line 7) | Rhel6 = "rhel6"
constant Rhel5 (line 8) | Rhel5 = "rhel5"
function IsRHEL6 (line 12) | func IsRHEL6() bool {
function IsRHEL5 (line 17) | func IsRHEL5() bool {
function IsLegacyKernel (line 22) | func IsLegacyKernel() bool {
FILE: cmd/systemdutil/exec.go
function execve (line 11) | func execve(c *CLIRequest, env []string) error {
function getPUType (line 15) | func getPUType() common.PUType {
FILE: cmd/systemdutil/exec_windows.go
function execve (line 11) | func execve(c *CLIRequest, env []string) error {
function getPUType (line 20) | func getPUType() common.PUType {
FILE: cmd/systemdutil/systemdutil.go
function ExecuteCommandFromArguments (line 21) | func ExecuteCommandFromArguments(arguments map[string]interface{}) error {
type RequestType (line 34) | type RequestType
constant CreateRequest (line 38) | CreateRequest RequestType = iota
constant DeleteCgroupRequest (line 40) | DeleteCgroupRequest
constant DeleteServiceRequest (line 42) | DeleteServiceRequest
type CLIRequest (line 46) | type CLIRequest struct
type RequestProcessor (line 70) | type RequestProcessor struct
method ParseCommand (line 125) | func (r *RequestProcessor) ParseCommand(arguments map[string]interface...
method CreateAndRun (line 191) | func (r *RequestProcessor) CreateAndRun(c *CLIRequest) error {
method DeleteService (line 249) | func (r *RequestProcessor) DeleteService(c *CLIRequest) error {
method DeleteCgroup (line 271) | func (r *RequestProcessor) DeleteCgroup(c *CLIRequest) error {
method ExecuteRequest (line 307) | func (r *RequestProcessor) ExecuteRequest(c *CLIRequest) error {
function NewRequestProcessor (line 75) | func NewRequestProcessor() *RequestProcessor {
function NewCustomRequestProcessor (line 82) | func NewCustomRequestProcessor(address string) *RequestProcessor {
function sendRequest (line 322) | func sendRequest(address string, event *common.EventInfo) error {
function executableTags (line 332) | func executableTags(c *CLIRequest) []string {
function ParseServices (line 350) | func ParseServices(ports []string) ([]common.Service, error) {
FILE: collector/default.go
type DefaultCollector (line 11) | type DefaultCollector struct
method CollectFlowEvent (line 19) | func (d *DefaultCollector) CollectFlowEvent(record *FlowRecord) {}
method CollectContainerEvent (line 22) | func (d *DefaultCollector) CollectContainerEvent(record *ContainerReco...
method CollectUserEvent (line 25) | func (d *DefaultCollector) CollectUserEvent(record *UserRecord) {}
method CollectTraceEvent (line 28) | func (d *DefaultCollector) CollectTraceEvent(records []string) {}
method CollectPacketEvent (line 31) | func (d *DefaultCollector) CollectPacketEvent(report *PacketReport) {}
method CollectCounterEvent (line 34) | func (d *DefaultCollector) CollectCounterEvent(report *CounterReport) {}
method CollectDNSRequests (line 37) | func (d *DefaultCollector) CollectDNSRequests(report *DNSRequestReport...
method CollectPingEvent (line 40) | func (d *DefaultCollector) CollectPingEvent(report *PingReport) {}
method CollectConnectionExceptionReport (line 43) | func (d *DefaultCollector) CollectConnectionExceptionReport(report *Co...
function NewDefaultCollector (line 14) | func NewDefaultCollector() EventCollector {
function StatsFlowHash (line 48) | func StatsFlowHash(r *FlowRecord) (flowhash, contenthash uint64) {
function StatsFlowContentHash (line 70) | func StatsFlowContentHash(r *FlowRecord) (contenthash uint64) {
function StatsUserHash (line 77) | func StatsUserHash(r *UserRecord) error {
function ConnectionExceptionReportHash (line 87) | func ConnectionExceptionReportHash(r *ConnectionExceptionReport) uint64 {
FILE: collector/default_test.go
function TestStatsUserHash (line 9) | func TestStatsUserHash(t *testing.T) {
function TestStatsFlowHash (line 61) | func TestStatsFlowHash(t *testing.T) {
FILE: collector/interfaces.go
constant FlowReject (line 15) | FlowReject = "reject"
constant FlowAccept (line 17) | FlowAccept = "accept"
constant MissingToken (line 19) | MissingToken = "missingtoken"
constant InvalidToken (line 21) | InvalidToken = "token"
constant InvalidFormat (line 23) | InvalidFormat = "format"
constant InvalidHeader (line 25) | InvalidHeader = "header"
constant InvalidPayload (line 27) | InvalidPayload = "payload"
constant InvalidContext (line 29) | InvalidContext = "context"
constant InvalidConnection (line 31) | InvalidConnection = "connection"
constant InvalidState (line 33) | InvalidState = "state"
constant InvalidNonse (line 35) | InvalidNonse = "nonse"
constant PolicyDrop (line 37) | PolicyDrop = "policy"
constant APIPolicyDrop (line 39) | APIPolicyDrop = "api"
constant UnableToDial (line 41) | UnableToDial = "dial"
constant CompressedTagMismatch (line 43) | CompressedTagMismatch = "compressedtagmismatch"
constant EncryptionMismatch (line 45) | EncryptionMismatch = "encryptionmismatch"
constant DatapathVersionMismatch (line 47) | DatapathVersionMismatch = "datapathversionmismatch"
constant PacketDrop (line 49) | PacketDrop = "packetdrop"
constant ContainerStart (line 55) | ContainerStart = "start"
constant ContainerStop (line 57) | ContainerStop = "stop"
constant ContainerCreate (line 59) | ContainerCreate = "create"
constant ContainerDelete (line 61) | ContainerDelete = "delete"
constant ContainerUpdate (line 63) | ContainerUpdate = "update"
constant ContainerFailed (line 65) | ContainerFailed = "forcestop"
constant ContainerIgnored (line 67) | ContainerIgnored = "ignore"
constant ContainerDeleteUnknown (line 69) | ContainerDeleteUnknown = "unknowncontainer"
constant PolicyValid (line 74) | PolicyValid = "V"
constant DefaultEndPoint (line 76) | DefaultEndPoint = "default"
constant SomeClaimsSource (line 78) | SomeClaimsSource = "some-claims"
type EventCollector (line 82) | type EventCollector interface
type EndPointType (line 113) | type EndPointType
method String (line 124) | func (e *EndPointType) String() string {
constant EndPointTypeExternalIP (line 117) | EndPointTypeExternalIP EndPointType = iota
constant EndPointTypePU (line 119) | EndPointTypePU
constant EndPointTypeClaims (line 121) | EndPointTypeClaims
type EndPoint (line 139) | type EndPoint struct
type FlowRecord (line 150) | type FlowRecord struct
method String (line 171) | func (f *FlowRecord) String() string {
type ContainerRecord (line 187) | type ContainerRecord struct
type UserRecord (line 196) | type UserRecord struct
type PacketReport (line 203) | type PacketReport struct
type DNSRequestReport (line 225) | type DNSRequestReport struct
type Counters (line 238) | type Counters
type CounterReport (line 241) | type CounterReport struct
type PingReport (line 249) | type PingReport struct
type IPTablesTrace (line 288) | type IPTablesTrace struct
type IPTablesTraceRecord (line 295) | type IPTablesTraceRecord struct
type ConnectionExceptionReport (line 312) | type ConnectionExceptionReport struct
FILE: collector/mockcollector/mockcollector.go
type MockEventCollector (line 16) | type MockEventCollector struct
method EXPECT (line 37) | func (m *MockEventCollector) EXPECT() *MockEventCollectorMockRecorder {
method CollectFlowEvent (line 43) | func (m *MockEventCollector) CollectFlowEvent(record *collector.FlowRe...
method CollectContainerEvent (line 57) | func (m *MockEventCollector) CollectContainerEvent(record *collector.C...
method CollectUserEvent (line 71) | func (m *MockEventCollector) CollectUserEvent(record *collector.UserRe...
method CollectTraceEvent (line 85) | func (m *MockEventCollector) CollectTraceEvent(records []string) {
method CollectPacketEvent (line 99) | func (m *MockEventCollector) CollectPacketEvent(report *collector.Pack...
method CollectCounterEvent (line 113) | func (m *MockEventCollector) CollectCounterEvent(counterReport *collec...
method CollectDNSRequests (line 127) | func (m *MockEventCollector) CollectDNSRequests(request *collector.DNS...
method CollectPingEvent (line 141) | func (m *MockEventCollector) CollectPingEvent(report *collector.PingRe...
method CollectConnectionExceptionReport (line 155) | func (m *MockEventCollector) CollectConnectionExceptionReport(report *...
type MockEventCollectorMockRecorder (line 23) | type MockEventCollectorMockRecorder struct
method CollectFlowEvent (line 50) | func (mr *MockEventCollectorMockRecorder) CollectFlowEvent(record inte...
method CollectContainerEvent (line 64) | func (mr *MockEventCollectorMockRecorder) CollectContainerEvent(record...
method CollectUserEvent (line 78) | func (mr *MockEventCollectorMockRecorder) CollectUserEvent(record inte...
method CollectTraceEvent (line 92) | func (mr *MockEventCollectorMockRecorder) CollectTraceEvent(records in...
method CollectPacketEvent (line 106) | func (mr *MockEventCollectorMockRecorder) CollectPacketEvent(report in...
method CollectCounterEvent (line 120) | func (mr *MockEventCollectorMockRecorder) CollectCounterEvent(counterR...
method CollectDNSRequests (line 134) | func (mr *MockEventCollectorMockRecorder) CollectDNSRequests(request i...
method CollectPingEvent (line 148) | func (mr *MockEventCollectorMockRecorder) CollectPingEvent(report inte...
method CollectConnectionExceptionReport (line 162) | func (mr *MockEventCollectorMockRecorder) CollectConnectionExceptionRe...
function NewMockEventCollector (line 29) | func NewMockEventCollector(ctrl *gomock.Controller) *MockEventCollector {
FILE: common/events.go
function ConfigureTriremeSocketPath (line 13) | func ConfigureTriremeSocketPath(path string) {
type PUType (line 18) | type PUType
constant ContainerPU (line 22) | ContainerPU PUType = iota
constant LinuxProcessPU (line 24) | LinuxProcessPU
constant WindowsProcessPU (line 26) | WindowsProcessPU
constant HostPU (line 28) | HostPU
constant HostNetworkPU (line 30) | HostNetworkPU
constant KubernetesPU (line 32) | KubernetesPU
constant TransientPU (line 35) | TransientPU
constant TriremeCgroupPath (line 40) | TriremeCgroupPath = "/trireme/"
constant TriremeDockerHostNetwork (line 43) | TriremeDockerHostNetwork = "/trireme_docker_hostnet/"
type EventInfo (line 48) | type EventInfo struct
type Event (line 97) | type Event
constant EventStart (line 101) | EventStart Event = "start"
constant EventStop (line 102) | EventStop Event = "stop"
constant EventUpdate (line 103) | EventUpdate Event = "update"
constant EventCreate (line 104) | EventCreate Event = "create"
constant EventDestroy (line 105) | EventDestroy Event = "destroy"
constant EventPause (line 106) | EventPause Event = "pause"
constant EventUnpause (line 107) | EventUnpause Event = "unpause"
constant EventResync (line 108) | EventResync Event = "resync"
type EventResponse (line 126) | type EventResponse struct
type EventHandler (line 131) | type EventHandler
type State (line 134) | type State
constant StateStarted (line 138) | StateStarted State = iota + 1
constant StateStopped (line 141) | StateStopped
constant StatePaused (line 144) | StatePaused
constant StateDestroyed (line 147) | StateDestroyed
constant StateUnknwown (line 150) | StateUnknwown
FILE: common/hooks.go
constant MetadataHookPolicy (line 5) | MetadataHookPolicy = "metadata:policy"
constant MetadataHookHealth (line 6) | MetadataHookHealth = "metadata:health"
constant MetadataHookCertificate (line 7) | MetadataHookCertificate = "metadata:certificate"
constant MetadataHookKey (line 8) | MetadataHookKey = "metadata:key"
constant MetadataHookToken (line 9) | MetadataHookToken = "metadata:token"
constant AWSHookInfo (line 10) | AWSHookInfo = "aws:info"
constant AWSHookRole (line 11) | AWSHookRole = "aws:role"
constant AWSRoleARNPrefix (line 16) | AWSRoleARNPrefix = "@awsrole=arn:aws:iam::"
constant AWSRolePrefix (line 18) | AWSRolePrefix = "@awsrole="
constant MetadataKey (line 23) | MetadataKey = "X-Aporeto-Metadata"
constant MetadataValue (line 24) | MetadataValue = "secrets"
FILE: common/oauthtokens.go
type ServiceTokenType (line 9) | type ServiceTokenType
constant ServiceTokenTypeOAUTH (line 13) | ServiceTokenTypeOAUTH ServiceTokenType = "oauth"
constant ServiceTokenTypeAWS (line 15) | ServiceTokenTypeAWS ServiceTokenType = "aws"
type ServiceTokenIssuer (line 21) | type ServiceTokenIssuer interface
FILE: common/service.go
type Service (line 9) | type Service struct
function ConvertServicesToPortList (line 27) | func ConvertServicesToPortList(services []Service) string {
function ConvertServicesToProtocolPortList (line 44) | func ConvertServicesToProtocolPortList(services []Service) (string, stri...
FILE: controller/config.go
type config (line 29) | type config struct
type Option (line 58) | type Option
function OptionBPFEnabled (line 61) | func OptionBPFEnabled(bpfEnabled bool) Option {
function OptionIptablesLockfile (line 68) | func OptionIptablesLockfile(iptablesLockfile string) Option {
function OptionIPv6Enable (line 75) | func OptionIPv6Enable(ipv6Enabled bool) Option {
function OptionCollector (line 82) | func OptionCollector(c collector.EventCollector) Option {
function OptionDatapathService (line 89) | func OptionDatapathService(s packetprocessor.PacketProcessor) Option {
function OptionSecret (line 96) | func OptionSecret(s secrets.Secrets) Option {
function OptionEnforceLinuxProcess (line 103) | func OptionEnforceLinuxProcess() Option {
function OptionEnforceFqConfig (line 110) | func OptionEnforceFqConfig(f fqconfig.FilterQueue) Option {
function OptionDisableMutualAuth (line 117) | func OptionDisableMutualAuth() Option {
function OptionRuntimeConfiguration (line 124) | func OptionRuntimeConfiguration(c *runtime.Configuration) Option {
function OptionProcMountPoint (line 131) | func OptionProcMountPoint(p string) Option {
function OptionRuntimeErrorChannel (line 138) | func OptionRuntimeErrorChannel(errorChannel chan *policy.RuntimeError) O...
function OptionPacketLogs (line 146) | func OptionPacketLogs() Option {
function OptionRemoteParameters (line 153) | func OptionRemoteParameters(p *env.RemoteParameters) Option {
function OptionTokenIssuer (line 160) | func OptionTokenIssuer(t common.ServiceTokenIssuer) Option {
function OptionAgentVersion (line 167) | func OptionAgentVersion(v semver.Version) Option {
method newEnforcers (line 173) | func (t *trireme) newEnforcers(ctx context.Context) error {
method newSupervisors (line 233) | func (t *trireme) newSupervisors() error {
function newTrireme (line 266) | func newTrireme(ctx context.Context, c *config) TriremeController {
FILE: controller/config_nonwindows.go
method setupEnvoyAuthorizer (line 12) | func (t *trireme) setupEnvoyAuthorizer() error {
method setupEnvoySupervisor (line 35) | func (t *trireme) setupEnvoySupervisor(sup supervisor.Supervisor) error {
FILE: controller/config_windows.go
method setupEnvoyAuthorizer (line 9) | func (t *trireme) setupEnvoyAuthorizer() error {
method setupEnvoySupervisor (line 13) | func (t *trireme) setupEnvoySupervisor(sup supervisor.Supervisor) error {
FILE: controller/constants/constants.go
constant DefaultProcMountPoint (line 10) | DefaultProcMountPoint = "/proc"
constant DefaultAporetoProcMountPoint (line 12) | DefaultAporetoProcMountPoint = "/aporetoproc"
constant DefaultSecretsPath (line 14) | DefaultSecretsPath = "@secrets"
constant EnforcerdCleanerName (line 17) | EnforcerdCleanerName = "cleaner"
constant DefaultEnforcerdCleanerPath (line 40) | DefaultEnforcerdCleanerPath = "/sbin/cleaner"
constant RemoteEnforcerBuildName (line 43) | RemoteEnforcerBuildName = "remoteenforcerd"
constant RemoteEnforcerSrcName (line 46) | RemoteEnforcerSrcName = "remoteenforcer"
constant DefaultRemoteArg (line 51) | DefaultRemoteArg = "enforce"
constant EnvMountPoint (line 57) | EnvMountPoint = "TRIREME_ENV_PROC_MOUNTPOINT"
constant EnvEnforcerType (line 60) | EnvEnforcerType = "TRIREME_ENV_ENFORCER_TYPE"
constant EnvContextSocket (line 63) | EnvContextSocket = "TRIREME_ENV_SOCKET_PATH"
constant EnvStatsChannel (line 66) | EnvStatsChannel = "TRIREME_ENV_STATS_CHANNEL_PATH"
constant EnvDebugChannel (line 69) | EnvDebugChannel = "TRIREME_ENV_DEBUG_CHANNEL_PATH"
constant EnvRPCClientSecret (line 72) | EnvRPCClientSecret = "TRIREME_ENV_SECRET"
constant EnvStatsSecret (line 75) | EnvStatsSecret = "TRIREME_ENV_STATS_SECRET"
constant EnvContainerPID (line 78) | EnvContainerPID = "TRIREME_ENV_CONTAINER_PID"
constant EnvNSPath (line 81) | EnvNSPath = "TRIREME_ENV_NS_PATH"
constant EnvNsenterErrorState (line 84) | EnvNsenterErrorState = "TRIREME_ENV_NSENTER_ERROR_STATE"
constant EnvNsenterLogs (line 87) | EnvNsenterLogs = "TRIREME_ENV_NSENTER_LOGS"
constant EnvLogLevel (line 90) | EnvLogLevel = "TRIREME_ENV_LOG_LEVEL"
constant EnvLogFormat (line 93) | EnvLogFormat = "TRIREME_ENV_LOG_FORMAT"
constant EnvLogID (line 96) | EnvLogID = "TRIREME_ENV_LOG_ID"
constant EnvCompressedTags (line 99) | EnvCompressedTags = "TRIREME_ENV_COMPRESSED_TAGS"
constant EnvEnforcerdToolsDir (line 102) | EnvEnforcerdToolsDir = "TRIREME_ENV_ENFORCERD_TOOLS_DIR"
constant EnvEnforcerdNFQueues (line 105) | EnvEnforcerdNFQueues = "TRIREME_ENV_NUM_NFQUEUES"
type ModeType (line 109) | type ModeType
constant RemoteContainer (line 114) | RemoteContainer ModeType = iota
constant LocalServer (line 116) | LocalServer
constant LocalEnvoyAuthorizer (line 118) | LocalEnvoyAuthorizer
constant RemoteContainerEnvoyAuthorizer (line 120) | RemoteContainerEnvoyAuthorizer
type LogLevel (line 124) | type LogLevel
constant OptionLogLevel (line 129) | OptionLogLevel = "log-level"
constant OptionLogFormat (line 131) | OptionLogFormat = "log-format"
constant OptionLogFilePath (line 133) | OptionLogFilePath = "log-file-path"
constant Info (line 138) | Info LogLevel = "Info"
constant Debug (line 139) | Debug LogLevel = "Debug"
constant Trace (line 140) | Trace LogLevel = "Trace"
constant Error (line 141) | Error LogLevel = "Error"
constant Warn (line 142) | Warn LogLevel = "Warn"
constant CallbackURIExtension (line 147) | CallbackURIExtension = "/aporeto/oidc/callback"
constant TCPProtoNum (line 152) | TCPProtoNum = "6"
constant UDPProtoNum (line 153) | UDPProtoNum = "17"
constant TCPProtoString (line 154) | TCPProtoString = "TCP"
constant UDPProtoString (line 155) | UDPProtoString = "UDP"
constant AllProtoString (line 156) | AllProtoString = "ALL"
constant MaxICMPCodes (line 160) | MaxICMPCodes = 25
constant PortNumberLabelString (line 170) | PortNumberLabelString = "@sys:port"
constant ControllerLabelString (line 175) | ControllerLabelString = "$controller"
constant SynTokenRefreshTime (line 184) | SynTokenRefreshTime = 5 * time.Minute
constant SynTokenValidity (line 186) | SynTokenValidity = 10 * time.Minute
function ConfigureRemoteEnforcerPath (line 196) | func ConfigureRemoteEnforcerPath(path string) {
function ConfigureSocketsPath (line 201) | func ConfigureSocketsPath(sockPath string) {
constant ProxyMarkInt (line 209) | ProxyMarkInt = 0x40
constant ProxyMark (line 210) | ProxyMark = "0x40"
constant ChainPrefix (line 215) | ChainPrefix = "TRI-"
FILE: controller/constants/constants_nonrhel6.go
constant IpsetBinaryName (line 6) | IpsetBinaryName = "aporeto-ipset"
FILE: controller/constants/constants_rhel6.go
constant IpsetBinaryName (line 6) | IpsetBinaryName = "ipset"
FILE: controller/constants/constants_test.go
function TestConfigureRemoteEnforcerPath (line 8) | func TestConfigureRemoteEnforcerPath(t *testing.T) {
function TestConfigureSocketsPath (line 23) | func TestConfigureSocketsPath(t *testing.T) {
FILE: controller/controller.go
type traceTrigger (line 25) | type traceTrigger struct
type trireme (line 33) | type trireme struct
method Run (line 71) | func (t *trireme) Run(ctx context.Context) error {
method CleanUp (line 93) | func (t *trireme) CleanUp() error {
method Enforce (line 105) | func (t *trireme) Enforce(ctx context.Context, puID string, policy *po...
method UnEnforce (line 113) | func (t *trireme) UnEnforce(ctx context.Context, puID string, policy *...
method UpdatePolicy (line 124) | func (t *trireme) UpdatePolicy(ctx context.Context, puID string, plc *...
method EnableDatapathPacketTracing (line 131) | func (t *trireme) EnableDatapathPacketTracing(ctx context.Context, puI...
method EnableIPTablesPacketTracing (line 138) | func (t *trireme) EnableIPTablesPacketTracing(ctx context.Context, puI...
method Ping (line 146) | func (t *trireme) Ping(ctx context.Context, puID string, policy *polic...
method DebugCollect (line 153) | func (t *trireme) DebugCollect(ctx context.Context, puID string, polic...
method UpdateSecrets (line 161) | func (t *trireme) UpdateSecrets(secrets secrets.Secrets) error {
method UpdateConfiguration (line 172) | func (t *trireme) UpdateConfiguration(cfg *runtime.Configuration) error {
method doHandleCreate (line 206) | func (t *trireme) doHandleCreate(ctx context.Context, contextID string...
method doHandleDelete (line 250) | func (t *trireme) doHandleDelete(ctx context.Context, contextID string...
method doUpdatePolicy (line 272) | func (t *trireme) doUpdatePolicy(ctx context.Context, contextID string...
method doHandleEnableDatapathPacketTracing (line 316) | func (t *trireme) doHandleEnableDatapathPacketTracing(ctx context.Cont...
method doHandleEnableIPTablesPacketTracing (line 321) | func (t *trireme) doHandleEnableIPTablesPacketTracing(ctx context.Cont...
method runIPTraceCollector (line 347) | func (t *trireme) runIPTraceCollector(ctx context.Context) {
method modeTypeFromPolicy (line 377) | func (t *trireme) modeTypeFromPolicy(policyInfo *policy.PUPolicy, runt...
function New (line 43) | func New(ctx context.Context, serverID string, mode constants.ModeType, ...
FILE: controller/helpers.go
function LaunchRemoteEnforcer (line 14) | func LaunchRemoteEnforcer(ctx context.Context, logLevel string, logForma...
function addTransmitterLabel (line 23) | func addTransmitterLabel(contextID string, containerInfo *policy.PUInfo) {
function mustEnforce (line 36) | func mustEnforce(contextID string, containerInfo *policy.PUInfo) bool {
FILE: controller/interfaces.go
type TriremeController (line 14) | type TriremeController interface
type DebugInfo (line 40) | type DebugInfo interface
FILE: controller/internal/enforcer/acls/acl.go
type acl (line 19) | type acl struct
method addICMPToCache (line 37) | func (a *acl) addICMPToCache(ip net.IP, mask int, baseRule string, lis...
method removeICMPFromCache (line 52) | func (a *acl) removeICMPFromCache(ip net.IP, mask int, baseRule string...
method removeFromCache (line 77) | func (a *acl) removeFromCache(ip net.IP, mask int, nomatch bool, proto...
method addToCache (line 140) | func (a *acl) addToCache(ip net.IP, mask int, port string, proto strin...
method removeIPMask (line 180) | func (a *acl) removeIPMask(ip net.IP, mask int) {
method matchRule (line 186) | func (a *acl) matchRule(ip net.IP, port uint16, proto uint8, preReport...
method addRule (line 211) | func (a *acl) addRule(rule policy.IPRule) (err error) {
method getMatchingAction (line 261) | func (a *acl) getMatchingAction(ip net.IP, port uint16, proto uint8, p...
function newACL (line 25) | func newACL() *acl {
FILE: controller/internal/enforcer/acls/acl_test.go
function TestLookup (line 63) | func TestLookup(t *testing.T) {
function TestICMPMatch (line 139) | func TestICMPMatch(t *testing.T) {
function TestICMPRemove (line 220) | func TestICMPRemove(t *testing.T) {
function TestRemove (line 286) | func TestRemove(t *testing.T) {
function TestObservedLookup (line 419) | func TestObservedLookup(t *testing.T) {
function TestNomatchLookup (line 512) | func TestNomatchLookup(t *testing.T) {
FILE: controller/internal/enforcer/acls/aclcache.go
type ACLCache (line 12) | type ACLCache struct
method AddRule (line 28) | func (c *ACLCache) AddRule(rule policy.IPRule) (err error) {
method AddRuleList (line 42) | func (c *ACLCache) AddRuleList(rules policy.IPRuleList) (err error) {
method RemoveRulesForAddress (line 54) | func (c *ACLCache) RemoveRulesForAddress(address *Address, protocol st...
method RemoveIPMask (line 70) | func (c *ACLCache) RemoveIPMask(ip net.IP, mask int) {
method GetMatchingAction (line 78) | func (c *ACLCache) GetMatchingAction(ip net.IP, port uint16, proto uin...
method GetMatchingICMPAction (line 111) | func (c *ACLCache) GetMatchingICMPAction(ip net.IP, icmpType, icmpCode...
function NewACLCache (line 19) | func NewACLCache() *ACLCache {
FILE: controller/internal/enforcer/acls/aclcache_test.go
function TestEmptyACLCacheLookup (line 17) | func TestEmptyACLCacheLookup(t *testing.T) {
function TestRejectPrioritizedOverAcceptCacheLookup (line 46) | func TestRejectPrioritizedOverAcceptCacheLookup(t *testing.T) {
function TestEmptyACLWithObserveContinueCacheLookup (line 86) | func TestEmptyACLWithObserveContinueCacheLookup(t *testing.T) {
function TestEmptyACLWithObserveApplyCacheLookup (line 119) | func TestEmptyACLWithObserveApplyCacheLookup(t *testing.T) {
function TestObserveContinueApplyCacheLookup (line 152) | func TestObserveContinueApplyCacheLookup(t *testing.T) {
function TestAcceptWithNomatchCacheLookup (line 222) | func TestAcceptWithNomatchCacheLookup(t *testing.T) {
function TestRemoveRules (line 275) | func TestRemoveRules(t *testing.T) {
FILE: controller/internal/enforcer/acls/icmpacl.go
type icmpRule (line 11) | type icmpRule struct
method match (line 17) | func (rule *icmpRule) match(icmpType, icmpCode int8) (*policy.FlowPoli...
method matchICMPRule (line 107) | func (a *acl) matchICMPRule(ip net.IP, icmpType int8, icmpCode int8) (*p...
FILE: controller/internal/enforcer/acls/ports.go
type portAction (line 16) | type portAction struct
type portActionList (line 24) | type portActionList
method lookup (line 68) | func (p *portActionList) lookup(port uint16, preReported *policy.FlowP...
function newPortAction (line 27) | func newPortAction(tcpport string, policy *policy.FlowPolicy, nomatch bo...
FILE: controller/internal/enforcer/acls/ports_test.go
function TestEmptyPortListLookup (line 12) | func TestEmptyPortListLookup(t *testing.T) {
function TestPortListLookup (line 26) | func TestPortListLookup(t *testing.T) {
function TestPortListLookupObservedPolicyContinue (line 93) | func TestPortListLookupObservedPolicyContinue(t *testing.T) {
function TestPortListLookupObservedPolicyApply (line 158) | func TestPortListLookupObservedPolicyApply(t *testing.T) {
function TestPortListWithNomatchLookup (line 233) | func TestPortListWithNomatchLookup(t *testing.T) {
FILE: controller/internal/enforcer/acls/utils.go
type Address (line 11) | type Address struct
function ParseAddress (line 21) | func ParseAddress(address string) (*Address, error) {
FILE: controller/internal/enforcer/acls/utils_test.go
function TestParseAddress (line 9) | func TestParseAddress(t *testing.T) {
FILE: controller/internal/enforcer/apiauth/apiauth.go
constant DefaultValidity (line 23) | DefaultValidity = 60 * time.Second
constant TriremeOIDCCallbackURI (line 27) | TriremeOIDCCallbackURI = "/aporeto/oidc/callback"
type Processor (line 31) | type Processor struct
method retrieveNetworkContext (line 47) | func (p *Processor) retrieveNetworkContext(originalIP *net.TCPAddr) (*...
method retrieveApplicationContext (line 52) | func (p *Processor) retrieveApplicationContext(address *net.TCPAddr) (...
method UpdateSecrets (line 58) | func (p *Processor) UpdateSecrets(s secrets.Secrets) {
method ApplicationRequest (line 68) | func (p *Processor) ApplicationRequest(r *Request) (*AppAuthResponse, ...
method NetworkRequest (line 162) | func (p *Processor) NetworkRequest(ctx context.Context, r *Request) (*...
function New (line 40) | func New(contextID string, s secrets.Secrets) *Processor {
function userCredentials (line 390) | func userCredentials(ctx context.Context, pctx *serviceregistry.PortCont...
function processHeaders (line 430) | func processHeaders(r *Request) (string, string) {
FILE: controller/internal/enforcer/apiauth/apiauth_test.go
constant policyID (line 30) | policyID = "somepolicy"
constant rejectPolicyID (line 31) | rejectPolicyID = "somerejectepolicy"
constant serviceID (line 32) | serviceID = "someservice"
constant rejectServiceID (line 33) | rejectServiceID = "somerejectservice"
constant namespace (line 34) | namespace = "somenamespace"
constant appLabel (line 35) | appLabel = "app=web"
function newBaseApplicationServices (line 38) | func newBaseApplicationServices(ctrl *gomock.Controller, id string, ipAd...
function newAPIAuthProcessor (line 95) | func newAPIAuthProcessor(ctrl *gomock.Controller) (*serviceregistry.Regi...
function Test_New (line 223) | func Test_New(t *testing.T) {
function Test_ApplicationRequest (line 234) | func Test_ApplicationRequest(t *testing.T) {
function Test_NetworkRequest (line 422) | func Test_NetworkRequest(t *testing.T) {
function Test_UserCredentials (line 758) | func Test_UserCredentials(t *testing.T) {
FILE: controller/internal/enforcer/apiauth/types.go
type Request (line 16) | type Request struct
type NetworkAuthResponse (line 37) | type NetworkAuthResponse struct
type PingConfig (line 77) | type PingConfig struct
type AppAuthResponse (line 85) | type AppAuthResponse struct
type AuthError (line 112) | type AuthError struct
method Error (line 119) | func (a *AuthError) Error() string {
method Message (line 124) | func (a *AuthError) Message() string {
method Status (line 129) | func (a *AuthError) Status() int {
FILE: controller/internal/enforcer/applicationproxy/applicationproxy.go
type ServerInterface (line 36) | type ServerInterface interface
type clientData (line 41) | type clientData struct
type AppProxy (line 47) | type AppProxy struct
method Run (line 88) | func (p *AppProxy) Run(ctx context.Context) error {
method Enforce (line 96) | func (p *AppProxy) Enforce(ctx context.Context, puID string, puInfo *p...
method Unenforce (line 199) | func (p *AppProxy) Unenforce(ctx context.Context, puID string) error {
method GetFilterQueue (line 234) | func (p *AppProxy) GetFilterQueue() *fqconfig.FilterQueue {
method Ping (line 239) | func (p *AppProxy) Ping(ctx context.Context, contextID string, sctx *s...
method UpdateSecrets (line 269) | func (p *AppProxy) UpdateSecrets(secret secrets.Secrets) error {
method registerAndRun (line 277) | func (p *AppProxy) registerAndRun(ctx context.Context, puID string, lt...
method createNetworkListener (line 305) | func (p *AppProxy) createNetworkListener(ctx context.Context, port str...
method processCertificateUpdates (line 311) | func (p *AppProxy) processCertificateUpdates(puInfo *policy.PUInfo, cl...
method expandCAPool (line 339) | func (p *AppProxy) expandCAPool(externalCAs [][]byte) (*x509.CertPool,...
method ServiceData (line 357) | func (p *AppProxy) ServiceData(
function NewAppProxy (line 63) | func NewAppProxy(
FILE: controller/internal/enforcer/applicationproxy/common/common.go
type ListenerType (line 12) | type ListenerType
constant TCPApplication (line 16) | TCPApplication ListenerType = iota
constant TCPNetwork (line 17) | TCPNetwork
constant HTTPApplication (line 18) | HTTPApplication
constant HTTPNetwork (line 19) | HTTPNetwork
constant HTTPSApplication (line 20) | HTTPSApplication
constant HTTPSNetwork (line 21) | HTTPSNetwork
function ExtractExtension (line 25) | func ExtractExtension(oid asn1.ObjectIdentifier, extensions []pkix.Exten...
function GetTLSServerName (line 39) | func GetTLSServerName(
FILE: controller/internal/enforcer/applicationproxy/http/error_handler.go
constant TriremeBadGatewayText (line 12) | TriremeBadGatewayText = ":The downstream port cannot be accessed. Please...
constant TriremeGatewayTimeout (line 15) | TriremeGatewayTimeout = ":The downstream node timed-out."
constant StatusClientClosedRequest (line 18) | StatusClientClosedRequest = 499
constant StatusClientClosedRequestText (line 21) | StatusClientClosedRequestText = "Client Closed Request"
type TriremeHTTPErrHandler (line 25) | type TriremeHTTPErrHandler struct
method ServeHTTP (line 27) | func (e TriremeHTTPErrHandler) ServeHTTP(w http.ResponseWriter, req *h...
function statusText (line 46) | func statusText(statusCode int) string {
FILE: controller/internal/enforcer/applicationproxy/http/http.go
type statsContextKeyType (line 40) | type statsContextKeyType
constant statsContextKey (line 43) | statsContextKey = statsContextKeyType("statsContext")
constant TriremeOIDCCallbackURI (line 47) | TriremeOIDCCallbackURI = "/aporeto/oidc/callback"
constant typeCertificate (line 48) | typeCertificate = "CERTIFICATE"
type JWTClaims (line 52) | type JWTClaims struct
type hookFunc (line 59) | type hookFunc
type Config (line 62) | type Config struct
method clientTLSConfiguration (line 134) | func (p *Config) clientTLSConfiguration(conn net.Conn, originalConfig ...
method newBaseTLSConfig (line 163) | func (p *Config) newBaseTLSConfig() *tls.Config {
method newBaseTLSClientConfig (line 172) | func (p *Config) newBaseTLSClientConfig() *tls.Config {
method GetClientCertificateFunc (line 181) | func (p *Config) GetClientCertificateFunc(*tls.CertificateRequestInfo)...
method RunNetworkServer (line 216) | func (p *Config) RunNetworkServer(ctx context.Context, l net.Listener,...
method ShutDown (line 410) | func (p *Config) ShutDown() error {
method UpdateSecrets (line 415) | func (p *Config) UpdateSecrets(cert *tls.Certificate, caPool *x509.Cer...
method GetCertificateFunc (line 431) | func (p *Config) GetCertificateFunc(clientHello *tls.ClientHelloInfo) ...
method processAppRequest (line 547) | func (p *Config) processAppRequest(w http.ResponseWriter, r *http.Requ...
method processNetRequest (line 616) | func (p *Config) processNetRequest(w http.ResponseWriter, r *http.Requ...
method policyHook (line 789) | func (p *Config) policyHook(w http.ResponseWriter, r *http.Request) (b...
method certificateHook (line 807) | func (p *Config) certificateHook(w http.ResponseWriter, r *http.Reques...
method keyHook (line 820) | func (p *Config) keyHook(w http.ResponseWriter, r *http.Request) (bool...
method healthHook (line 833) | func (p *Config) healthHook(w http.ResponseWriter, r *http.Request) (b...
method tokenHook (line 848) | func (p *Config) tokenHook(w http.ResponseWriter, r *http.Request) (bo...
method awsInfoHook (line 880) | func (p *Config) awsInfoHook(w http.ResponseWriter, r *http.Request) (...
method awsTokenHook (line 918) | func (p *Config) awsTokenHook(w http.ResponseWriter, r *http.Request) ...
method awsRole (line 962) | func (p *Config) awsRole() (string, string, error) {
function NewHTTPProxy (line 88) | func NewHTTPProxy(
function buildCertChain (line 490) | func buildCertChain(certPEM, caPEM []byte) ([]byte, error) {
function x509CertChainToPem (line 529) | func x509CertChainToPem(certChain []*x509.Certificate) ([]byte, error) {
function x509CertToPem (line 540) | func x509CertToPem(cert *x509.Certificate) ([]byte, error) {
function validateAWSHeaders (line 990) | func validateAWSHeaders(r *http.Request) error {
FILE: controller/internal/enforcer/applicationproxy/http/ping_http.go
constant fourTupleKey (line 23) | fourTupleKey = "fourTuple"
type fourTuple (line 25) | type fourTuple struct
method InitiatePing (line 33) | func (p *Config) InitiatePing(ctx context.Context, sctx *serviceregistry...
method sendPingRequest (line 46) | func (p *Config) sendPingRequest(
function dial (line 221) | func dial(ctx context.Context, addr string, mark int) (net.Conn, error) {
FILE: controller/internal/enforcer/applicationproxy/http/transport.go
type TriremeRoundTripper (line 11) | type TriremeRoundTripper struct
method RoundTrip (line 25) | func (t *TriremeRoundTripper) RoundTrip(req *http.Request) (*http.Resp...
function NewTriremeRoundTripper (line 17) | func NewTriremeRoundTripper(r http.RoundTripper) *TriremeRoundTripper {
FILE: controller/internal/enforcer/applicationproxy/markedconn/mark_linux.go
function makeListenerConfig (line 12) | func makeListenerConfig(mark int) net.ListenConfig {
function ControlFunc (line 28) | func ControlFunc(mark int, block bool, platformData *PlatformData) Contr...
FILE: controller/internal/enforcer/applicationproxy/markedconn/mark_windows.go
function makeListenerConfig (line 13) | func makeListenerConfig(mark int) net.ListenConfig {
function ControlFunc (line 18) | func ControlFunc(mark int, block bool, platformData *PlatformData) Contr...
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn.go
type Control (line 17) | type Control
function makeDialer (line 19) | func makeDialer(mark int, platformData *PlatformData) net.Dialer {
function DialMarkedWithContext (line 28) | func DialMarkedWithContext(ctx context.Context, network string, addr str...
function NewSocketListener (line 47) | func NewSocketListener(ctx context.Context, port string, mark int) (net....
type ProxiedConnection (line 65) | type ProxiedConnection struct
method GetOriginalDestination (line 79) | func (p *ProxiedConnection) GetOriginalDestination() (net.IP, int) {
method GetPlatformData (line 84) | func (p *ProxiedConnection) GetPlatformData() *PlatformData {
method GetTCPConnection (line 89) | func (p *ProxiedConnection) GetTCPConnection() *net.TCPConn {
method LocalAddr (line 95) | func (p *ProxiedConnection) LocalAddr() net.Addr {
method RemoteAddr (line 104) | func (p *ProxiedConnection) RemoteAddr() net.Addr {
method Read (line 109) | func (p *ProxiedConnection) Read(b []byte) (n int, err error) {
method Write (line 114) | func (p *ProxiedConnection) Write(b []byte) (n int, err error) {
method Close (line 119) | func (p *ProxiedConnection) Close() error {
method SetDeadline (line 124) | func (p *ProxiedConnection) SetDeadline(t time.Time) error {
method SetReadDeadline (line 129) | func (p *ProxiedConnection) SetReadDeadline(t time.Time) error {
method SetWriteDeadline (line 134) | func (p *ProxiedConnection) SetWriteDeadline(t time.Time) error {
type PlatformData (line 73) | type PlatformData struct
type ProxiedListener (line 139) | type ProxiedListener struct
method Accept (line 167) | func (l ProxiedListener) Accept() (c net.Conn, err error) {
method Addr (line 195) | func (l ProxiedListener) Addr() net.Addr {
method Close (line 200) | func (l ProxiedListener) Close() error {
type passFD (line 145) | type passFD interface
function getOriginalDestination (line 149) | func getOriginalDestination(conn *net.TCPConn) (net.IP, int, *PlatformDa...
function GetInterfaces (line 205) | func GetInterfaces() map[string]struct{} {
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn_darwin.go
type Control (line 16) | type Control
function DialMarkedWithContext (line 19) | func DialMarkedWithContext(ctx context.Context, network string, addr str...
function ControlFunc (line 34) | func ControlFunc(mark int, block bool, platformData *PlatformData) Contr...
function NewSocketListener (line 39) | func NewSocketListener(ctx context.Context, port string, mark int) (net....
type ProxiedConnection (line 52) | type ProxiedConnection struct
method GetTCPConnection (line 66) | func (p *ProxiedConnection) GetTCPConnection() *net.TCPConn {
method GetOriginalDestination (line 71) | func (p *ProxiedConnection) GetOriginalDestination() (net.IP, int) {
method GetPlatformData (line 76) | func (p *ProxiedConnection) GetPlatformData() *PlatformData {
type PlatformData (line 60) | type PlatformData struct
type ProxiedListener (line 81) | type ProxiedListener struct
method Accept (line 87) | func (l ProxiedListener) Accept() (c net.Conn, err error) {
method Addr (line 97) | func (l ProxiedListener) Addr() net.Addr {
method Close (line 102) | func (l ProxiedListener) Close() error {
function GetInterfaces (line 107) | func GetInterfaces() map[string]struct{} {
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn_test.go
type testPassFD (line 16) | type testPassFD struct
method Control (line 19) | func (*testPassFD) Control(f func(uintptr)) error {
function TestGetOrigDestV4 (line 24) | func TestGetOrigDestV4(t *testing.T) {
function TestGetOrigDestV6 (line 46) | func TestGetOrigDestV6(t *testing.T) {
function TestGetOrigDestV4Err1 (line 66) | func TestGetOrigDestV4Err1(t *testing.T) {
function TestGetOrigDestV6Err1 (line 78) | func TestGetOrigDestV6Err1(t *testing.T) {
function TestGetOrigDestV4Err2 (line 88) | func TestGetOrigDestV4Err2(t *testing.T) {
function TestGetOrigDestV6Err2 (line 99) | func TestGetOrigDestV6Err2(t *testing.T) {
function TestLocalAddr (line 110) | func TestLocalAddr(t *testing.T) {
function TestSocketListener (line 121) | func TestSocketListener(t *testing.T) {
function TestGetInterfaces (line 129) | func TestGetInterfaces(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn_windows_test.go
type abi (line 16) | type abi struct
method FrontmanOpenShared (line 29) | func (a *abi) FrontmanOpenShared() (uintptr, error) {
method GetDestInfo (line 33) | func (a *abi) GetDestInfo(driverHandle, socket, destInfo uintptr) (uin...
method ApplyDestHandle (line 49) | func (a *abi) ApplyDestHandle(socket, destHandle uintptr) (uintptr, er...
method FreeDestHandle (line 57) | func (a *abi) FreeDestHandle(destHandle uintptr) (uintptr, error) {
method NewIpset (line 62) | func (a *abi) NewIpset(driverHandle, name, ipsetType, ipset uintptr) (...
method GetIpset (line 66) | func (a *abi) GetIpset(driverHandle, name, ipset uintptr) (uintptr, er...
method DestroyAllIpsets (line 70) | func (a *abi) DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr,...
method ListIpsets (line 74) | func (a *abi) ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, byt...
method IpsetAdd (line 78) | func (a *abi) IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (u...
method IpsetAddOption (line 82) | func (a *abi) IpsetAddOption(driverHandle, ipset, entry, option, timeo...
method IpsetDelete (line 86) | func (a *abi) IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr...
method IpsetDestroy (line 90) | func (a *abi) IpsetDestroy(driverHandle, ipset uintptr) (uintptr, erro...
method IpsetFlush (line 94) | func (a *abi) IpsetFlush(driverHandle, ipset uintptr) (uintptr, error) {
method IpsetTest (line 98) | func (a *abi) IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, ...
method PacketFilterStart (line 102) | func (a *abi) PacketFilterStart(frontman, firewallName, receiveCallbac...
method PacketFilterClose (line 106) | func (a *abi) PacketFilterClose() (uintptr, error) {
method PacketFilterForward (line 110) | func (a *abi) PacketFilterForward(info, packet uintptr) (uintptr, erro...
method AppendFilter (line 114) | func (a *abi) AppendFilter(driverHandle, outbound, filterName, isGotoF...
method InsertFilter (line 118) | func (a *abi) InsertFilter(driverHandle, outbound, priority, filterNam...
method DestroyFilter (line 122) | func (a *abi) DestroyFilter(driverHandle, filterName uintptr) (uintptr...
method EmptyFilter (line 126) | func (a *abi) EmptyFilter(driverHandle, filterName uintptr) (uintptr, ...
method GetFilterList (line 130) | func (a *abi) GetFilterList(driverHandle, outbound, buffer, bufferSize...
method AppendFilterCriteria (line 134) | func (a *abi) AppendFilterCriteria(driverHandle, filterName, criteriaN...
method DeleteFilterCriteria (line 138) | func (a *abi) DeleteFilterCriteria(driverHandle, filterName, criteriaN...
method ListIpsetsDetail (line 142) | func (a *abi) ListIpsetsDetail(driverHandle, format, ipsetNames, ipset...
method GetCriteriaList (line 146) | func (a *abi) GetCriteriaList(driverHandle, format, criteriaList, crit...
type testPassFD (line 150) | type testPassFD struct
method Control (line 153) | func (*testPassFD) Control(f func(uintptr)) error {
function TestWindowsGetOrigDest (line 158) | func TestWindowsGetOrigDest(t *testing.T) {
function TestWindowsGetOrigDestBadDestInfo (line 171) | func TestWindowsGetOrigDestBadDestInfo(t *testing.T) {
function TestWindowsGetOrigDestBadIP (line 184) | func TestWindowsGetOrigDestBadIP(t *testing.T) {
function TestSocketListenerWindows (line 198) | func TestSocketListenerWindows(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/markedconn/origdest_linux.go
constant sockOptOriginalDst (line 13) | sockOptOriginalDst = 80
type sockaddr4 (line 16) | type sockaddr4 struct
type sockaddr6 (line 21) | type sockaddr6 struct
type origDest (line 29) | type origDest
function getOriginalDestPlatform (line 31) | func getOriginalDestPlatform(rawConn passFD, v4Proto bool) (net.IP, int,...
function getOriginalDestInternal (line 35) | func getOriginalDestInternal(rawConn passFD, v4Proto bool, getOrigDest o...
FILE: controller/internal/enforcer/applicationproxy/markedconn/origdest_windows.go
function getOriginalDestPlatform (line 13) | func getOriginalDestPlatform(rawConn passFD, v4Proto bool) (net.IP, int,...
FILE: controller/internal/enforcer/applicationproxy/markedconn/platformdata.go
type PlatformDataControl (line 11) | type PlatformDataControl struct
method StorePlatformData (line 20) | func (n *PlatformDataControl) StorePlatformData(ip net.IP, port int, p...
function NewPlatformDataControl (line 15) | func NewPlatformDataControl() *PlatformDataControl {
function RemovePlatformData (line 24) | func RemovePlatformData(l net.Listener, conn net.Conn) *PlatformData {
function TakePlatformData (line 29) | func TakePlatformData(l net.Listener, ip net.IP, port int) *PlatformData {
FILE: controller/internal/enforcer/applicationproxy/markedconn/platformdata_test.go
function TestStoreTake (line 12) | func TestStoreTake(t *testing.T) {
function TestStoreRemove (line 47) | func TestStoreRemove(t *testing.T) {
function TestStoreMultiple (line 89) | func TestStoreMultiple(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/markedconn/platformdata_windows.go
type PlatformDataControl (line 14) | type PlatformDataControl struct
method StorePlatformData (line 28) | func (n *PlatformDataControl) StorePlatformData(ip net.IP, port int, p...
method takePlatformData (line 60) | func (n *PlatformDataControl) takePlatformData(ip net.IP, port int) *P...
function NewPlatformDataControl (line 20) | func NewPlatformDataControl() *PlatformDataControl {
function RemovePlatformData (line 37) | func RemovePlatformData(l net.Listener, conn net.Conn) *PlatformData {
function TakePlatformData (line 51) | func TakePlatformData(l net.Listener, ip net.IP, port int) *PlatformData {
function getPlatformDataControlFromListener (line 70) | func getPlatformDataControlFromListener(l net.Listener) *PlatformDataCon...
FILE: controller/internal/enforcer/applicationproxy/pingrequest/pingrequest.go
constant PingHeaderKey (line 14) | PingHeaderKey = "X-APORETO-PING"
function CreateRaw (line 18) | func CreateRaw(host string, pingPayload *policy.PingPayload) ([]byte, er...
function ExtractRaw (line 35) | func ExtractRaw(rawReq []byte) (*policy.PingPayload, error) {
function Create (line 50) | func Create(host string, pingPayload *policy.PingPayload) (*http.Request...
function Extract (line 71) | func Extract(req *http.Request) (*policy.PingPayload, error) {
function encode (line 86) | func encode(pingPayload *policy.PingPayload) ([]byte, error) {
function decode (line 90) | func decode(data []byte) (*policy.PingPayload, error) {
FILE: controller/internal/enforcer/applicationproxy/protomux/protomux.go
type ProtoListener (line 17) | type ProtoListener struct
method Accept (line 32) | func (p *ProtoListener) Accept() (net.Conn, error) {
function NewProtoListener (line 24) | func NewProtoListener(mark int) *ProtoListener {
type MultiplexedListener (line 42) | type MultiplexedListener struct
method RegisterListener (line 76) | func (m *MultiplexedListener) RegisterListener(ltype common.ListenerTy...
method UnregisterListener (line 96) | func (m *MultiplexedListener) UnregisterListener(ltype common.Listener...
method RegisterDefaultListener (line 106) | func (m *MultiplexedListener) RegisterDefaultListener(p *ProtoListener...
method UnregisterDefaultListener (line 119) | func (m *MultiplexedListener) UnregisterDefaultListener() error {
method Close (line 133) | func (m *MultiplexedListener) Close() {
method Serve (line 138) | func (m *MultiplexedListener) Serve(ctx context.Context) error {
method serve (line 198) | func (m *MultiplexedListener) serve(conn net.Conn) {
function NewMultiplexedListener (line 58) | func NewMultiplexedListener(l net.Listener, mark int, puID string) *Mult...
function networkOfAddress (line 265) | func networkOfAddress(addr string) string {
FILE: controller/internal/enforcer/applicationproxy/protomux/protomux_test.go
function TestNetworkAddress (line 11) | func TestNetworkAddress(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/servicecache/servicecache.go
type entry (line 13) | type entry struct
type entryList (line 19) | type entryList
method Delete (line 21) | func (e entryList) Delete(i int) entryList {
type ServiceCache (line 29) | type ServiceCache struct
method Add (line 54) | func (s *ServiceCache) Add(e *common.Service, id string, data interfac...
method Find (line 76) | func (s *ServiceCache) Find(ip net.IP, port int, host string, local bo...
method FindListeningServicesForPU (line 91) | func (s *ServiceCache) FindListeningServicesForPU(id string) (interfac...
method DeleteByID (line 104) | func (s *ServiceCache) DeleteByID(id string, local bool) {
method addIPService (line 155) | func (s *ServiceCache) addIPService(e *common.Service, record *entry, ...
method addHostService (line 201) | func (s *ServiceCache) addHostService(e *common.Service, record *entry...
method findIP (line 227) | func (s *ServiceCache) findIP(ip net.IP, port int, local bool) interfa...
method findHost (line 258) | func (s *ServiceCache) findHost(host string, port int, local bool) int...
method addPorts (line 278) | func (s *ServiceCache) addPorts(e *common.Service, record *entry, loca...
function NewTable (line 43) | func NewTable() *ServiceCache {
function deleteMatchingPorts (line 145) | func deleteMatchingPorts(list entryList, id string) entryList {
FILE: controller/internal/enforcer/applicationproxy/servicecache/servicecache_test.go
function TestEntries (line 14) | func TestEntries(t *testing.T) {
function createServices (line 83) | func createServices() (*common.Service, *common.Service, *common.Service) {
function TestServiceCache (line 121) | func TestServiceCache(t *testing.T) {
function TestDelete (line 275) | func TestDelete(t *testing.T) {
function TestFindExistingServices (line 292) | func TestFindExistingServices(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/serviceregistry/serviceregistry.go
type ServiceContext (line 23) | type ServiceContext struct
type DependentServiceData (line 36) | type DependentServiceData struct
type PortContext (line 51) | type PortContext struct
type Registry (line 64) | type Registry struct
method Register (line 83) | func (r *Registry) Register(
method updateExposedServices (line 119) | func (r *Registry) updateExposedServices(sctx *ServiceContext, secrets...
method Unregister (line 134) | func (r *Registry) Unregister(puID string) error {
method RetrieveServiceByID (line 145) | func (r *Registry) RetrieveServiceByID(id string) (*ServiceContext, er...
method RetrieveExposedServiceContext (line 159) | func (r *Registry) RetrieveExposedServiceContext(ip net.IP, port int, ...
method RetrieveDependentServiceDataByIDAndNetwork (line 178) | func (r *Registry) RetrieveDependentServiceDataByIDAndNetwork(id strin...
method updateExposedPortAssociations (line 199) | func (r *Registry) updateExposedPortAssociations(sctx *ServiceContext,...
method UpdateDependentServicesByID (line 297) | func (r *Registry) UpdateDependentServicesByID(id string) error {
method updateDependentServices (line 314) | func (r *Registry) updateDependentServices(sctx *ServiceContext) error {
method createOrUpdateAuthProcessor (line 325) | func (r *Registry) createOrUpdateAuthProcessor(sctx *ServiceContext, s...
function Instance (line 76) | func Instance() *Registry {
function updateDependentService (line 270) | func updateDependentService(service *policy.ApplicationService, sctx *Se...
function serviceTypeToNetworkListenerType (line 359) | func serviceTypeToNetworkListenerType(serviceType policy.ServiceType, no...
function serviceTypeToApplicationListenerType (line 371) | func serviceTypeToApplicationListenerType(serviceType policy.ServiceType...
FILE: controller/internal/enforcer/applicationproxy/serviceregistry/serviceregistry_test.go
function newBaseApplicationServices (line 20) | func newBaseApplicationServices(exposedPortValue, publicPortValue, priva...
function newPU (line 84) | func newPU(name string, exposedPort, publicPort, privatePort, dependentP...
function TestRegister (line 127) | func TestRegister(t *testing.T) {
function TestServiceTypeToNetworkListenerType (line 255) | func TestServiceTypeToNetworkListenerType(t *testing.T) {
function TestServiceTypeToApplicationListenerType (line 270) | func TestServiceTypeToApplicationListenerType(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/tcp/lookup.go
constant indeterminateRemoteController (line 16) | indeterminateRemoteController = ""
type proxyFlowProperties (line 19) | type proxyFlowProperties struct
type lookup (line 31) | type lookup struct
method IDLookup (line 46) | func (l *lookup) IDLookup(remoteController, remotePUID string, tags *p...
method Policy (line 87) | func (l *lookup) Policy(tags *policy.TagStore) (*policy.FlowPolicy, *p...
method IPLookup (line 103) | func (l *lookup) IPLookup() bool {
method ReportStats (line 169) | func (l *lookup) ReportStats(remoteType collector.EndPointType, remote...
method reportFlow (line 216) | func (l *lookup) reportFlow(flowproperties *proxyFlowProperties, sourc...
method reportAcceptedFlow (line 257) | func (l *lookup) reportAcceptedFlow(flowproperties *proxyFlowPropertie...
method reportRejectedFlow (line 262) | func (l *lookup) reportRejectedFlow(flowproperties *proxyFlowPropertie...
FILE: controller/internal/enforcer/applicationproxy/tcp/ping_tcp.go
method InitiatePing (line 27) | func (p *Proxy) InitiatePing(ctx context.Context, sctx *serviceregistry....
method sendPingRequest (line 40) | func (p *Proxy) sendPingRequest(
method processPingRequest (line 168) | func (p *Proxy) processPingRequest(conn *tls.Conn, pl *lookup) error {
function extract (line 225) | func extract(pr *collector.PingReport, cert *x509.Certificate, pl *looku...
function pingEnabled (line 262) | func pingEnabled(conn *tls.Conn) bool {
function dial (line 273) | func dial(ctx context.Context, ip net.IP, port uint16, mark int) (net.Co...
function write (line 287) | func write(conn net.Conn, data []byte) error {
FILE: controller/internal/enforcer/applicationproxy/tcp/tcp.go
type Proxy (line 29) | type Proxy struct
method RunNetworkServer (line 76) | func (p *Proxy) RunNetworkServer(
method UpdateSecrets (line 101) | func (p *Proxy) UpdateSecrets(
method serve (line 117) | func (p *Proxy) serve(
method ShutDown (line 141) | func (p *Proxy) ShutDown() error {
method getService (line 145) | func (p *Proxy) getService(
method handle (line 176) | func (p *Proxy) handle(ctx context.Context, upConn net.Conn) {
method getPolicyReporter (line 201) | func (p *Proxy) getPolicyReporter(
method handleWithPUAndService (line 232) | func (p *Proxy) handleWithPUAndService(
method startEncryptedClientDataPath (line 265) | func (p *Proxy) startEncryptedClientDataPath(
method startEncryptedServerDataPath (line 319) | func (p *Proxy) startEncryptedServerDataPath(
method copyData (line 398) | func (p *Proxy) copyData(
method proxyData (line 450) | func (p *Proxy) proxyData(
method puContextFromContextID (line 466) | func (p *Proxy) puContextFromContextID(
method initiateDownstreamTCPConnection (line 479) | func (p *Proxy) initiateDownstreamTCPConnection(
method isLocal (line 493) | func (p *Proxy) isLocal(conn net.Conn) bool {
function NewTCPProxy (line 52) | func NewTCPProxy(
type readwithContext (line 415) | type readwithContext
method Read (line 417) | func (r readwithContext) Read(p []byte) (int, error) { return r(p) }
function dataprocessor (line 419) | func dataprocessor(
function logErr (line 509) | func logErr(err error) bool {
function getPublicServerTLSConfig (line 522) | func getPublicServerTLSConfig(
function getExposedServerMTLSConfig (line 566) | func getExposedServerMTLSConfig(
function getServerTLSConfig (line 587) | func getServerTLSConfig(
function getClientTLSConfig (line 605) | func getClientTLSConfig(
FILE: controller/internal/enforcer/applicationproxy/tcp/tcp_test.go
function testTLSCertificate (line 15) | func testTLSCertificate() tls.Certificate {
function Test_getClientTLSConfig (line 39) | func Test_getClientTLSConfig(t *testing.T) {
function Test_getTLSServerName (line 119) | func Test_getTLSServerName(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/verifier.go
type PolicyReporter (line 21) | type PolicyReporter interface
type Verifier (line 29) | type Verifier interface
type verifier (line 39) | type verifier struct
method TrustCAs (line 77) | func (v *verifier) TrustCAs(caPool *x509.CertPool) {
method VerifyPeerCertificate (line 88) | func (v *verifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedCh...
function init (line 45) | func init() {
function New (line 51) | func New(caPool *x509.CertPool) Verifier {
function certHasDNSOrIPSAN (line 58) | func certHasDNSOrIPSAN(san string, cert *x509.Certificate) bool {
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/verifier_test.go
function Test_verifier_TrustCAs (line 13) | func Test_verifier_TrustCAs(t *testing.T) {
type policyReporter (line 62) | type policyReporter struct
method IDLookup (line 69) | func (p *policyReporter) IDLookup(remoteController, remotePUID string,...
method IPLookup (line 73) | func (p *policyReporter) IPLookup() bool {
method ReportStats (line 78) | func (p *policyReporter) ReportStats(remoteType collector.EndPointType...
method Policy (line 82) | func (p *policyReporter) Policy(tags *policy.TagStore) (*policy.FlowPo...
function Test_verifier_VerifyPeerCertificate (line 86) | func Test_verifier_VerifyPeerCertificate(t *testing.T) {
FILE: controller/internal/enforcer/applicationproxy/tlshelper/tlshelper.go
function NewBaseTLSClientConfig (line 13) | func NewBaseTLSClientConfig() *tls.Config {
function NewBaseTLSServerConfig (line 25) | func NewBaseTLSServerConfig() *tls.Config {
FILE: controller/internal/enforcer/constants/constants.go
constant TCPAuthenticationOptionBaseLen (line 5) | TCPAuthenticationOptionBaseLen = 4
constant TCPAuthenticationOptionAckLen (line 7) | TCPAuthenticationOptionAckLen = 20
constant TransmitterLabel (line 9) | TransmitterLabel = "AporetoContextID"
constant DefaultNetwork (line 11) | DefaultNetwork = "0.0.0.0/0"
constant DefaultExternalIPTimeout (line 13) | DefaultExternalIPTimeout = "500ms"
FILE: controller/internal/enforcer/dnsproxy/common.go
function configureDependentServices (line 13) | func configureDependentServices(puCtx *pucontext.PUContext, fqdn string,...
FILE: controller/internal/enforcer/dnsproxy/dns.go
type Proxy (line 24) | type Proxy struct
method StartDNSServer (line 152) | func (p *Proxy) StartDNSServer(contextID, port string) error {
method ShutdownDNS (line 179) | func (p *Proxy) ShutdownDNS(contextID string) {
type serveDNS (line 34) | type serveDNS struct
method ServeDNS (line 101) | func (s *serveDNS) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
constant dnsRequestTimeout (line 40) | dnsRequestTimeout = 2 * time.Second
constant proxyMarkInt (line 41) | proxyMarkInt = 0x40
function socketOptions (line 44) | func socketOptions(_, _ string, c syscall.RawConn) error {
function listenUDP (line 59) | func listenUDP(network, addr string) (net.PacketConn, error) {
function forwardDNSReq (line 67) | func forwardDNSReq(r *dns.Msg, ip net.IP, port uint16) (*dns.Msg, []stri...
function New (line 191) | func New(puFromID cache.DataStore, conntrack flowtracking.FlowClient, c ...
FILE: controller/internal/enforcer/dnsproxy/dns_darwin.go
type Proxy (line 11) | type Proxy struct
method ShutdownDNS (line 20) | func (p *Proxy) ShutdownDNS(contextID string) {
method StartDNSServer (line 25) | func (p *Proxy) StartDNSServer(contextID, port string) error {
function New (line 15) | func New(puFromID cache.DataStore, conntrack flowtracking.FlowClient, c ...
FILE: controller/internal/enforcer/dnsproxy/dns_linux.go
type removeExpiredEntryFunc (line 27) | type removeExpiredEntryFunc
type Proxy (line 30) | type Proxy struct
method handleTTLInfoList (line 405) | func (p *Proxy) handleTTLInfoList(contextID, fqdn string, dnsttlinfoli...
method handleTTLInfo (line 412) | func (p *Proxy) handleTTLInfo(contextID, fqdn string, dnsinfo *dnsttli...
method defaultRemoveExpiredEntry (line 458) | func (p *Proxy) defaultRemoveExpiredEntry(ipaddress string) {
method StartDNSServer (line 509) | func (p *Proxy) StartDNSServer(ctx context.Context, contextID, port st...
method shutdownDNS (line 536) | func (p *Proxy) shutdownDNS(contextID string) {
method SyncWithPlatformCache (line 566) | func (p *Proxy) SyncWithPlatformCache(ctx context.Context, pctx *pucon...
method HandleDNSResponsePacket (line 571) | func (p *Proxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP...
method Enforce (line 576) | func (p *Proxy) Enforce(ctx context.Context, contextID string, puInfo ...
method doHandleCreate (line 630) | func (p *Proxy) doHandleCreate(_ context.Context, contextID string, pu...
method Unenforce (line 645) | func (p *Proxy) Unenforce(_ context.Context, contextID string) error {
method updateFQDNWithIPs (line 674) | func (p *Proxy) updateFQDNWithIPs(contextID, fqdn string, ips []string) {
method removeIPfromFQDN (line 699) | func (p *Proxy) removeIPfromFQDN(contextID, fqdn string, ipAddress str...
type dnsNamesToIP (line 43) | type dnsNamesToIP struct
method Copy (line 658) | func (d *dnsNamesToIP) Copy() *dnsNamesToIP {
type dnsttlinfo (line 47) | type dnsttlinfo struct
type iptottlinfo (line 52) | type iptottlinfo struct
type serveDNS (line 59) | type serveDNS struct
method ServeDNS (line 208) | func (s *serveDNS) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
constant dnsRequestTimeout (line 65) | dnsRequestTimeout = 2 * time.Second
function socketOptions (line 68) | func socketOptions(_, _ string, c syscall.RawConn) error {
function listenUDP (line 83) | func listenUDP(ctx context.Context, network, addr string) (net.PacketCon...
function forwardDNSReq (line 91) | func forwardDNSReq(r *dns.Msg, ip net.IP, port uint16) ([]byte, []string...
constant strInvalidDNSRequest (line 205) | strInvalidDNSRequest = "invalid DNS request"
function New (line 547) | func New(ctx context.Context, puFromID cache.DataStore, conntrack flowtr...
FILE: controller/internal/enforcer/dnsproxy/dns_linux_test.go
type flowClientDummy (line 28) | type flowClientDummy struct
method Close (line 31) | func (c *flowClientDummy) Close() error {
method UpdateMark (line 35) | func (c *flowClientDummy) UpdateMark(ipSrc, ipDst net.IP, protonum uin...
method UpdateNetworkFlowMark (line 39) | func (c *flowClientDummy) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, p...
method UpdateApplicationFlowMark (line 43) | func (c *flowClientDummy) UpdateApplicationFlowMark(ipSrc, ipDst net.I...
method GetOriginalDest (line 71) | func (c *flowClientDummy) GetOriginalDest(ipSrc, ipDst net.IP, srcport...
function findDNSServerIP (line 47) | func findDNSServerIP() net.IP {
function addDNSNamePolicy (line 78) | func addDNSNamePolicy(context *pucontext.PUContext) {
function CustomDialer (line 91) | func CustomDialer(ctx context.Context, network, address string) (net.Con...
function createCustomResolver (line 96) | func createCustomResolver() *net.Resolver {
type DNSCollector (line 106) | type DNSCollector struct
method CollectFlowEvent (line 109) | func (d *DNSCollector) CollectFlowEvent(record *collector.FlowRecord) {}
method CollectContainerEvent (line 112) | func (d *DNSCollector) CollectContainerEvent(record *collector.Contain...
method CollectUserEvent (line 115) | func (d *DNSCollector) CollectUserEvent(record *collector.UserRecord) {}
method CollectTraceEvent (line 118) | func (d *DNSCollector) CollectTraceEvent(records []string) {}
method CollectPingEvent (line 121) | func (d *DNSCollector) CollectPingEvent(report *collector.PingReport) {}
method CollectPacketEvent (line 124) | func (d *DNSCollector) CollectPacketEvent(report *collector.PacketRepo...
method CollectCounterEvent (line 127) | func (d *DNSCollector) CollectCounterEvent(report *collector.CounterRe...
method CollectConnectionExceptionReport (line 130) | func (d *DNSCollector) CollectConnectionExceptionReport(_ *collector.C...
method CollectDNSRequests (line 137) | func (d *DNSCollector) CollectDNSRequests(report *collector.DNSRequest...
function TestDNS (line 143) | func TestDNS(t *testing.T) {
constant contextID (line 181) | contextID = "host"
constant serviceID (line 182) | serviceID = "serviceID"
constant port80 (line 183) | port80 = "80"
constant fqdn (line 184) | fqdn = "www.example.com."
constant fqdnTwo (line 185) | fqdnTwo = "two.example.com."
constant fqdnKeep (line 186) | fqdnKeep = "keep.example.com."
constant ip192_0_2_1 (line 187) | ip192_0_2_1 = "192.0.2.1"
constant ip192_0_2_2 (line 188) | ip192_0_2_2 = "192.0.2.2"
constant ip192_0_2_3 (line 189) | ip192_0_2_3 = "192.0.2.3"
function TestProxy_removeIPfromFQDN (line 192) | func TestProxy_removeIPfromFQDN(t *testing.T) {
function TestProxy_updateFQDNWithIPs (line 324) | func TestProxy_updateFQDNWithIPs(t *testing.T) {
function TestProxy_defaultRemoveExpiredEntry (line 456) | func TestProxy_defaultRemoveExpiredEntry(t *testing.T) {
function TestProxy_handleTTLInfoList (line 627) | func TestProxy_handleTTLInfoList(t *testing.T) {
function TestProxy_Enforce (line 782) | func TestProxy_Enforce(t *testing.T) {
FILE: controller/internal/enforcer/dnsproxy/dns_report.go
type dnsReport (line 19) | type dnsReport struct
method sendToCollector (line 30) | func (p *Proxy) sendToCollector(report dnsReport, count int) {
method reportDNSRequests (line 45) | func (p *Proxy) reportDNSRequests(ctx context.Context, chreport chan dns...
method reportDNSLookup (line 81) | func (p *Proxy) reportDNSLookup(name string, pucontext *pucontext.PUCont...
FILE: controller/internal/enforcer/dnsproxy/dns_test.go
type flowClientDummy (line 21) | type flowClientDummy struct
method Close (line 24) | func (c *flowClientDummy) Close() error {
method UpdateMark (line 28) | func (c *flowClientDummy) UpdateMark(ipSrc, ipDst net.IP, protonum uin...
method UpdateNetworkFlowMark (line 32) | func (c *flowClientDummy) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, p...
method UpdateApplicationFlowMark (line 36) | func (c *flowClientDummy) UpdateApplicationFlowMark(ipSrc, ipDst net.I...
method GetOriginalDest (line 40) | func (c *flowClientDummy) GetOriginalDest(ipSrc, ipDst net.IP, srcport...
function addDNSNamePolicy (line 44) | func addDNSNamePolicy(context *pucontext.PUContext) {
function CustomDialer (line 57) | func CustomDialer(ctx context.Context, network, address string) (net.Con...
function createCustomResolver (line 62) | func createCustomResolver() *net.Resolver {
type DNSCollector (line 72) | type DNSCollector struct
method CollectFlowEvent (line 75) | func (d *DNSCollector) CollectFlowEvent(record *collector.FlowRecord) {}
method CollectContainerEvent (line 78) | func (d *DNSCollector) CollectContainerEvent(record *collector.Contain...
method CollectUserEvent (line 81) | func (d *DNSCollector) CollectUserEvent(record *collector.UserRecord) {}
method CollectTraceEvent (line 84) | func (d *DNSCollector) CollectTraceEvent(records []string) {}
method CollectPingEvent (line 87) | func (d *DNSCollector) CollectPingEvent(report *collector.PingReport) {}
method CollectPacketEvent (line 90) | func (d *DNSCollector) CollectPacketEvent(report *collector.PacketRepo...
method CollectCounterEvent (line 93) | func (d *DNSCollector) CollectCounterEvent(report *collector.CounterRe...
method CollectDNSRequests (line 99) | func (d *DNSCollector) CollectDNSRequests(report *collector.DNSRequest...
function TestDNS (line 105) | func TestDNS(t *testing.T) {
FILE: controller/internal/enforcer/dnsproxy/dns_unsupported.go
type Proxy (line 17) | type Proxy struct
method ShutdownDNS (line 26) | func (p *Proxy) ShutdownDNS(contextID string) {
method StartDNSServer (line 31) | func (p *Proxy) StartDNSServer(ctx context.Context, contextID, port st...
method SyncWithPlatformCache (line 36) | func (p *Proxy) SyncWithPlatformCache(ctx context.Context, pctx *pucon...
method HandleDNSResponsePacket (line 41) | func (p *Proxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP...
method Enforce (line 46) | func (p *Proxy) Enforce(ctx context.Context, contextID string, puInfo ...
method Unenforce (line 51) | func (p *Proxy) Unenforce(_ context.Context, contextID string) error {
function New (line 21) | func New(ctx context.Context, puFromID cache.DataStore, conntrack flowtr...
FILE: controller/internal/enforcer/dnsproxy/dns_windows.go
type Proxy (line 25) | type Proxy struct
method StartDNSServer (line 42) | func (p *Proxy) StartDNSServer(ctx context.Context, contextID, port st...
method ShutdownDNS (line 50) | func (p *Proxy) ShutdownDNS(contextID string) {
method SyncWithPlatformCache (line 58) | func (p *Proxy) SyncWithPlatformCache(ctx context.Context, pctx *pucon...
method HandleDNSResponsePacket (line 67) | func (p *Proxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP...
method Enforce (line 146) | func (p *Proxy) Enforce(ctx context.Context, contextID string, puInfo ...
method Unenforce (line 151) | func (p *Proxy) Unenforce(_ context.Context, contextID string) error {
function New (line 34) | func New(ctx context.Context, puFromID cache.DataStore, conntrack flowtr...
function clearWindowsDNSCache (line 132) | func clearWindowsDNSCache() error {
FILE: controller/internal/enforcer/dnsproxy/dns_windows_test.go
function addDNSNamePolicy (line 23) | func addDNSNamePolicy(context *pucontext.PUContext) {
type DNSCollector (line 37) | type DNSCollector struct
method CollectFlowEvent (line 40) | func (d *DNSCollector) CollectFlowEvent(record *collector.FlowRecord) {}
method CollectContainerEvent (line 43) | func (d *DNSCollector) CollectContainerEvent(record *collector.Contain...
method CollectUserEvent (line 46) | func (d *DNSCollector) CollectUserEvent(record *collector.UserRecord) {}
method CollectTraceEvent (line 49) | func (d *DNSCollector) CollectTraceEvent(records []string) {}
method CollectPacketEvent (line 52) | func (d *DNSCollector) CollectPacketEvent(report *collector.PacketRepo...
method CollectCounterEvent (line 55) | func (d *DNSCollector) CollectCounterEvent(report *collector.CounterRe...
method CollectPingEvent (line 58) | func (d *DNSCollector) CollectPingEvent(report *collector.PingReport) {}
method CollectConnectionExceptionReport (line 61) | func (d *DNSCollector) CollectConnectionExceptionReport(_ *collector.C...
method CollectDNSRequests (line 67) | func (d *DNSCollector) CollectDNSRequests(report *collector.DNSRequest...
constant dnsResponseHex1 (line 74) | dnsResponseHex1 = "45200048d22f00006a11ad8f08080808c0a8000e0035e75600343...
constant dnsResponseHex2 (line 75) | dnsResponseHex2 = "45200054eb6700006a11944b08080808c0a8000e0035e75700408...
function TestDNS (line 78) | func TestDNS(t *testing.T) {
FILE: controller/internal/enforcer/dnsproxy/dnsproxy.go
type DNSProxy (line 12) | type DNSProxy interface
FILE: controller/internal/enforcer/dnsproxy/mockdnsproxy/mockdnsproxy.go
type MockDNSProxy (line 19) | type MockDNSProxy struct
method EXPECT (line 40) | func (m *MockDNSProxy) EXPECT() *MockDNSProxyMockRecorder {
method StartDNSServer (line 46) | func (m *MockDNSProxy) StartDNSServer(ctx context.Context, contextID, ...
method Enforce (line 62) | func (m *MockDNSProxy) Enforce(ctx context.Context, contextID string, ...
method Unenforce (line 78) | func (m *MockDNSProxy) Unenforce(ctx context.Context, contextID string...
method SyncWithPlatformCache (line 94) | func (m *MockDNSProxy) SyncWithPlatformCache(ctx context.Context, pctx...
method HandleDNSResponsePacket (line 110) | func (m *MockDNSProxy) HandleDNSResponsePacket(dnsPacketData []byte, s...
type MockDNSProxyMockRecorder (line 26) | type MockDNSProxyMockRecorder struct
method StartDNSServer (line 55) | func (mr *MockDNSProxyMockRecorder) StartDNSServer(ctx, contextID, por...
method Enforce (line 71) | func (mr *MockDNSProxyMockRecorder) Enforce(ctx, contextID, puInfo int...
method Unenforce (line 87) | func (mr *MockDNSProxyMockRecorder) Unenforce(ctx, contextID interface...
method SyncWithPlatformCache (line 103) | func (mr *MockDNSProxyMockRecorder) SyncWithPlatformCache(ctx, pctx in...
method HandleDNSResponsePacket (line 119) | func (mr *MockDNSProxyMockRecorder) HandleDNSResponsePacket(dnsPacketD...
function NewMockDNSProxy (line 32) | func NewMockDNSProxy(ctrl *gomock.Controller) *MockDNSProxy {
FILE: controller/internal/enforcer/dnsproxy/mutex_map.go
type mutexMap (line 8) | type mutexMap struct
method Remove (line 27) | func (m *mutexMap) Remove(entry string) {
method Lock (line 34) | func (m *mutexMap) Lock(entry string) unlocker {
type unlocker (line 16) | type unlocker interface
function newMutexMap (line 22) | func newMutexMap() *mutexMap {
FILE: controller/internal/enforcer/enforcer.go
type Enforcer (line 32) | type Enforcer interface
type DebugInfo (line 68) | type DebugInfo interface
type enforcer (line 83) | type enforcer struct
method Run (line 89) | func (e *enforcer) Run(ctx context.Context) error {
method Enforce (line 107) | func (e *enforcer) Enforce(ctx context.Context, contextID string, puIn...
method Unenforce (line 125) | func (e *enforcer) Unenforce(ctx context.Context, contextID string) er...
method SetTargetNetworks (line 154) | func (e *enforcer) SetTargetNetworks(cfg *runtime.Configuration) error {
method UpdateSecrets (line 159) | func (e *enforcer) UpdateSecrets(secrets secrets.Secrets) error {
method SetLogLevel (line 176) | func (e *enforcer) SetLogLevel(level constants.LogLevel) error {
method CleanUp (line 188) | func (e *enforcer) CleanUp() error {
method GetBPFObject (line 196) | func (e *enforcer) GetBPFObject() ebpf.BPFModule {
method GetServiceMeshType (line 201) | func (e *enforcer) GetServiceMeshType() policy.ServiceMesh {
method GetFilterQueue (line 206) | func (e *enforcer) GetFilterQueue() fqconfig.FilterQueue {
method EnableDatapathPacketTracing (line 211) | func (e *enforcer) EnableDatapathPacketTracing(ctx context.Context, co...
method EnableIPTablesPacketTracing (line 217) | func (e *enforcer) EnableIPTablesPacketTracing(ctx context.Context, co...
method Ping (line 222) | func (e *enforcer) Ping(ctx context.Context, contextID string, pingCon...
method DebugCollect (line 254) | func (e *enforcer) DebugCollect(ctx context.Context, contextID string,...
function New (line 260) | func New(
FILE: controller/internal/enforcer/envoyauthorizer/envoyauthorizerenforcer.go
type Enforcer (line 31) | type Enforcer struct
method Secrets (line 93) | func (e *Enforcer) Secrets() (secrets.Secrets, func()) {
method Enforce (line 104) | func (e *Enforcer) Enforce(ctx context.Context, contextID string, puIn...
method processCertificateUpdates (line 176) | func (e *Enforcer) processCertificateUpdates(puInfo *policy.PUInfo, se...
method expandCAPool (line 210) | func (e *Enforcer) expandCAPool(externalCAs [][]byte) *x509.CertPool {
method Unenforce (line 229) | func (e *Enforcer) Unenforce(ctx context.Context, contextID string) er...
method UpdateSecrets (line 292) | func (e *Enforcer) UpdateSecrets(secrets secrets.Secrets) error {
method SetTargetNetworks (line 300) | func (e *Enforcer) SetTargetNetworks(cfg *runtime.Configuration) error {
method SetLogLevel (line 305) | func (e *Enforcer) SetLogLevel(level constants.LogLevel) error {
method CleanUp (line 310) | func (e *Enforcer) CleanUp() error {
method Run (line 315) | func (e *Enforcer) Run(ctx context.Context) error {
method GetBPFObject (line 320) | func (e *Enforcer) GetBPFObject() ebpf.BPFModule {
method GetServiceMeshType (line 325) | func (e *Enforcer) GetServiceMeshType() policy.ServiceMesh {
method GetFilterQueue (line 330) | func (e *Enforcer) GetFilterQueue() fqconfig.FilterQueue {
method EnableDatapathPacketTracing (line 335) | func (e *Enforcer) EnableDatapathPacketTracing(ctx context.Context, co...
method EnableIPTablesPacketTracing (line 340) | func (e *Enforcer) EnableIPTablesPacketTracing(ctx context.Context, co...
method Ping (line 345) | func (e *Enforcer) Ping(ctx context.Context, contextID string, pingCon...
method DebugCollect (line 350) | func (e *Enforcer) DebugCollect(ctx context.Context, contextID string,...
type envoyServers (line 47) | type envoyServers struct
function NewEnvoyAuthorizerEnforcer (line 54) | func NewEnvoyAuthorizerEnforcer(mode constants.ModeType, eventCollector ...
FILE: controller/internal/enforcer/envoyauthorizer/envoyproxy/auth_server.go
constant IngressSocketPath (line 34) | IngressSocketPath = "127.0.0.1:1999"
constant EgressSocketPath (line 37) | EgressSocketPath = "127.0.0.1:1998"
constant aporetoKeyHeader (line 41) | aporetoKeyHeader = "x-aporeto-key"
constant aporetoAuthHeader (line 44) | aporetoAuthHeader = "x-aporeto-auth"
type Direction (line 53) | type Direction
method String (line 69) | func (d Direction) String() string {
constant UnknownDirection (line 57) | UnknownDirection Direction = 0
constant IngressDirection (line 61) | IngressDirection Direction = 1
constant EgressDirection (line 65) | EgressDirection Direction = 2
type AuthServer (line 83) | type AuthServer struct
method UpdateSecrets (line 153) | func (s *AuthServer) UpdateSecrets(cert *tls.Certificate, caPool *x509...
method run (line 161) | func (s *AuthServer) run(lis net.Listener) {
method Stop (line 170) | func (s *AuthServer) Stop() {
method GracefulStop (line 175) | func (s *AuthServer) GracefulStop() {
method Check (line 180) | func (s *AuthServer) Check(ctx context.Context, checkRequest *ext_auth...
method ingressCheck (line 193) | func (s *AuthServer) ingressCheck(ctx context.Context, checkRequest *e...
method egressCheck (line 302) | func (s *AuthServer) egressCheck(_ context.Context, checkRequest *ext_...
function NewExtAuthzServer (line 104) | func NewExtAuthzServer(puID string, puContexts cache.DataStore, collecto...
function createDeniedCheckResponse (line 413) | func createDeniedCheckResponse(rpcCode code.Code, httpCode envoy_type.St...
FILE: controller/internal/enforcer/envoyauthorizer/envoyproxy/sds_server.go
constant SdsSocketpath (line 34) | SdsSocketpath = "127.0.0.1:2999"
constant typeCertificate (line 36) | typeCertificate = "CERTIFICATE"
type Options (line 40) | type Options struct
type sdsCerts (line 45) | type sdsCerts struct
type SdsDiscoveryStream (line 52) | type SdsDiscoveryStream interface
type SdsServer (line 61) | type SdsServer struct
method CreateSdsService (line 148) | func (s *SdsServer) CreateSdsService(options *Options) error { // noli...
method Run (line 189) | func (s *SdsServer) Run() {
method Stop (line 202) | func (s *SdsServer) Stop() {
method GracefulStop (line 212) | func (s *SdsServer) GracefulStop() {
method register (line 217) | func (s *SdsServer) register(sdsGrpcServer *grpc.Server) {
method UpdateSecrets (line 225) | func (s *SdsServer) UpdateSecrets(cert *tls.Certificate, caPool *x509....
method DeltaSecrets (line 245) | func (s *SdsServer) DeltaSecrets(stream sds.SecretDiscoveryService_Del...
method StreamSecrets (line 267) | func (s *SdsServer) StreamSecrets(stream sds.SecretDiscoveryService_St...
method sendUpdatedCerts (line 390) | func (s *SdsServer) sendUpdatedCerts(apoSecret sdsCerts, conn *clientC...
method checkSecretPresent (line 444) | func (s *SdsServer) checkSecretPresent(connID string, req *v2.Discover...
method FetchSecrets (line 463) | func (s *SdsServer) FetchSecrets(ctx context.Context, req *v2.Discover...
method generateSecret (line 505) | func (s *SdsServer) generateSecret(req *v2.DiscoveryRequest, token str...
type secretItem (line 80) | type secretItem struct
type clientConn (line 109) | type clientConn struct
function NewSdsServer (line 120) | func NewSdsServer(contextID string, puInfo *policy.PUInfo, caPool *x509....
function startStreaming (line 249) | func startStreaming(stream SdsDiscoveryStream, discoveryReqCh chan *v2.D...
function createConnID (line 453) | func createConnID(clientID, resourceName string) string {
function buildCertChain (line 568) | func buildCertChain(certPEM, caPEM []byte) ([]byte, error) {
function x509CertToPem (line 607) | func x509CertToPem(cert *x509.Certificate) ([]byte, error) {
function x509CertChainToPem (line 616) | func x509CertChainToPem(certChain []*x509.Certificate) ([]byte, error) {
function getTopRootCa (line 627) | func getTopRootCa(certPEMBlock []byte) ([]byte, error) {
function getExpTimeFromCert (line 653) | func getExpTimeFromCert(cert []byte) (time.Time, error) {
function getRootCert (line 667) | func getRootCert(secret *secretItem) *envoy_api_v2_auth.Secret_Validatio...
function getTLScerts (line 679) | func getTLScerts(secret *secretItem) *envoy_api_v2_auth.Secret_TlsCertif...
FILE: controller/internal/enforcer/flowstats/state.go
type ConnectionState (line 16) | type ConnectionState struct
function NewAppConnectionState (line 22) | func NewAppConnectionState(nativeID string, r *http.Request, authRequest...
function NewNetworkConnectionState (line 68) | func NewNetworkConnectionState(nativeID string, userID string, r *apiaut...
FILE: controller/internal/enforcer/lookup/lookup.go
type ForwardingPolicy (line 16) | type ForwardingPolicy struct
type intList (line 24) | type intList
method sortedInsert (line 54) | func (array intList) sortedInsert(value int) intList {
type PolicyDB (line 27) | type PolicyDB struct
method AddPolicy (line 82) | func (m *PolicyDB) AddPolicy(selector policy.TagSelector) (policyID in...
method tagSplit (line 159) | func (m *PolicyDB) tagSplit(tag string, k *string, v *string) error {
method Search (line 184) | func (m *PolicyDB) Search(tags *policy.TagStore) (int, interface{}) {
method PrintPolicyDB (line 291) | func (m *PolicyDB) PrintPolicyDB() {
function NewPolicyDB (line 39) | func NewPolicyDB() (m *PolicyDB) {
function searchInMapTable (line 260) | func searchInMapTable(table []*ForwardingPolicy, ports *portspec.PortSpe...
function parseTagValueRange (line 330) | func parseTagValueRange(value string) (string, *portspec.PortSpec, error) {
FILE: controller/internal/enforcer/lookup/lookup_test.go
function TestConstructorNewPolicyDB (line 142) | func TestConstructorNewPolicyDB(t *testing.T) {
function TestFuncAddPolicy (line 154) | func TestFuncAddPolicy(t *testing.T) {
function TestFuncSearch (line 222) | func TestFuncSearch(t *testing.T) {
function TestFuncDumpDB (line 418) | func TestFuncDumpDB(t *testing.T) {
FILE: controller/internal/enforcer/metadata/metadata.go
type Client (line 17) | type Client struct
method UpdateSecrets (line 35) | func (c *Client) UpdateSecrets(cert, key []byte) {
method GetCertificate (line 44) | func (c *Client) GetCertificate() []byte {
method GetPrivateKey (line 52) | func (c *Client) GetPrivateKey() []byte {
method GetCurrentPolicy (line 61) | func (c *Client) GetCurrentPolicy() ([]byte, *policy.PUPolicyPublic, e...
method IssueToken (line 82) | func (c *Client) IssueToken(ctx context.Context, stype common.ServiceT...
method Authorize (line 88) | func (c *Client) Authorize(request *apiauth.Request) error {
function NewClient (line 27) | func NewClient(puContext string, t common.ServiceTokenIssuer) *Client {
FILE: controller/internal/enforcer/mockenforcer/mockenforcer.go
type MockEnforcer (line 24) | type MockEnforcer struct
method EXPECT (line 45) | func (m *MockEnforcer) EXPECT() *MockEnforcerMockRecorder {
method Enforce (line 51) | func (m *MockEnforcer) Enforce(ctx context.Context, contextID string, ...
method Unenforce (line 67) | func (m *MockEnforcer) Unenforce(ctx context.Context, contextID string...
method GetFilterQueue (line 83) | func (m *MockEnforcer) GetFilterQueue() fqconfig.FilterQueue {
method GetBPFObject (line 99) | func (m *MockEnforcer) GetBPFObject() ebpf.BPFModule {
method Run (line 115) | func (m *MockEnforcer) Run(ctx context.Context) error {
method UpdateSecrets (line 131) | func (m *MockEnforcer) UpdateSecrets(secrets secrets.Secrets) error {
method SetTargetNetworks (line 147) | func (m *MockEnforcer) SetTargetNetworks(cfg *runtime.Configuration) e...
method SetLogLevel (line 163) | func (m *MockEnforcer) SetLogLevel(level constants.LogLevel) error {
method CleanUp (line 179) | func (m *MockEnforcer) CleanUp() error {
method GetServiceMeshType (line 195) | func (m *MockEnforcer) GetServiceMeshType() policy.ServiceMesh {
method EnableDatapathPacketTracing (line 211) | func (m *MockEnforcer) EnableDatapathPacketTracing(ctx context.Context...
method EnableIPTablesPacketTracing (line 227) | func (m *MockEnforcer) EnableIPTablesPacketTracing(ctx context.Context...
method Ping (line 243) | func (m *MockEnforcer) Ping(ctx context.Context, contextID string, pin...
method DebugCollect (line 259) | func (m *MockEnforcer) DebugCollect(ctx context.Context, contextID str...
type MockEnforcerMockRecorder (line 31) | type MockEnforcerMockRecorder struct
method Enforce (line 60) | func (mr *MockEnforcerMockRecorder) Enforce(ctx, contextID, puInfo int...
method Unenforce (line 76) | func (mr *MockEnforcerMockRecorder) Unenforce(ctx, contextID interface...
method GetFilterQueue (line 92) | func (mr *MockEnforcerMockRecorder) GetFilterQueue() *gomock.Call {
method GetBPFObject (line 108) | func (mr *MockEnforcerMockRecorder) GetBPFObject() *gomock.Call {
method Run (line 124) | func (mr *MockEnforcerMockRecorder) Run(ctx interface{}) *gomock.Call {
method UpdateSecrets (line 140) | func (mr *MockEnforcerMockRecorder) UpdateSecrets(secrets interface{})...
method SetTargetNetworks (line 156) | func (mr *MockEnforcerMockRecorder) SetTargetNetworks(cfg interface{})...
method SetLogLevel (line 172) | func (mr *MockEnforcerMockRecorder) SetLogLevel(level interface{}) *go...
method CleanUp (line 188) | func (mr *MockEnforcerMockRecorder) CleanUp() *gomock.Call {
method GetServiceMeshType (line 204) | func (mr *MockEnforcerMockRecorder) GetServiceMeshType() *gomock.Call {
method EnableDatapathPacketTracing (line 220) | func (mr *MockEnforcerMockRecorder) EnableDatapathPacketTracing(ctx, c...
method EnableIPTablesPacketTracing (line 236) | func (mr *MockEnforcerMockRecorder) EnableIPTablesPacketTracing(ctx, c...
method Ping (line 252) | func (mr *MockEnforcerMockRecorder) Ping(ctx, contextID, pingConfig in...
method DebugCollect (line 268) | func (mr *MockEnforcerMockRecorder) DebugCollect(ctx, contextID, debug...
function NewMockEnforcer (line 37) | func NewMockEnforcer(ctrl *gomock.Controller) *MockEnforcer {
type MockDebugInfo (line 275) | type MockDebugInfo struct
method EXPECT (line 296) | func (m *MockDebugInfo) EXPECT() *MockDebugInfoMockRecorder {
method EnableDatapathPacketTracing (line 302) | func (m *MockDebugInfo) EnableDatapathPacketTracing(ctx context.Contex...
method EnableIPTablesPacketTracing (line 318) | func (m *MockDebugInfo) EnableIPTablesPacketTracing(ctx context.Contex...
method Ping (line 334) | func (m *MockDebugInfo) Ping(ctx context.Context, contextID string, pi...
method DebugCollect (line 350) | func (m *MockDebugInfo) DebugCollect(ctx context.Context, contextID st...
type MockDebugInfoMockRecorder (line 282) | type MockDebugInfoMockRecorder struct
method EnableDatapathPacketTracing (line 311) | func (mr *MockDebugInfoMockRecorder) EnableDatapathPacketTracing(ctx, ...
method EnableIPTablesPacketTracing (line 327) | func (mr *MockDebugInfoMockRecorder) EnableIPTablesPacketTracing(ctx, ...
method Ping (line 343) | func (mr *MockDebugInfoMockRecorder) Ping(ctx, contextID, pingConfig i...
method DebugCollect (line 359) | func (mr *MockDebugInfoMockRecorder) DebugCollect(ctx, contextID, debu...
function NewMockDebugInfo (line 288) | func NewMockDebugInfo(ctrl *gomock.Controller) *MockDebugInfo {
FILE: controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket.go
type socketv4 (line 15) | type socketv4 struct
type socketv6 (line 20) | type socketv6 struct
type rawsocket (line 25) | type rawsocket struct
method WriteSocket (line 127) | func (sock *rawsocket) WriteSocket(buf []byte, version packet.IPver, d...
constant RawSocketMark (line 32) | RawSocketMark = 0x63
constant NetworkRawSocketMark (line 35) | NetworkRawSocketMark = 0x40000063
constant ApplicationRawSocketMark (line 38) | ApplicationRawSocketMark = 0x40000062
type SocketWriter (line 42) | type SocketWriter interface
function CreateSocket (line 47) | func CreateSocket(mark int, deviceName string) (SocketWriter, error) {
function IsIpv6Supported (line 147) | func IsIpv6Supported() bool {
FILE: controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket_osx.go
constant RawSocketMark (line 9) | RawSocketMark = 0x63
constant NetworkRawSocketMark (line 12) | NetworkRawSocketMark = 0x40000063
constant ApplicationRawSocketMark (line 15) | ApplicationRawSocketMark = 0x40000062
type SocketWriter (line 19) | type SocketWriter interface
type rawsocket (line 24) | type rawsocket struct
method WriteSocket (line 33) | func (sock *rawsocket) WriteSocket(buf []byte, version packet.IPver, d...
method CloseSocket (line 40) | func (sock *rawsocket) CloseSocket() error {
function CreateSocket (line 28) | func CreateSocket(mark int, deviceName string) (SocketWriter, error) {
FILE: controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket_windows.go
type rawsocket (line 12) | type rawsocket struct
method WriteSocket (line 46) | func (sock *rawsocket) WriteSocket(buf []byte, version packet.IPver, d...
type WindowPlatformMetadata (line 16) | type WindowPlatformMetadata struct
method Clone (line 58) | func (w *WindowPlatformMetadata) Clone() packet.PlatformMetadata {
method forwardPacket (line 68) | func (w *WindowPlatformMetadata) forwardPacket(buf []byte, version pac...
constant RawSocketMark (line 26) | RawSocketMark = 0x63
constant NetworkRawSocketMark (line 29) | NetworkRawSocketMark = 0x40000063
constant ApplicationRawSocketMark (line 32) | ApplicationRawSocketMark = 0x40000062
type SocketWriter (line 36) | type SocketWriter interface
function CreateSocket (line 41) | func CreateSocket(mark int, deviceName string) (SocketWriter, error) {
FILE: controller/internal/enforcer/nfqdatapath/autoport.go
type readSystemFiles (line 14) | type readSystemFiles interface
type defaultRead (line 21) | type defaultRead struct
function init (line 27) | func init() {
method autoPortDiscovery (line 33) | func (d *Datapath) autoPortDiscovery() {
method resync (line 41) | func (d *Datapath) resync(newPortMap map[string]map[string]bool) {
method findPorts (line 91) | func (d *Datapath) findPorts() {
FILE: controller/internal/enforcer/nfqdatapath/autoport_nonwindows.go
constant procNetTCPFile (line 18) | procNetTCPFile = "/proc/net/tcp"
constant uidFieldOffset (line 19) | uidFieldOffset = 7
constant inodeFieldOffset (line 20) | inodeFieldOffset = 9
constant procHeaderLineNum (line 21) | procHeaderLineNum = 0
constant portOffset (line 22) | portOffset = 1
constant ipPortOffset (line 23) | ipPortOffset = 1
constant sockStateOffset (line 24) | sockStateOffset = 3
constant sockListeningState (line 25) | sockListeningState = "0A"
constant hexFormat (line 26) | hexFormat = 16
constant integerSize (line 27) | integerSize = 64
constant minimumFields (line 28) | minimumFields = 2
function getUserName (line 31) | func getUserName(uid string) (string, error) {
method readProcNetTCP (line 40) | func (d *defaultRead) readProcNetTCP() (inodeMap map[string]string, user...
method readOpenSockFD (line 108) | func (d *defaultRead) readOpenSockFD(pid string) []string {
method getCgroupList (line 143) | func (d *defaultRead) getCgroupList() []string {
method listCgroupProcesses (line 147) | func (d *defaultRead) listCgroupProcesses(cgroupname string) ([]string, ...
FILE: controller/internal/enforcer/nfqdatapath/autoport_windows.go
method readProcNetTCP (line 5) | func (d *defaultRead) readProcNetTCP() (inodeMap map[string]string, user...
method readOpenSockFD (line 13) | func (d *defaultRead) readOpenSockFD(pid string) []string {
method getCgroupList (line 19) | func (d *defaultRead) getCgroupList() []string {
method listCgroupProcesses (line 23) | func (d *defaultRead) listCgroupProcesses(cgroupname string) ([]string, ...
FILE: controller/internal/enforcer/nfqdatapath/countererrors.go
function appSynCounterFromError (line 8) | func appSynCounterFromError(err error) counters.CounterType {
function appSynAckCounterFromError (line 28) | func appSynAckCounterFromError(err error) counters.CounterType {
function appAckCounterFromError (line 48) | func appAckCounterFromError(err error) counters.CounterType {
function netSynCounterFromError (line 64) | func netSynCounterFromError(err error) counters.CounterType {
function netSynAckCounterFromError (line 88) | func netSynAckCounterFromError(err error) counters.CounterType {
function netAckCounterFromError (line 112) | func netAckCounterFromError(err error) counters.CounterType {
function appUDPSynCounterFromError (line 137) | func appUDPSynCounterFromError(err error) counters.CounterType {
function appUDPSynAckCounterFromError (line 157) | func appUDPSynAckCounterFromError(err error) counters.CounterType {
function appUDPAckCounterFromError (line 177) | func appUDPAckCounterFromError(err error) counters.CounterType {
function netUDPSynCounterFromError (line 193) | func netUDPSynCounterFromError(err error) counters.CounterType {
function netUDPSynAckCounterFromError (line 217) | func netUDPSynAckCounterFromError(err error) counters.CounterType {
function netUDPAckCounterFromError (line 241) | func netUDPAckCounterFromError(err error) counters.CounterType {
FILE: controller/internal/enforcer/nfqdatapath/datapath.go
constant DefaultExternalIPTimeout (line 44) | DefaultExternalIPTimeout = "500ms"
type debugpacketmessage (line 51) | type debugpacketmessage struct
type Datapath (line 61) | type Datapath struct
method cachePut (line 166) | func (d *Datapath) cachePut(cache connection.TCPCache, key string, con...
method cacheGet (line 174) | func (d *Datapath) cacheGet(cache connection.TCPCache, key string) (*c...
method cacheRemove (line 178) | func (d *Datapath) cacheRemove(cache connection.TCPCache, key string) {
method collectCounters (line 300) | func (d *Datapath) collectCounters() {
method counterCollector (line 326) | func (d *Datapath) counterCollector(ctx context.Context) {
method reportErrorCounters (line 339) | func (d *Datapath) reportErrorCounters(pu *pucontext.PUContext) {
method Enforce (line 350) | func (d *Datapath) Enforce(ctx context.Context, contextID string, puIn...
method Unenforce (line 430) | func (d *Datapath) Unenforce(ctx context.Context, contextID string) er...
method SetTargetNetworks (line 506) | func (d *Datapath) SetTargetNetworks(cfg *runtime.Configuration) error {
method GetBPFObject (line 529) | func (d *Datapath) GetBPFObject() ebpf.BPFModule {
method GetFilterQueue (line 534) | func (d *Datapath) GetFilterQueue() fqconfig.FilterQueue {
method Run (line 540) | func (d *Datapath) Run(ctx context.Context) error {
method UpdateSecrets (line 563) | func (d *Datapath) UpdateSecrets(s secrets.Secrets) error {
method secrets (line 573) | func (d *Datapath) secrets() secrets.Secrets {
method PacketLogsEnabled (line 582) | func (d *Datapath) PacketLogsEnabled() bool {
method SetLogLevel (line 590) | func (d *Datapath) SetLogLevel(level constants.LogLevel) error {
method CleanUp (line 604) | func (d *Datapath) CleanUp() error {
method puContextDelegate (line 614) | func (d *Datapath) puContextDelegate(hash string) (*pucontext.PUContex...
method reportFlow (line 624) | func (d *Datapath) reportFlow(p *packet.Packet, src, dst *collector.En...
method contextFromIP (line 662) | func (d *Datapath) contextFromIP(app bool, mark string, port uint16, p...
method EnableDatapathPacketTracing (line 719) | func (d *Datapath) EnableDatapathPacketTracing(ctx context.Context, co...
method EnableIPTablesPacketTracing (line 736) | func (d *Datapath) EnableIPTablesPacketTracing(ctx context.Context, co...
method DebugCollect (line 741) | func (d *Datapath) DebugCollect(ctx context.Context, contextID string,...
method collectUDPPacket (line 746) | func (d *Datapath) collectUDPPacket(msg *debugpacketmessage) {
method collectTCPPacket (line 808) | func (d *Datapath) collectTCPPacket(msg *debugpacketmessage) {
method Ping (line 881) | func (d *Datapath) Ping(ctx context.Context, contextID string, pingCon...
method tcpConnectionExpirationFunc (line 901) | func (d *Datapath) tcpConnectionExpirationFunc(conn *connection.TCPCon...
method GetServiceMeshType (line 945) | func (d *Datapath) GetServiceMeshType() policy.ServiceMesh {
type tracingCacheEntry (line 140) | type tracingCacheEntry struct
function createPolicy (line 144) | func createPolicy(networks []string) policy.IPRuleList {
constant waitBeforeRemovingConn (line 186) | waitBeforeRemovingConn = 5 * time.Second
function New (line 191) | func New(
FILE: controller/internal/enforcer/nfqdatapath/datapath_common_test.go
constant testSrcIP (line 35) | testSrcIP = "10.1.10.76"
constant testDstIP (line 36) | testDstIP = "164.67.228.152"
function procSetValueMock (line 43) | func procSetValueMock(procName string, value int) error {
function newWithDefaults (line 48) | func newWithDefaults(
function NewWithMocks (line 115) | func NewWithMocks(
function testConnectionExpirationNotifier (line 165) | func testConnectionExpirationNotifier(conn *connection.TCPConnection) {
function MockGetUDPRawSocket (line 171) | func MockGetUDPRawSocket() func() {
function CreatePUContext (line 182) | func CreatePUContext(enforcer *Datapath, contextID, namespace string, pu...
function CreatePortPolicy (line 193) | func CreatePortPolicy(enforcer *Datapath, contextID, namespace string, p...
function CreateFlowRecord (line 214) | func CreateFlowRecord(count int, srcIP, destIP string, srcPort, destPort...
function createEnforcerWithPolicy (line 233) | func createEnforcerWithPolicy(ctrl *gomock.Controller, mode constants.Mo...
function createEnforcer (line 250) | func createEnforcer(ctrl *gomock.Controller, mode constants.ModeType) (*...
function createPolicies (line 277) | func createPolicies(srcIP, dstIP string) (*policy.PUInfo, *policy.PUInfo) {
FILE: controller/internal/enforcer/nfqdatapath/datapath_darwin.go
function adjustConntrack (line 16) | func adjustConntrack(mode constants.ModeType) {
method setMark (line 19) | func (d *Datapath) setMark(pkt *packet.Packet, mark uint32) error {
method reverseFlow (line 23) | func (d *Datapath) reverseFlow(pkt *packet.Packet) error {
method drop (line 27) | func (d *Datapath) drop(pkt *packet.Packet) error {
method dropFlow (line 31) | func (d *Datapath) dropFlow(pkt *packet.Packet) error {
method ignoreFlow (line 35) | func (d *Datapath) ignoreFlow(pkt *packet.Packet) error {
method setFlowState (line 39) | func (d *Datapath) setFlowState(pkt *packet.Packet, accepted bool) error {
method startInterceptors (line 43) | func (d *Datapath) startInterceptors(ctx context.Context) {
type pingConn (line 46) | type pingConn struct
method Close (line 55) | func (p *pingConn) Close() error {
method Write (line 60) | func (p *pingConn) Write(data []byte) (int, error) {
method ConstructWirePacket (line 65) | func (p *pingConn) ConstructWirePacket(srcIP, dstIP net.IP, transport ...
function dialIP (line 49) | func dialIP(srcIP, dstIP net.IP) (PingConn, error) {
function bindRandomPort (line 69) | func bindRandomPort(tcpConn *connection.TCPConnection) (uint16, error) {
function closeRandomPort (line 73) | func closeRandomPort(tcpConn *connection.TCPConnection) error {
function isAddrInUseErrno (line 77) | func isAddrInUseErrno(errNo syscall.Errno) bool {
FILE: controller/internal/enforcer/nfqdatapath/datapath_icmp.go
type icmpActionType (line 11) | type icmpActionType
constant icmpAccept (line 14) | icmpAccept icmpActionType = iota
constant icmpDrop (line 15) | icmpDrop
method processNetworkICMPPacket (line 18) | func (d *Datapath) processNetworkICMPPacket(context *pucontext.PUContext...
method processApplicationICMPPacket (line 33) | func (d *Datapath) processApplicationICMPPacket(context *pucontext.PUCon...
FILE: controller/internal/enforcer/nfqdatapath/datapath_linux.go
function procSetValue (line 27) | func procSetValue(procName string, value int) error {
function adjustConntrack (line 43) | func adjustConntrack(mode constants.ModeType) {
method setMark (line 58) | func (d *Datapath) setMark(pkt *packet.Packet, mark uint32) error {
method reverseFlow (line 62) | func (d *Datapath) reverseFlow(pkt *packet.Packet) error {
method drop (line 66) | func (d *Datapath) drop(pkt *packet.Packet) error {
method dropFlow (line 70) | func (d *Datapath) dropFlow(pkt *packet.Packet) error {
method ignoreFlow (line 74) | func (d *Datapath) ignoreFlow(pkt *packet.Packet) error {
method setFlowState (line 78) | func (d *Datapath) setFlowState(pkt *packet.Packet, accepted bool) error {
method startInterceptors (line 82) | func (d *Datapath) startInterceptors(ctx context.Context) {
type pingConn (line 86) | type pingConn struct
method Close (line 108) | func (p *pingConn) Close() error {
method Write (line 113) | func (p *pingConn) Write(data []byte) (int, error) {
method ConstructWirePacket (line 128) | func (p *pingConn) ConstructWirePacket(srcIP, dstIP net.IP, transport ...
function dialIP (line 90) | func dialIP(srcIP, dstIP net.IP) (PingConn, error) {
function bindRandomPort (line 132) | func bindRandomPort(tcpConn *connection.TCPConnection) (uint16, error) {
function closeRandomPort (line 162) | func closeRandomPort(tcpConn *connection.TCPConnection) error {
function packLayers (line 170) | func packLayers(srcIP, dstIP net.IP, transport gpacket.Packet, payload g...
function isAddrInUseErrno (line 190) | func isAddrInUseErrno(errNo syscall.Errno) bool {
FILE: controller/internal/enforcer/nfqdatapath/datapath_tcp.go
method processNetworkTCPPackets (line 38) | func (d *Datapath) processNetworkTCPPackets(p *packet.Packet) (*connecti...
method processApplicationTCPPackets (line 114) | func (d *Datapath) processApplicationTCPPackets(p *packet.Packet) (conn ...
method processApplicationTCPPacket (line 201) | func (d *Datapath) processApplicationTCPPacket(tcpPacket *packet.Packet,...
method processApplicationSynPacket (line 222) | func (d *Datapath) processApplicationSynPacket(tcpPacket *packet.Packet,...
method processApplicationSynAckPacket (line 250) | func (d *Datapath) processApplicationSynAckPacket(tcpPacket *packet.Pack...
method processApplicationAckPacket (line 286) | func (d *Datapath) processApplicationAckPacket(tcpPacket *packet.Packet,...
method processNetworkTCPPacket (line 366) | func (d *Datapath) processNetworkTCPPacket(tcpPacket *packet.Packet, con...
method clientIdentityAllowed (line 387) | func (d *Datapath) clientIdentityAllowed(context *pucontext.PUContext, t...
method processNetworkSynPacket (line 468) | func (d *Datapath) processNetworkSynPacket(context *pucontext.PUContext,...
type policyPair (line 559) | type policyPair struct
method processNetworkSynAckPacket (line 565) | func (d *Datapath) processNetworkSynAckPacket(context *pucontext.PUConte...
method serverIdentityAllowed (line 681) | func (d *Datapath) serverIdentityAllowed(context *pucontext.PUContext, t...
method processNetworkAckPacket (line 743) | func (d *Datapath) processNetworkAckPacket(context *pucontext.PUContext,...
method appSynRetrieveState (line 856) | func (d *Datapath) appSynRetrieveState(p *packet.Packet) (*connection.TC...
method appSynAckRetrieveState (line 882) | func (d *Datapath) appSynAckRetrieveState(p *packet.Packet) (*connection...
method appRetrieveState (line 895) | func (d *Datapath) appRetrieveState(p *packet.Packet) (*connection.TCPCo...
method netSynRetrieveState (line 933) | func (d *Datapath) netSynRetrieveState(p *packet.Packet) (*connection.TC...
method netSynAckRetrieveState (line 961) | func (d *Datapath) netSynAckRetrieveState(p *packet.Packet) (*connection...
method netRetrieveState (line 975) | func (d *Datapath) netRetrieveState(p *packet.Packet) (*connection.TCPCo...
method releaseExternalFlow (line 1011) | func (d *Datapath) releaseExternalFlow(context *pucontext.PUContext, rep...
method releaseUnmonitoredFlow (line 1024) | func (d *Datapath) releaseUnmonitoredFlow(tcpPacket *packet.Packet) {
FILE: controller/internal/enforcer/nfqdatapath/datapath_test.go
function TestEnforcerExternalNetworks (line 36) | func TestEnforcerExternalNetworks(t *testing.T) {
function TestInvalidContext (line 91) | func TestInvalidContext(t *testing.T) {
function TestPacketHandlingFirstThreePacketsHavePayload (line 123) | func TestPacketHandlingFirstThreePacketsHavePayload(t *testing.T) {
function TestInvalidIPContext (line 232) | func TestInvalidIPContext(t *testing.T) {
function TestEnforcerConnUnknownState (line 293) | func TestEnforcerConnUnknownState(t *testing.T) {
function TestInvalidTokenContext (line 349) | func TestInvalidTokenContext(t *testing.T) {
function TestPacketHandlingDstPortCacheBehavior (line 404) | func TestPacketHandlingDstPortCacheBehavior(t *testing.T) {
function TestAckLost (line 498) | func TestAckLost(t *testing.T) {
function TestConnectionTrackerStateLocalContainer (line 626) | func TestConnectionTrackerStateLocalContainer(t *testing.T) {
function CheckAfterAppSynPacket (line 809) | func CheckAfterAppSynPacket(enforcer *Datapath, tcpPacket *packet.Packet) {
function CheckAfterNetSynPacket (line 815) | func CheckAfterNetSynPacket(enforcer *Datapath, tcpPacket, outPacket *pa...
function CheckAfterNetSynAckPacket (line 821) | func CheckAfterNetSynAckPacket(t *testing.T, enforcer *Datapath, tcpPack...
function CheckAfterAppAckPacket (line 827) | func CheckAfterAppAckPacket(enforcer *Datapath, tcpPacket *packet.Packet) {
function CheckBeforeNetAckPacket (line 833) | func CheckBeforeNetAckPacket(enforcer *Datapath, tcpPacket, outPacket *p...
function TestCacheState (line 843) | func TestCacheState(t *testing.T) {
function TestDoCreatePU (line 909) | func TestDoCreatePU(t *testing.T) {
function TestContextFromIP (line 1010) | func TestContextFromIP(t *testing.T) {
function TestInvalidPacket (line 1099) | func TestInvalidPacket(t *testing.T) {
function TestFlowReportingInvalidSyn (line 1147) | func TestFlowReportingInvalidSyn(t *testing.T) {
function TestFlowReportingUptoInvalidSynAck (line 1250) | func TestFlowReportingUptoInvalidSynAck(t *testing.T) {
function TestForPacketsWithRandomFlags (line 1365) | func TestForPacketsWithRandomFlags(t *testing.T) {
function TestPUPortCreation (line 1456) | func TestPUPortCreation(t *testing.T) {
function TestCollectTCPPacket (line 1491) | func TestCollectTCPPacket(t *testing.T) {
function TestEnableDatapathPacketTracing (line 1575) | func TestEnableDatapathPacketTracing(t *testing.T) {
function Test_CheckCounterCollection (line 1603) | func Test_CheckCounterCollection(t *testing.T) {
function Test_CounterReportedOnAuthSetAppSyn (line 1694) | func Test_CounterReportedOnAuthSetAppSyn(t *testing.T) {
function Test_CounterOnSynCacheTimeout (line 1731) | func Test_CounterOnSynCacheTimeout(t *testing.T) {
function Test_NOClaims (line 1777) | func Test_NOClaims(t *testing.T) {
function newPacket (line 1802) | func newPacket(context uint64, tcpFlags uint8, src, dst string, srcPort,...
function TestCheckConnectionDeletion (line 1825) | func TestCheckConnectionDeletion(t *testing.T) {
function TestNetSynRetrieveState (line 1872) | func TestNetSynRetrieveState(t *testing.T) {
function TestAppSynRetrieveState (line 1928) | func TestAppSynRetrieveState(t *testing.T) {
function TestAppSynAckRetrieveState (line 1979) | func TestAppSynAckRetrieveState(t *testing.T) {
function TestNetSynAckRetrieveState (line 2011) | func TestNetSynAckRetrieveState(t *testing.T) {
function TestAppRetrieveState (line 2050) | func TestAppRetrieveState(t *testing.T) {
function TestNetRetrieveState (line 2120) | func TestNetRetrieveState(t *testing.T) {
function TestProcessNetworkSynPacket (line 2199) | func TestProcessNetworkSynPacket(t *testing.T) {
function TestProcessNetworkSynAckPacket (line 2238) | func TestProcessNetworkSynAckPacket(t *testing.T) {
FILE: controller/internal/enforcer/nfqdatapath/datapath_udp.go
constant retransmitDelay (line 24) | retransmitDelay = 200
constant retransmitRetries (line 26) | retransmitRetries = 3
constant ACLCheckMultipler (line 28) | ACLCheckMultipler = retransmitDelay * 12
type DropReason (line 32) | type DropReason
constant InvalidUDPState (line 36) | InvalidUDPState DropReason = "invalidUDPState"
constant PolicyDrop (line 37) | PolicyDrop DropReason = "policyDrop"
function calculatedelay (line 43) | func calculatedelay(retransmitDelay uint32, multiplier uint32) time.Dura...
method ProcessNetworkUDPPacket (line 48) | func (d *Datapath) ProcessNetworkUDPPacket(p *packet.Packet) (conn *conn...
method netSynUDPRetrieveState (line 204) | func (d *Datapath) netSynUDPRetrieveState(p *packet.Packet) (*connection...
method netSynAckUDPRetrieveState (line 224) | func (d *Datapath) netSynAckUDPRetrieveState(p *packet.Packet) (*connect...
method netUDPAckRetrieveState (line 233) | func (d *Datapath) netUDPAckRetrieveState(p *packet.Packet) (*connection...
method processNetUDPPacket (line 251) | func (d *Datapath) processNetUDPPacket(udpPacket *packet.Packet, context...
method ProcessApplicationUDPPacket (line 326) | func (d *Datapath) ProcessApplicationUDPPacket(p *packet.Packet) (conn *...
method appUDPRetrieveState (line 402) | func (d *Datapath) appUDPRetrieveState(p *packet.Packet) (*connection.UD...
method triggerNegotiation (line 423) | func (d *Datapath) triggerNegotiation(udpPacket *packet.Packet, context ...
method writeWithRetransmit (line 535) | func (d *Datapath) writeWithRetransmit(udpPacket *packet.Packet, conn *c...
method clonePacketHeaders (line 571) | func (d *Datapath) clonePacketHeaders(p *packet.Packet) (*packet.Packet,...
method sendUDPSynAckPacket (line 584) | func (d *Datapath) sendUDPSynAckPacket(udpPacket *packet.Packet, context...
method sendUDPAckPacket (line 635) | func (d *Datapath) sendUDPAckPacket(udpPacket *packet.Packet, context *p...
method processNetworkUDPSynPacket (line 720) | func (d *Datapath) processNetworkUDPSynPacket(context *pucontext.PUConte...
method processNetworkUDPSynAckPacket (line 789) | func (d *Datapath) processNetworkUDPSynAckPacket(udpPacket *packet.Packe...
method processNetworkUDPAckPacket (line 827) | func (d *Datapath) processNetworkUDPAckPacket(udpPacket *packet.Packet, ...
method sendUDPFinPacket (line 858) | func (d *Datapath) sendUDPFinPacket(udpPacket *packet.Packet) (err error) {
method sendUDPRstPacket (line 882) | func (d *Datapath) sendUDPRstPacket(udpPacket *packet.Packet, conn *conn...
method processUDPPolicyRstPacket (line 925) | func (d *Datapath) processUDPPolicyRstPacket(udpPacket *packet.Packet, c...
method processUDPFinPacket (line 952) | func (d *Datapath) processUDPFinPacket(udpPacket *packet.Packet) (err er...
method writeUDPSocket (line 990) | func (d *Datapath) writeUDPSocket(buf []byte, udpPacket *packet.Packet) ...
FILE: controller/internal/enforcer/nfqdatapath/datapath_windows.go
function adjustConntrack (line 26) | func adjustConntrack(mode constants.ModeType) {
method reverseFlow (line 29) | func (d *Datapath) reverseFlow(pkt *packet.Packet) error {
method drop (line 46) | func (d *Datapath) drop(pkt *packet.Packet) error {
method setMark (line 55) | func (d *Datapath) setMark(pkt *packet.Packet, mark uint32) error {
method ignoreFlow (line 66) | func (d *Datapath) ignoreFlow(pkt *packet.Packet) error {
method dropFlow (line 76) | func (d *Datapath) dropFlow(pkt *packet.Packet) error {
method setFlowState (line 86) | func (d *Datapath) setFlowState(pkt *packet.Packet, accepted bool) error {
method startInterceptors (line 110) | func (d *Datapath) startInterceptors(ctx context.Context) {
type pingConn (line 117) | type pingConn struct
method Close (line 129) | func (p *pingConn) Close() error {
method Write (line 134) | func (p *pingConn) Write(data []byte) (int, error) {
method ConstructWirePacket (line 163) | func (p *pingConn) ConstructWirePacket(srcIP, dstIP net.IP, transport ...
function dialIP (line 124) | func dialIP(srcIP, dstIP net.IP) (PingConn, error) {
function bindRandomPort (line 186) | func bindRandomPort(tcpConn *connection.TCPConnection) (uint16, error) {
function closeRandomPort (line 216) | func closeRandomPort(tcpConn *connection.TCPConnection) error {
function convertToDriverFormat (line 224) | func convertToDriverFormat(ip net.IP) [4]uint32 {
function isAddrInUseErrno (line 231) | func isAddrInUseErrno(errNo syscall.Errno) bool {
FILE: controller/internal/enforcer/nfqdatapath/diagnostics_tcp.go
method initiateDiagnostics (line 33) | func (d *Datapath) initiateDiagnostics(_ context.Context, contextID stri...
method sendSynPacket (line 76) | func (d *Datapath) sendSynPacket(context *pucontext.PUContext, pingConfi...
method processDiagnosticNetSynPacket (line 142) | func (d *Datapath) processDiagnosticNetSynPacket(
method processDiagnosticNetSynAckPacket (line 219) | func (d *Datapath) processDiagnosticNetSynAckPacket(
function constructTCPPacket (line 280) | func constructTCPPacket(srcIP, dstIP net.IP, srcPort, dstPort uint16, fl...
function getSrcIP (line 326) | func getSrcIP(dstIP net.IP) (net.IP, error) {
function flowTuple (line 342) | func flowTuple(stage uint64, srcIP, dstIP string, srcPort, dstPort uint1...
function packetTuple (line 352) | func packetTuple(stage uint64, srcIP, dstIP string, srcPort, dstPort uin...
function dialWithMark (line 362) | func dialWithMark(srcIP, dstIP net.IP) (net.Conn, error) {
function write (line 381) | func write(conn net.Conn, data []byte) error {
method sendOriginPingReport (line 396) | func (d *Datapath) sendOriginPingReport(
method sendReplyPingReport (line 422) | func (d *Datapath) sendReplyPingReport(
method sendPingReport (line 445) | func (d *Datapath) sendPingReport(
type customIdentity (line 481) | type customIdentity struct
method encode (line 489) | func (c *customIdentity) encode() ([]byte, error) {
method decode (line 504) | func (c *customIdentity) decode(b []byte) error {
FILE: controller/internal/enforcer/nfqdatapath/interfaces.go
type ContextProcessor (line 10) | type ContextProcessor interface
type RuleProcessor (line 16) | type RuleProcessor interface
type Accessor (line 24) | type Accessor interface
type PingConn (line 31) | type PingConn interface
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_common.go
type NFLogger (line 20) | type NFLogger interface
type GetPUContextFunc (line 25) | type GetPUContextFunc
function recordCounters (line 27) | func recordCounters(protocol uint8, dstport uint16, srcport uint16, pu *...
function recordDroppedPacket (line 59) | func recordDroppedPacket(payload []byte, protocol uint8, srcIP, dstIP ne...
function recordFromNFLogData (line 104) | func recordFromNFLogData(payload []byte, prefix string, protocol uint8, ...
function handleFlowReport (line 210) | func handleFlowReport(flowReportCache cache.DataStore, eventCollector co...
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_darwin.go
type nfLog (line 12) | type nfLog struct
method Run (line 21) | func (n *nfLog) Run(ctx context.Context) {}
function NewNFLogger (line 17) | func NewNFLogger(ipv4groupSource, ipv4groupDest uint16, getPUContext Get...
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_linux.go
type nfLog (line 17) | type nfLog struct
method Run (line 41) | func (a *nfLog) Run(ctx context.Context) {
method sourceNFLogsHanlder (line 57) | func (a *nfLog) sourceNFLogsHanlder(buf *nflog.NfPacket, _ interface{}) {
method destNFLogsHandler (line 72) | func (a *nfLog) destNFLogsHandler(buf *nflog.NfPacket, _ interface{}) {
method nflogErrorHandler (line 87) | func (a *nfLog) nflogErrorHandler(err error) {
method recordFromNFLogBuffer (line 92) | func (a *nfLog) recordFromNFLogBuffer(buf *nflog.NfPacket, puIsSource ...
method logExpirationNotifier (line 96) | func (a *nfLog) logExpirationNotifier(_ interface{}, item interface{}) {
function NewNFLogger (line 29) | func NewNFLogger(ipv4groupSource, ipv4groupDest uint16, getPUContext Get...
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_test.go
function TestRecordDroppedPacket (line 21) | func TestRecordDroppedPacket(t *testing.T) {
function dummyPUContext (line 83) | func dummyPUContext(string) (*pucontext.PUContext, error) {
function TestRecordFromNFLogBuffer (line 86) | func TestRecordFromNFLogBuffer(t *testing.T) {
function Test_RecordCounters (line 132) | func Test_RecordCounters(t *testing.T) {
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_windows.go
type NfLogWindows (line 20) | type NfLogWindows struct
method Run (line 41) | func (n *NfLogWindows) Run(ctx context.Context) {
method NfLogHandler (line 45) | func (n *NfLogWindows) NfLogHandler(logPacketInfo *frontman.LogPacketI...
method logExpirationNotifier (line 80) | func (n *NfLogWindows) logExpirationNotifier(_ interface{}, item inter...
function NewNFLogger (line 29) | func NewNFLogger(ipv4groupSource, ipv4groupDest uint16, getPUContext Get...
FILE: controller/internal/enforcer/nfqdatapath/nfq_darwin.go
method cleanupPlatform (line 5) | func (d *Datapath) cleanupPlatform() {}
FILE: controller/internal/enforcer/nfqdatapath/nfq_linux.go
constant allow (line 24) | allow = 1
constant drop (line 25) | drop = 0
constant repeat (line 26) | repeat = 4
constant maxTriesNfq (line 31) | maxTriesNfq = 5
method errorCallback (line 34) | func (d *Datapath) errorCallback(err error, _ interface{}) {
method callback (line 38) | func (d *Datapath) callback(packet *nfqueue.NFPacket, _ interface{}) {
method startInterceptor (line 50) | func (d *Datapath) startInterceptor(ctx context.Context) {
method processNetworkPacketsFromNFQ (line 69) | func (d *Datapath) processNetworkPacketsFromNFQ(p *nfqueue.NFPacket) {
method processApplicationPacketsFromNFQ (line 194) | func (d *Datapath) processApplicationPacketsFromNFQ(p *nfqueue.NFPacket) {
method cleanupPlatform (line 320) | func (d *Datapath) cleanupPlatform() {}
FILE: controller/internal/enforcer/nfqdatapath/nfq_windows.go
method startFrontmanPacketFilter (line 20) | func (d *Datapath) startFrontmanPacketFilter(_ context.Context, nflogger...
method cleanupPlatform (line 184) | func (d *Datapath) cleanupPlatform() {
FILE: controller/internal/enforcer/nfqdatapath/nfq_windows_test.go
type forwardedPacket (line 29) | type forwardedPacket struct
type fakeWrapper (line 37) | type fakeWrapper struct
method queuePacket (line 43) | func (w *fakeWrapper) queuePacket(p *forwardedPacket) {
method GetForwardedPackets (line 49) | func (w *fakeWrapper) GetForwardedPackets() []*forwardedPacket {
method PacketFilterStart (line 57) | func (w *fakeWrapper) PacketFilterStart(firewallName string, receiveCa...
method PacketFilterForward (line 63) | func (w *fakeWrapper) PacketFilterForward(info *frontman.PacketInfo, p...
method GetDestInfo (line 221) | func (w *fakeWrapper) GetDestInfo(socket uintptr, destInfo *frontman.D...
method ApplyDestHandle (line 225) | func (w *fakeWrapper) ApplyDestHandle(socket, destHandle uintptr) error {
method FreeDestHandle (line 229) | func (w *fakeWrapper) FreeDestHandle(destHandle uintptr) error {
method NewIpset (line 233) | func (w *fakeWrapper) NewIpset(name, ipsetType string) (uintptr, error) {
method GetIpset (line 237) | func (w *fakeWrapper) GetIpset(name string) (uintptr, error) {
method DestroyAllIpsets (line 241) | func (w *fakeWrapper) DestroyAllIpsets(prefix string) error {
method ListIpsets (line 245) | func (w *fakeWrapper) ListIpsets() ([]string, error) {
method ListIpsetsDetail (line 249) | func (w *fakeWrapper) ListIpsetsDetail(format int) (string, error) {
method IpsetAdd (line 253) | func (w *fakeWrapper) IpsetAdd(ipsetHandle uintptr, entry string, time...
method IpsetAddOption (line 257) | func (w *fakeWrapper) IpsetAddOption(ipsetHandle uintptr, entry, optio...
method IpsetDelete (line 261) | func (w *fakeWrapper) IpsetDelete(ipsetHandle uintptr, entry string) e...
method IpsetDestroy (line 265) | func (w *fakeWrapper) IpsetDestroy(ipsetHandle uintptr, name string) e...
method IpsetFlush (line 269) | func (w *fakeWrapper) IpsetFlush(ipsetHandle uintptr) error {
method IpsetTest (line 273) | func (w *fakeWrapper) IpsetTest(ipsetHandle uintptr, entry string) (bo...
method AppendFilter (line 277) | func (w *fakeWrapper) AppendFilter(outbound bool, filterName string, i...
method InsertFilter (line 281) | func (w *fakeWrapper) InsertFilter(outbound bool, priority int, filter...
method DestroyFilter (line 285) | func (w *fakeWrapper) DestroyFilter(filterName string) error {
method EmptyFilter (line 289) | func (w *fakeWrapper) EmptyFilter(filterName string) error {
method GetFilterList (line 293) | func (w *fakeWrapper) GetFilterList(outbound bool) ([]string, error) {
method AppendFilterCriteria (line 297) | func (w *fakeWrapper) AppendFilterCriteria(filterName, criteriaName st...
method DeleteFilterCriteria (line 301) | func (w *fakeWrapper) DeleteFilterCriteria(filterName, criteriaName st...
method GetCriteriaList (line 305) | func (w *fakeWrapper) GetCriteriaList(format int) (string, error) {
method PacketFilterClose (line 309) | func (w *fakeWrapper) PacketFilterClose() error {
function Test_WindowsPacketCallbacks (line 78) | func Test_WindowsPacketCallbacks(t *testing.T) {
FILE: controller/internal/enforcer/nfqdatapath/ping_tcp.go
method initiatePingHandshake (line 47) | func (d *Datapath) initiatePingHandshake(_ context.Context, context *puc...
method sendSynPacket (line 72) | func (d *Datapath) sendSynPacket(context *pucontext.PUContext, pingConfi...
method processPingNetSynPacket (line 162) | func (d *Datapath) processPingNetSynPacket(
method sendSynAckPacket (line 221) | func (d *Datapath) sendSynAckPacket(
method processPingNetSynAckPacket (line 287) | func (d *Datapath) processPingNetSynAckPacket(
function respondWithRstPacket (line 364) | func respondWithRstPacket(tcpPacket *tpacket.Packet, payload []byte) err...
method sendRequestRecvReport (line 395) | func (d *Datapath) sendRequestRecvReport(
method sendResponseRecvReport (line 439) | func (d *Datapath) sendResponseRecvReport(
method sendExtResponseRecvReport (line 498) | func (d *Datapath) sendExtResponseRecvReport(
method sendPingReport (line 539) | func (d *Datapath) sendPingReport(
function constructTCPPacket (line 602) | func constructTCPPacket(conn PingConn, srcIP, dstIP net.IP, srcPort, dst...
function getSrcIP (line 647) | func getSrcIP(dstIP net.IP) (net.IP, error) {
function flowTuple (line 663) | func flowTuple(stage uint64, srcIP, dstIP net.IP, srcPort, dstPort uint1...
function isAppListeningInPort (line 675) | func isAppListeningInPort(port uint16) (bool, error) {
function isAddressInUse (line 687) | func isAddressInUse(err error) bool {
FILE: controller/internal/enforcer/nfqdatapath/ping_test.go
function switchAppListening (line 56) | func switchAppListening(enable bool) {
function init (line 66) | func init() {
function setupDatapathAndPUs (line 105) | func setupDatapathAndPUs(ctrl *gomock.Controller, collector collector.Ev...
function wrapIP (line 169) | func wrapIP(d []byte, swap bool, changeSeqNum bool, flags tcp.Flags) ([]...
function Test_ValidPing (line 214) | func Test_ValidPing(t *testing.T) {
function Test_ValidPingAppListening (line 402) | func Test_ValidPingAppListening(t *testing.T) {
function Test_ValidPingAppListeningNoReply (line 592) | func Test_ValidPingAppListeningNoReply(t *testing.T) {
function Test_ValidPingReject (line 785) | func Test_ValidPingReject(t *testing.T) {
function Test_ValidPingUnequalSeqNum (line 972) | func Test_ValidPingUnequalSeqNum(t *testing.T) {
function Test_ValidPingExtNet (line 1139) | func Test_ValidPingExtNet(t *testing.T) {
function Test_PingRequestTimeout (line 1235) | func Test_PingRequestTimeout(t *testing.T) {
FILE: controller/internal/enforcer/nfqdatapath/test_utils.go
type endpointTypeMatcher (line 12) | type endpointTypeMatcher struct
method Matches (line 17) | func (m *endpointTypeMatcher) Matches(x interface{}) bool {
method String (line 33) | func (m *endpointTypeMatcher) String() string {
function EndpointTypeMatcher (line 44) | func EndpointTypeMatcher(x interface{}) gomock.Matcher {
type myMatcher (line 48) | type myMatcher struct
method Matches (line 52) | func (m *myMatcher) Matches(x interface{}) bool {
method String (line 66) | func (m *myMatcher) String() string {
type myGotFormatter (line 72) | type myGotFormatter struct
method Got (line 74) | func (g *myGotFormatter) Got(got interface{}) string {
function MyMatcher (line 81) | func MyMatcher(x interface{}) gomock.Matcher {
type packetEventMatcher (line 85) | type packetEventMatcher struct
method Matches (line 89) | func (p *packetEventMatcher) Matches(x interface{}) bool {
method String (line 95) | func (p *packetEventMatcher) String() string {
function PacketEventMatcher (line 100) | func PacketEventMatcher(x interface{}) gomock.Matcher {
type myCounterMatcher (line 104) | type myCounterMatcher struct
method Matches (line 108) | func (m *myCounterMatcher) Matches(x interface{}) bool {
method String (line 117) | func (m *myCounterMatcher) String() string {
function MyCounterMatcher (line 122) | func MyCounterMatcher(x *collector.CounterReport) gomock.Matcher {
type fakeSecrets (line 126) | type fakeSecrets struct
method setID (line 131) | func (f *fakeSecrets) setID(id string) {
method getID (line 135) | func (f *fakeSecrets) getID() string {
FILE: controller/internal/enforcer/nfqdatapath/test_utils_linux.go
type fakeConn (line 12) | type fakeConn struct
method Close (line 18) | func (f *fakeConn) Close() error {
method Write (line 22) | func (f *fakeConn) Write(b []byte) (int, error) {
method data (line 30) | func (f *fakeConn) data() []byte {
method ConstructWirePacket (line 37) | func (f *fakeConn) ConstructWirePacket(srcIP, dstIP net.IP, transport ...
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/interfaces.go
type TokenAccessor (line 15) | type TokenAccessor interface
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor/mocktokenaccessor.go
type MockTokenAccessor (line 21) | type MockTokenAccessor struct
method EXPECT (line 39) | func (m *MockTokenAccessor) EXPECT() *MockTokenAccessorMockRecorder {
method GetTokenValidity (line 44) | func (m *MockTokenAccessor) GetTokenValidity() time.Duration {
method GetTokenServerID (line 56) | func (m *MockTokenAccessor) GetTokenServerID() string {
method CreateAckPacketToken (line 68) | func (m *MockTokenAccessor) CreateAckPacketToken(proto314 bool, secret...
method CreateSynPacketToken (line 81) | func (m *MockTokenAccessor) CreateSynPacketToken(claims *tokens.Connec...
method CreateSynAckPacketToken (line 94) | func (m *MockTokenAccessor) CreateSynAckPacketToken(proto314 bool, cla...
method ParsePacketToken (line 107) | func (m *MockTokenAccessor) ParsePacketToken(privateKey *ephemeralkeys...
method ParseAckToken (line 125) | func (m *MockTokenAccessor) ParseAckToken(proto314 bool, secretKey, no...
method Randomize (line 137) | func (m *MockTokenAccessor) Randomize(arg0, arg1 []byte) error {
method Sign (line 149) | func (m *MockTokenAccessor) Sign(arg0 []byte, arg1 *ecdsa.PrivateKey) ...
type MockTokenAccessorMockRecorder (line 27) | type MockTokenAccessorMockRecorder struct
method GetTokenValidity (line 51) | func (mr *MockTokenAccessorMockRecorder) GetTokenValidity() *gomock.Ca...
method GetTokenServerID (line 63) | func (mr *MockTokenAccessorMockRecorder) GetTokenServerID() *gomock.Ca...
method CreateAckPacketToken (line 76) | func (mr *MockTokenAccessorMockRecorder) CreateAckPacketToken(proto314...
method CreateSynPacketToken (line 89) | func (mr *MockTokenAccessorMockRecorder) CreateSynPacketToken(claims, ...
method CreateSynAckPacketToken (line 102) | func (mr *MockTokenAccessorMockRecorder) CreateSynAckPacketToken(proto...
method ParsePacketToken (line 120) | func (mr *MockTokenAccessorMockRecorder) ParsePacketToken(privateKey, ...
method ParseAckToken (line 132) | func (mr *MockTokenAccessorMockRecorder) ParseAckToken(proto314, secre...
method Randomize (line 144) | func (mr *MockTokenAccessorMockRecorder) Randomize(arg0, arg1 interfac...
method Sign (line 157) | func (mr *MockTokenAccessorMockRecorder) Sign(arg0, arg1 interface{}) ...
function NewMockTokenAccessor (line 32) | func NewMockTokenAccessor(ctrl *gomock.Controller) *MockTokenAccessor {
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/tokenaccessor.go
type tokenAccessor (line 19) | type tokenAccessor struct
method GetTokenValidity (line 44) | func (t *tokenAccessor) GetTokenValidity() time.Duration {
method GetTokenServerID (line 49) | func (t *tokenAccessor) GetTokenServerID() string {
method CreateAckPacketToken (line 54) | func (t *tokenAccessor) CreateAckPacketToken(proto314 bool, secretKey ...
method Randomize (line 64) | func (t *tokenAccessor) Randomize(token []byte, nonce []byte) error {
method Sign (line 68) | func (t *tokenAccessor) Sign(buf []byte, key *ecdsa.PrivateKey) ([]byt...
method CreateSynPacketToken (line 73) | func (t *tokenAccessor) CreateSynPacketToken(claims *tokens.Connection...
method CreateSynAckPacketToken (line 84) | func (t *tokenAccessor) CreateSynAckPacketToken(proto314 bool, claims ...
method ParsePacketToken (line 95) | func (t *tokenAccessor) ParsePacketToken(privateKey *ephemeralkeys.Pri...
method ParseAckToken (line 118) | func (t *tokenAccessor) ParseAckToken(proto314 bool, secretKey []byte,...
function New (line 26) | func New(serverID string, validity time.Duration, secret secrets.Secrets...
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/tokenaccessor_test.go
function Test_NewTokenAccessor (line 13) | func Test_NewTokenAccessor(t *testing.T) {
FILE: controller/internal/enforcer/nfqdatapath/utils.go
method reportAcceptedFlow (line 11) | func (d *Datapath) reportAcceptedFlow(p *packet.Packet, conn *connection...
method reportRejectedFlow (line 28) | func (d *Datapath) reportRejectedFlow(p *packet.Packet, conn *connection...
method reportUDPAcceptedFlow (line 47) | func (d *Datapath) reportUDPAcceptedFlow(p *packet.Packet, conn *connect...
method reportUDPRejectedFlow (line 56) | func (d *Datapath) reportUDPRejectedFlow(p *packet.Packet, conn *connect...
method reportExternalServiceFlowCommon (line 73) | func (d *Datapath) reportExternalServiceFlowCommon(context *pucontext.PU...
method reportExternalServiceFlow (line 119) | func (d *Datapath) reportExternalServiceFlow(context *pucontext.PUContex...
method reportReverseExternalServiceFlow (line 134) | func (d *Datapath) reportReverseExternalServiceFlow(context *pucontext.P...
method generateEndpoints (line 149) | func (d *Datapath) generateEndpoints(p *packet.Packet, sourceID string, ...
function getTCPConnectionInfo (line 179) | func getTCPConnectionInfo(conn *connection.TCPConnection) (string, strin...
function getUDPConnectionInfo (line 187) | func getUDPConnectionInfo(conn *connection.UDPConnection) (string, strin...
FILE: controller/internal/enforcer/nfqdatapath/utils_test.go
function setupDatapath (line 31) | func setupDatapath(ctrl *gomock.Controller, collector collector.EventCol...
function generateCommonTestData (line 43) | func generateCommonTestData(action policy.ActionType, oaction policy.Obs...
function generateTestEndpoints (line 55) | func generateTestEndpoints(reverse bool) (*collector.EndPoint, *collecto...
function TestReportAcceptedFlow (line 75) | func TestReportAcceptedFlow(t *testing.T) {
function TestReportExternalServiceFlow (line 145) | func TestReportExternalServiceFlow(t *testing.T) {
function TestReportUDPAcceptedFlow (line 198) | func TestReportUDPAcceptedFlow(t *testing.T) {
function TestReportRejectedFlow (line 250) | func TestReportRejectedFlow(t *testing.T) {
function TestReportUDPRejectedFlow (line 323) | func TestReportUDPRejectedFlow(t *testing.T) {
function TestReportDefaultEndpoint (line 396) | func TestReportDefaultEndpoint(t *testing.T) {
FILE: controller/internal/enforcer/proxy/enforcerproxy.go
type ProxyInfo (line 32) | type ProxyInfo struct
method Enforce (line 58) | func (s *ProxyInfo) Enforce(ctx context.Context, contextID string, puI...
method Unenforce (line 109) | func (s *ProxyInfo) Unenforce(ctx context.Context, contextID string) e...
method UpdateSecrets (line 125) | func (s *ProxyInfo) UpdateSecrets(token secrets.Secrets) error {
method SetLogLevel (line 153) | func (s *ProxyInfo) SetLogLevel(level constants.LogLevel) error {
method CleanUp (line 178) | func (s *ProxyInfo) CleanUp() error {
method EnableDatapathPacketTracing (line 239) | func (s *ProxyInfo) EnableDatapathPacketTracing(ctx context.Context, c...
method EnableIPTablesPacketTracing (line 259) | func (s *ProxyInfo) EnableIPTablesPacketTracing(ctx context.Context, c...
method SetTargetNetworks (line 278) | func (s *ProxyInfo) SetTargetNetworks(cfg *runtime.Configuration) error {
method GetBPFObject (line 306) | func (s *ProxyInfo) GetBPFObject() ebpf.BPFModule {
method GetServiceMeshType (line 311) | func (s *ProxyInfo) GetServiceMeshType() policy.ServiceMesh {
method GetFilterQueue (line 316) | func (s *ProxyInfo) GetFilterQueue() fqconfig.FilterQueue {
method Run (line 321) | func (s *ProxyInfo) Run(ctx context.Context) error {
method Ping (line 338) | func (s *ProxyInfo) Ping(ctx context.Context, contextID string, pingCo...
method DebugCollect (line 359) | func (s *ProxyInfo) DebugCollect(ctx context.Context, contextID string...
method initRemoteEnforcer (line 383) | func (s *ProxyInfo) initRemoteEnforcer(contextID string) error {
function NewProxyEnforcer (line 408) | func NewProxyEnforcer(
FILE: controller/internal/enforcer/proxy/enforcerproxy_test.go
constant procMountPoint (line 27) | procMountPoint = "/proc"
function init (line 34) | func init() {
function eventCollector (line 81) | func eventCollector() collector.EventCollector {
function secretGen (line 86) | func secretGen() secrets.Secrets {
function createPUInfo (line 92) | func createPUInfo() *policy.PUInfo {
function setupProxyEnforcer (line 122) | func setupProxyEnforcer() enforcer.Enforcer {
function TestNewDefaultProxyEnforcer (line 155) | func TestNewDefaultProxyEnforcer(t *testing.T) {
function TestInitRemoteEnforcer (line 172) | func TestInitRemoteEnforcer(t *testing.T) {
function TestEnforce (line 193) | func TestEnforce(t *testing.T) {
function TestUnenforce (line 246) | func TestUnenforce(t *testing.T) {
function TestUpdateSecrets (line 277) | func TestUpdateSecrets(t *testing.T) {
function TestCleanup (line 314) | func TestCleanup(t *testing.T) {
function TestEnableDatapathPacketTracing (line 342) | func TestEnableDatapathPacketTracing(t *testing.T) {
function TestEnableIPTablesPacketTracing (line 371) | func TestEnableIPTablesPacketTracing(t *testing.T) {
function TestSetTargetNetworks (line 400) | func TestSetTargetNetworks(t *testing.T) {
function TestPostReportEvent (line 436) | func TestPostReportEvent(t *testing.T) {
FILE: controller/internal/enforcer/proxy/rpcserver.go
type ProxyRPCServer (line 15) | type ProxyRPCServer struct
method PostStats (line 24) | func (r *ProxyRPCServer) PostStats(req rpcwrapper.Request, resp *rpcwr...
method RetrieveToken (line 46) | func (r *ProxyRPCServer) RetrieveToken(req rpcwrapper.Request, resp *r...
method PostReportEvent (line 75) | func (r *ProxyRPCServer) PostReportEvent(req rpcwrapper.Request, resp ...
FILE: controller/internal/enforcer/secretsproxy/secretsproxy.go
type SecretsProxy (line 31) | type SecretsProxy struct
method Run (line 56) | func (s *SecretsProxy) Run(ctx context.Context) error {
method Enforce (line 84) | func (s *SecretsProxy) Enforce(puInfo *policy.PUInfo) error {
method Unenforce (line 89) | func (s *SecretsProxy) Unenforce(contextID string) error {
method GetFilterQueue (line 94) | func (s *SecretsProxy) GetFilterQueue() *fqconfig.FilterQueue {
method UpdateSecrets (line 100) | func (s *SecretsProxy) UpdateSecrets(secret secrets.Secrets) error {
method apiProcessor (line 107) | func (s *SecretsProxy) apiProcessor(w http.ResponseWriter, r *http.Req...
method updateService (line 192) | func (s *SecretsProxy) updateService(puInfo *policy.PUInfo) error {
method deleteService (line 242) | func (s *SecretsProxy) deleteService(contextID string) error {
function NewSecretsProxy (line 43) | func NewSecretsProxy() *SecretsProxy {
function httpError (line 258) | func httpError(w http.ResponseWriter, err error, msg string, number int) {
function ValidateOriginProcess (line 264) | func ValidateOriginProcess(pid string) (string, error) {
function processCgroups (line 288) | func processCgroups(pid string, cgroupType string) (string, error) {
function findParentCgroup (line 316) | func findParentCgroup(pid string) (string, error) {
FILE: controller/internal/enforcer/secretsproxy/secretsproxy_windows.go
type SecretsProxy (line 15) | type SecretsProxy struct
method Run (line 25) | func (s *SecretsProxy) Run(ctx context.Context) error {
method Enforce (line 30) | func (s *SecretsProxy) Enforce(puInfo *policy.PUInfo) error {
method Unenforce (line 35) | func (s *SecretsProxy) Unenforce(contextID string) error {
method GetFilterQueue (line 40) | func (s *SecretsProxy) GetFilterQueue() *fqconfig.FilterQueue {
method UpdateSecrets (line 46) | func (s *SecretsProxy) UpdateSecrets(secret secrets.Secrets) error {
function NewSecretsProxy (line 19) | func NewSecretsProxy() *SecretsProxy {
FILE: controller/internal/enforcer/secretsproxy/transformer.go
type SecretsDriver (line 15) | type SecretsDriver interface
type GenericSecretsDriver (line 22) | type GenericSecretsDriver struct
method Transport (line 68) | func (k *GenericSecretsDriver) Transport() http.RoundTripper {
method Transform (line 73) | func (k *GenericSecretsDriver) Transform(r *http.Request) error {
function NewGenericSecretsDriver (line 31) | func NewGenericSecretsDriver(ca []byte, token string, network *common.Se...
FILE: controller/internal/enforcer/utils/ephemeralkeys/ephemeralkeys.go
type PrivateKey (line 15) | type PrivateKey struct
type ephemeralKey (line 20) | type ephemeralKey struct
method PrivateKey (line 92) | func (k *ephemeralKey) PrivateKey() *PrivateKey {
method DecodingKeyV1 (line 98) | func (k *ephemeralKey) DecodingKeyV1() []byte {
method DecodingKeyV2 (line 104) | func (k *ephemeralKey) DecodingKeyV2() []byte {
constant keyInterval (line 27) | keyInterval = 5 * time.Minute
function New (line 30) | func New() (KeyAccessor, error) {
function NewWithRenewal (line 50) | func NewWithRenewal() (KeyAccessor, error) {
function GetDatapathSecret (line 114) | func GetDatapathSecret() secrets.Secrets {
function UpdateDatapathSecrets (line 121) | func UpdateDatapathSecrets(s secrets.Secrets) {
FILE: controller/internal/enforcer/utils/ephemeralkeys/interfaces.go
type KeyAccessor (line 4) | type KeyAccessor interface
FILE: controller/internal/enforcer/utils/ephemeralkeys/mockephemeralkeys/mockephemeralkeys.go
type MockKeyAccessor (line 16) | type MockKeyAccessor struct
method EXPECT (line 37) | func (m *MockKeyAccessor) EXPECT() *MockKeyAccessorMockRecorder {
method PrivateKey (line 43) | func (m *MockKeyAccessor) PrivateKey() *ecdsa.PrivateKey {
method DecodingKey (line 59) | func (m *MockKeyAccessor) DecodingKey() []byte {
type MockKeyAccessorMockRecorder (line 23) | type MockKeyAccessorMockRecorder struct
method PrivateKey (line 52) | func (mr *MockKeyAccessorMockRecorder) PrivateKey() *gomock.Call {
method DecodingKey (line 68) | func (mr *MockKeyAccessorMockRecorder) DecodingKey() *gomock.Call {
function NewMockKeyAccessor (line 29) | func NewMockKeyAccessor(ctrl *gomock.Controller) *MockKeyAccessor {
FILE: controller/internal/enforcer/utils/nsenter/nsenter.c
function nsexec (line 16) | void nsexec(void) {
FILE: controller/internal/enforcer/utils/packetgen/interfaces.go
type PacketFlowType (line 9) | type PacketFlowType
constant PacketFlowTypeGenerateGoodFlow (line 13) | PacketFlowTypeGenerateGoodFlow PacketFlowType = iota
constant PacketFlowTypeGoodFlowTemplate (line 15) | PacketFlowTypeGoodFlowTemplate
constant PacketFlowTypeMultipleGoodFlow (line 17) | PacketFlowTypeMultipleGoodFlow
constant PacketFlowTypeMultipleIntervenedFlow (line 19) | PacketFlowTypeMultipleIntervenedFlow
type EthernetPacketManipulator (line 23) | type EthernetPacketManipulator interface
type IPPacketManipulator (line 31) | type IPPacketManipulator interface
type TCPPacketManipulator (line 41) | type TCPPacketManipulator interface
type PacketHelper (line 90) | type PacketHelper interface
type PacketManipulator (line 98) | type PacketManipulator interface
type PacketFlowManipulator (line 107) | type PacketFlowManipulator interface
type Packet (line 135) | type Packet struct
type PacketFlow (line 144) | type PacketFlow struct
FILE: controller/internal/enforcer/utils/packetgen/packet_gen.go
function NewPacket (line 16) | func NewPacket() PacketManipulator {
method AddEthernetLayer (line 22) | func (p *Packet) AddEthernetLayer(srcMACstr string, dstMACstr string) er...
method GetEthernetPacket (line 55) | func (p *Packet) GetEthernetPacket() layers.Ethernet {
method AddIPLayer (line 61) | func (p *Packet) AddIPLayer(srcIPstr string, dstIPstr string) error {
method GetIPChecksum (line 96) | func (p *Packet) GetIPChecksum() uint16 {
method GetIPPacket (line 102) | func (p *Packet) GetIPPacket() layers.IPv4 {
method AddTCPLayer (line 108) | func (p *Packet) AddTCPLayer(srcPort layers.TCPPort, dstPort layers.TCPP...
method GetTCPPacket (line 145) | func (p *Packet) GetTCPPacket() layers.TCP {
method GetTCPSequenceNumber (line 151) | func (p *Packet) GetTCPSequenceNumber() uint32 {
method GetTCPAcknowledgementNumber (line 157) | func (p *Packet) GetTCPAcknowledgementNumber() uint32 {
method GetTCPWindow (line 163) | func (p *Packet) GetTCPWindow() uint16 {
method GetTCPSyn (line 169) | func (p *Packet) GetTCPSyn() bool {
method GetTCPAck (line 175) | func (p *Packet) GetTCPAck() bool {
method GetTCPFin (line 181) | func (p *Packet) GetTCPFin() bool {
method GetTCPChecksum (line 187) | func (p *Packet) GetTCPChecksum() uint16 {
method SetTCPSequenceNumber (line 193) | func (p *Packet) SetTCPSequenceNumber(seqNum uint32) {
method SetTCPAcknowledgementNumber (line 200) | func (p *Packet) SetTCPAcknowledgementNumber(ackNum uint32) {
method SetTCPWindow (line 207) | func (p *Packet) SetTCPWindow(window uint16) {
method SetTCPSyn (line 214) | func (p *Packet) SetTCPSyn() {
method SetTCPSynAck (line 222) | func (p *Packet) SetTCPSynAck() {
method SetTCPAck (line 230) | func (p *Packet) SetTCPAck() {
method SetTCPCwr (line 238) | func (p *Packet) SetTCPCwr() {
method SetTCPEce (line 243) | func (p *Packet) SetTCPEce() {
method SetTCPUrg (line 248) | func (p *Packet) SetTCPUrg() {
method SetTCPPsh (line 253) | func (p *Packet) SetTCPPsh() {
method SetTCPRst (line 258) | func (p *Packet) SetTCPRst() {
method SetTCPFin (line 263) | func (p *Packet) SetTCPFin() {
method NewTCPPayload (line 268) | func (p *Packet) NewTCPPayload(newPayload string) error {
method ToBytes (line 280) | func (p *Packet) ToBytes() ([]byte, error) {
function NewTemplateFlow (line 308) | func NewTemplateFlow() PacketFlowManipulator {
method AddPacket (line 314) | func (p *Packet) AddPacket(packet gopacket.Packet) {
method DecodePacket (line 321) | func (p *Packet) DecodePacket() PacketManipulator {
function NewPacketFlow (line 381) | func NewPacketFlow(smac string, dmac string, sip string, dip string, spo...
method GenerateTCPFlow (line 397) | func (p *PacketFlow) GenerateTCPFlow(pt PacketFlowType) (PacketFlowManip...
method GenerateTCPFlowPayload (line 503) | func (p *PacketFlow) GenerateTCPFlowPayload(newPayload string) PacketFlo...
method AppendPacket (line 509) | func (p *PacketFlow) AppendPacket(pm PacketManipulator) int {
method getMatchPackets (line 517) | func (p *PacketFlow) getMatchPackets(syn, ack, fin bool) PacketFlowManip...
method GetFirstSynPacket (line 531) | func (p *PacketFlow) GetFirstSynPacket() PacketManipulator {
method GetFirstSynAckPacket (line 537) | func (p *PacketFlow) GetFirstSynAckPacket() PacketManipulator {
method GetFirstAckPacket (line 543) | func (p *PacketFlow) GetFirstAckPacket() PacketManipulator {
method GetSynPackets (line 549) | func (p *PacketFlow) GetSynPackets() PacketFlowManipulator {
method GetSynAckPackets (line 555) | func (p *PacketFlow) GetSynAckPackets() PacketFlowManipulator {
method GetAckPackets (line 561) | func (p *PacketFlow) GetAckPackets() PacketFlowManipulator {
method GetUptoFirstSynAckPacket (line 567) | func (p *PacketFlow) GetUptoFirstSynAckPacket() PacketFlowManipulator {
method GetUptoFirstAckPacket (line 585) | func (p *PacketFlow) GetUptoFirstAckPacket() PacketFlowManipulator {
method GetNthPacket (line 603) | func (p *PacketFlow) GetNthPacket(index int) PacketManipulator {
method GetNumPackets (line 615) | func (p *PacketFlow) GetNumPackets() int {
FILE: controller/internal/enforcer/utils/packetgen/packet_gen_test.go
function TestTypeInterface (line 11) | func TestTypeInterface(t *testing.T) {
FILE: controller/internal/enforcer/utils/packetgen/packet_templates.go
function init (line 12) | func init() {
FILE: controller/internal/enforcer/utils/rpcwrapper/interfaces.go
type RPCClient (line 6) | type RPCClient interface
type RPCServer (line 16) | type RPCServer interface
FILE: controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper/mockrpcwrapper.go
type MockRPCClient (line 17) | type MockRPCClient struct
method EXPECT (line 38) | func (m *MockRPCClient) EXPECT() *MockRPCClientMockRecorder {
method NewRPCClient (line 44) | func (m *MockRPCClient) NewRPCClient(contextID, channel, rpcSecret str...
method GetRPCClient (line 60) | func (m *MockRPCClient) GetRPCClient(contextID string) (*rpcwrapper.RP...
method RemoteCall (line 77) | func (m *MockRPCClient) RemoteCall(contextID, methodName string, req *...
method DestroyRPCClient (line 93) | func (m *MockRPCClient) DestroyRPCClient(contextID string) {
method ContextList (line 107) | func (m *MockRPCClient) ContextList() []string {
method CheckValidity (line 123) | func (m *MockRPCClient) CheckValidity(req *rpcwrapper.Request, secret ...
type MockRPCClientMockRecorder (line 24) | type MockRPCClientMockRecorder struct
method NewRPCClient (line 53) | func (mr *MockRPCClientMockRecorder) NewRPCClient(contextID, channel, ...
method GetRPCClient (line 70) | func (mr *MockRPCClientMockRecorder) GetRPCClient(contextID interface{...
method RemoteCall (line 86) | func (mr *MockRPCClientMockRecorder) RemoteCall(contextID, methodName,...
method DestroyRPCClient (line 100) | func (mr *MockRPCClientMockRecorder) DestroyRPCClient(contextID interf...
method ContextList (line 116) | func (mr *MockRPCClientMockRecorder) ContextList() *gomock.Call {
method CheckValidity (line 132) | func (mr *MockRPCClientMockRecorder) CheckValidity(req, secret interfa...
function NewMockRPCClient (line 30) | func NewMockRPCClient(ctrl *gomock.Controller) *MockRPCClient {
type MockRPCServer (line 139) | type MockRPCServer struct
method EXPECT (line 160) | func (m *MockRPCServer) EXPECT() *MockRPCServerMockRecorder {
method StartServer (line 166) | func (m *MockRPCServer) StartServer(ctx context.Context, protocol, pat...
method ProcessMessage (line 182) | func (m *MockRPCServer) ProcessMessage(req *rpcwrapper.Request, secret...
method CheckValidity (line 198) | func (m *MockRPCServer) CheckValidity(req *rpcwrapper.Request, secret ...
type MockRPCServerMockRecorder (line 146) | type MockRPCServerMockRecorder struct
method StartServer (line 175) | func (mr *MockRPCServerMockRecorder) StartServer(ctx, protocol, path, ...
method ProcessMessage (line 191) | func (mr *MockRPCServerMockRecorder) ProcessMessage(req, secret interf...
method CheckValidity (line 207) | func (mr *MockRPCServerMockRecorder) CheckValidity(req, secret interfa...
function NewMockRPCServer (line 152) | func NewMockRPCServer(ctrl *gomock.Controller) *MockRPCServer {
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_handle.go
type RPCHdl (line 28) | type RPCHdl struct
type RPCWrapper (line 35) | type RPCWrapper struct
method NewRPCClient (line 57) | func (r *RPCWrapper) NewRPCClient(contextID string, channel string, sh...
method GetRPCClient (line 87) | func (r *RPCWrapper) GetRPCClient(contextID string) (*RPCHdl, error) {
method RemoteCall (line 101) | func (r *RPCWrapper) RemoteCall(contextID string, methodName string, r...
method CheckValidity (line 124) | func (r *RPCWrapper) CheckValidity(req *Request, secret string) bool {
method StartServer (line 149) | func (r *RPCWrapper) StartServer(ctx context.Context, protocol string,...
method DestroyRPCClient (line 199) | func (r *RPCWrapper) DestroyRPCClient(contextID string) {
method ContextList (line 231) | func (r *RPCWrapper) ContextList() []string {
method ProcessMessage (line 243) | func (r *RPCWrapper) ProcessMessage(req *Request, secret string) bool {
function NewRPCWrapper (line 42) | func NewRPCWrapper() *RPCWrapper {
constant maxRetries (line 52) | maxRetries = 10000
constant envRetryString (line 53) | envRetryString = "REMOTE_RPCRETRIES"
function NewRPCServer (line 141) | func NewRPCServer() RPCServer {
function payloadHash (line 249) | func payloadHash(payload interface{}) ([]byte, error) {
function RegisterTypes (line 261) | func RegisterTypes() {
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_handlemock.go
type MockRPCHdl (line 11) | type MockRPCHdl struct
type mockedMethods (line 16) | type mockedMethods struct
type TestRPCClient (line 28) | type TestRPCClient interface
type TestRPCServer (line 39) | type TestRPCServer interface
type testRPC (line 46) | type testRPC struct
method MockNewRPCClient (line 69) | func (m *testRPC) MockNewRPCClient(t *testing.T, impl func(contextID s...
method MockGetRPCClient (line 74) | func (m *testRPC) MockGetRPCClient(t *testing.T, impl func(contextID s...
method MockRemoteCall (line 79) | func (m *testRPC) MockRemoteCall(t *testing.T, impl func(contextID str...
method MockDestroyRPCClient (line 84) | func (m *testRPC) MockDestroyRPCClient(t *testing.T, impl func(context...
method MockStartServer (line 89) | func (m *testRPC) MockStartServer(t *testing.T, impl func(ctx context....
method MockProcessMessage (line 95) | func (m *testRPC) MockProcessMessage(t *testing.T, impl func(req *Requ...
method MockContextList (line 100) | func (m *testRPC) MockContextList(t *testing.T, impl func() []string) {
method MockCheckValidity (line 105) | func (m *testRPC) MockCheckValidity(t *testing.T, impl func(req *Reque...
method NewRPCClient (line 110) | func (m *testRPC) NewRPCClient(contextID string, channel string, secre...
method GetRPCClient (line 118) | func (m *testRPC) GetRPCClient(contextID string) (*RPCHdl, error) {
method RemoteCall (line 126) | func (m *testRPC) RemoteCall(contextID string, methodName string, req ...
method DestroyRPCClient (line 134) | func (m *testRPC) DestroyRPCClient(contextID string) {
method CheckValidity (line 142) | func (m *testRPC) CheckValidity(req *Request, secret string) bool {
method StartServer (line 150) | func (m *testRPC) StartServer(ctx context.Context, protocol string, pa...
method ProcessMessage (line 158) | func (m *testRPC) ProcessMessage(req *Request, secret string) bool {
method ContextList (line 166) | func (m *testRPC) ContextList() []string {
method currentMocks (line 174) | func (m *testRPC) currentMocks(t *testing.T) *mockedMethods {
function NewTestRPCServer (line 53) | func NewTestRPCServer() TestRPCServer {
function NewTestRPCClient (line 61) | func NewTestRPCClient() TestRPCClient {
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_handletest.go
constant defaultchannel (line 12) | defaultchannel = "/tmp/test.sock"
function TestNewRPCClient (line 16) | func TestNewRPCClient(t *testing.T) {
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_testhelper.go
function asyncRpcclient (line 3) | func asyncRpcclient(resp chan<- error, rpchdl *RPCWrapper) {
FILE: controller/internal/enforcer/utils/rpcwrapper/types.go
type CaptureType (line 16) | type CaptureType
constant IPTables (line 20) | IPTables CaptureType = iota
constant IPSets (line 22) | IPSets
type PayloadType (line 26) | type PayloadType
constant PacketReport (line 30) | PacketReport PayloadType = iota
constant DNSReport (line 31) | DNSReport
constant CounterReport (line 32) | CounterReport
constant PingReport (line 33) | PingReport
constant ConnectionExceptionReport (line 34) | ConnectionExceptionReport
type Request (line 38) | type Request struct
constant SUCCESS (line 46) | SUCCESS = 0
type Response (line 51) | type Response struct
type InitRequestPayload (line 57) | type InitRequestPayload struct
type UpdateSecretsPayload (line 73) | type UpdateSecretsPayload struct
type EnforcePayload (line 78) | type EnforcePayload struct
type UnEnforcePayload (line 85) | type UnEnforcePayload struct
type SetLogLevelPayload (line 90) | type SetLogLevelPayload struct
type StatsPayload (line 95) | type StatsPayload struct
type ReportPayload (line 101) | type ReportPayload struct
type SetTargetNetworksPayload (line 107) | type SetTargetNetworksPayload struct
type EnableIPTablesPacketTracingPayLoad (line 112) | type EnableIPTablesPacketTracingPayLoad struct
type EnableDatapathPacketTracingPayLoad (line 119) | type EnableDatapathPacketTracingPayLoad struct
type TokenRequestPayload (line 126) | type TokenRequestPayload struct
type TokenResponsePayload (line 134) | type TokenResponsePayload struct
type PingPayload (line 139) | type PingPayload struct
type DebugCollectPayload (line 145) | type DebugCollectPayload struct
type DebugCollectResponsePayload (line 153) | type DebugCollectResponsePayload struct
FILE: controller/internal/processmon/interfaces.go
type ProcessManager (line 8) | type ProcessManager interface
FILE: controller/internal/processmon/mockprocessmon/mockprocessmon.go
type MockProcessManager (line 16) | type MockProcessManager struct
method EXPECT (line 37) | func (m *MockProcessManager) EXPECT() *MockProcessManagerMockRecorder {
method KillRemoteEnforcer (line 43) | func (m *MockProcessManager) KillRemoteEnforcer(contextID string, forc...
method LaunchRemoteEnforcer (line 59) | func (m *MockProcessManager) LaunchRemoteEnforcer(contextID string, re...
type MockProcessManagerMockRecorder (line 23) | type MockProcessManagerMockRecorder struct
method KillRemoteEnforcer (line 52) | func (mr *MockProcessManagerMockRecorder) KillRemoteEnforcer(contextID...
method LaunchRemoteEnforcer (line 69) | func (mr *MockProcessManagerMockRecorder) LaunchRemoteEnforcer(context...
function NewMockProcessManager (line 29) | func NewMockProcessManager(ctrl *gomock.Controller) *MockProcessManager {
FILE: controller/internal/processmon/processmon.go
constant processMonitorCacheName (line 33) | processMonitorCacheName = "ProcessMonitorCache"
constant secretLength (line 34) | secretLength = 32
type RemoteMonitor (line 46) | type RemoteMonitor struct
method LaunchRemoteEnforcer (line 113) | func (p *RemoteMonitor) LaunchRemoteEnforcer(
method KillRemoteEnforcer (line 251) | func (p *RemoteMonitor) KillRemoteEnforcer(contextID string, force boo...
method collectChildExitStatus (line 305) | func (p *RemoteMonitor) collectChildExitStatus(ctx context.Context) {
method getLaunchProcessEnvVars (line 376) | func (p *RemoteMonitor) getLaunchProcessEnvVars(
type processInfo (line 72) | type processInfo struct
type exitStatus (line 79) | type exitStatus struct
function New (line 88) | func New(ctx context.Context, p *env.RemoteParameters, c chan *policy.Ru...
function getCmdReader (line 356) | func getCmdReader(cmd *exec.Cmd) (io.ReadCloser, error) {
function getLaunchProcessCmd (line 369) | func getLaunchProcessCmd(arg string) (cmd *exec.Cmd, cmdName string, cmd...
function contextID2SocketPath (line 416) | func contextID2SocketPath(contextID string) string {
FILE: controller/internal/processmon/processmon_linux_test.go
constant testDirBase (line 21) | testDirBase = "/tmp"
function TestLaunchProcess (line 24) | func TestLaunchProcess(t *testing.T) {
FILE: controller/internal/processmon/processmon_test.go
function launchContainer (line 25) | func launchContainer(path string) int {
function killContainer (line 49) | func killContainer() {
function fakeExecCommand (line 55) | func fakeExecCommand(command string, args ...string) *exec.Cmd {
function cleanupErrChannel (line 64) | func cleanupErrChannel(errChannel chan *policy.RuntimeError) {
function TestCmdHelper (line 77) | func TestCmdHelper(t *testing.T) {
function Test_KillRemoteEnforcer (line 85) | func Test_KillRemoteEnforcer(t *testing.T) {
function Test_CollectExitStatus (line 191) | func Test_CollectExitStatus(t *testing.T) {
FILE: controller/internal/processmon/processmon_windows.go
type remoteMonitor (line 14) | type remoteMonitor struct
method LaunchRemoteEnforcer (line 23) | func (p *remoteMonitor) LaunchRemoteEnforcer(
method KillRemoteEnforcer (line 36) | func (p *remoteMonitor) KillRemoteEnforcer(contextID string, force boo...
function New (line 18) | func New(ctx context.Context, p *env.RemoteParameters, c chan *policy.Ru...
FILE: controller/internal/processmon/testbinary/testbinary.go
function main (line 5) | func main() {
FILE: controller/internal/supervisor/interfaces.go
type Supervisor (line 13) | type Supervisor interface
type Implementor (line 35) | type Implementor interface
FILE: controller/internal/supervisor/iptablesctrl/acls.go
constant numPackets (line 23) | numPackets = "100"
constant initialCount (line 24) | initialCount = "99"
function init (line 35) | func init() {
type rulesInfo (line 46) | type rulesInfo struct
method cgroupChainRules (line 60) | func (i *iptables) cgroupChainRules(cfg *ACLInfo) [][]string {
method containerChainRules (line 96) | func (i *iptables) containerChainRules(cfg *ACLInfo) [][]string {
method istioRules (line 111) | func (i *iptables) istioRules(cfg *ACLInfo) [][]string {
method proxyRules (line 130) | func (i *iptables) proxyRules(cfg *ACLInfo) [][]string {
method proxyDNSRules (line 148) | func (i *iptables) proxyDNSRules(cfg *ACLInfo) [][]string {
method extractPreNetworkACLRules (line 166) | func (i *iptables) extractPreNetworkACLRules(cfg *ACLInfo) [][]string {
method trapRules (line 182) | func (i *iptables) trapRules(cfg *ACLInfo, isHostPU bool, appAnyRules, n...
method getProtocolAnyRules (line 248) | func (i *iptables) getProtocolAnyRules(cfg *ACLInfo, appRules, netRules ...
function extractACLsFromTemplate (line 272) | func extractACLsFromTemplate(rulesBucket *rulesInfo) ([][]string, error) {
function extractProtocolAnyRules (line 290) | func extractProtocolAnyRules(rules []aclIPset) (anyRules []aclIPset, oth...
method processRulesFromList (line 309) | func (i *iptables) processRulesFromList(rulelist [][]string, methodType ...
method addChainRules (line 349) | func (i *iptables) addChainRules(cfg *ACLInfo) error {
method addPacketTrap (line 358) | func (i *iptables) addPacketTrap(cfg *ACLInfo, isHostPU bool, appAnyRule...
method programExtensionsRules (line 364) | func (i *iptables) programExtensionsRules(contextID string, rule *aclIPs...
method programNflogExtensionRule (line 394) | func (i *iptables) programNflogExtensionRule(contextID string, rule *acl...
method sortACLsInBuckets (line 429) | func (i *iptables) sortACLsInBuckets(cfg *ACLInfo, chain string, reverse...
method addExternalACLs (line 496) | func (i *iptables) addExternalACLs(cfg *ACLInfo, chain string, reverseCh...
method addPreNetworkACLRules (line 516) | func (i *iptables) addPreNetworkACLRules(cfg *ACLInfo) error {
method deleteChainRules (line 528) | func (i *iptables) deleteChainRules(cfg *ACLInfo) error {
method setGlobalRules (line 538) | func (i *iptables) setGlobalRules() error {
method removeGlobalHooks (line 653) | func (i *iptables) removeGlobalHooks(cfg *ACLInfo) error {
method generateACLRules (line 670) | func (i *iptables) generateACLRules(cfg *ACLInfo, rule *aclIPset, chain ...
FILE: controller/internal/supervisor/iptablesctrl/acls_darwin.go
method aclSkipProto (line 3) | func (i *iptables) aclSkipProto(proto string) bool {
method legacyPuChainRules (line 7) | func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
FILE: controller/internal/supervisor/iptablesctrl/acls_linux.go
method aclSkipProto (line 5) | func (i *iptables) aclSkipProto(proto string) bool {
method legacyPuChainRules (line 9) | func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
FILE: controller/internal/supervisor/iptablesctrl/acls_nonwindows.go
method addContainerChain (line 22) | func (i *iptables) addContainerChain(cfg *ACLInfo) error {
method deletePUChains (line 42) | func (i *iptables) deletePUChains(cfg *ACLInfo) error {
function transformACLRules (line 79) | func transformACLRules(aclRules [][]string, cfg *ACLInfo, rulesBucket *r...
method platformInit (line 84) | func (i *iptables) platformInit() error {
method cleanACLs (line 88) | func (i *iptables) cleanACLs() error { // nolint
function generateUDPACLRule (line 105) | func generateUDPACLRule() []string {
function targetUDPNetworkClause (line 109) | func targetUDPNetworkClause(rule *aclIPset, targetUDPName string, ipMatc...
function connmarkUDPConnmarkClause (line 113) | func connmarkUDPConnmarkClause() []string {
FILE: controller/internal/supervisor/iptablesctrl/acls_rhel6.go
constant tcpProto (line 17) | tcpProto = "tcp"
constant icmpProto (line 18) | icmpProto = "icmp"
constant udpProto (line 19) | udpProto = "udp"
method aclSkipProto (line 22) | func (i *iptables) aclSkipProto(proto string) bool {
method legacyPuChainRules (line 31) | func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
method legacyProxyRules (line 157) | func (i *iptables) legacyProxyRules(tcpPorts, proxyPort, destSetName, sr...
FILE: controller/internal/supervisor/iptablesctrl/acls_windows.go
function getGrandparentPid (line 33) | func getGrandparentPid() (int, error) {
method aclSkipProto (line 60) | func (i *iptables) aclSkipProto(proto string) bool {
method legacyPuChainRules (line 64) | func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
method platformInit (line 69) | func (i *iptables) platformInit() error {
method addContainerChain (line 147) | func (i *iptables) addContainerChain(cfg *ACLInfo) error {
method deletePUChains (line 160) | func (i *iptables) deletePUChains(cfg *ACLInfo) error {
function makeTerminatingRuleFromPair (line 198) | func makeTerminatingRuleFromPair(aclRule1, aclRule2 []string) *winipt.Wi...
function processWindowsACLRule (line 250) | func processWindowsACLRule(table, _ string, winRuleSpec *winipt.WindowsR...
function transformACLRules (line 284) | func transformACLRules(aclRules [][]string, cfg *ACLInfo, rulesBucket *r...
method cleanACLs (line 364) | func (i *iptables) cleanACLs() error { // nolint
method cleanACLSection (line 386) | func (i *iptables) cleanACLSection(context, chainPrefix string) {
function generateUDPACLRule (line 421) | func generateUDPACLRule() []string {
function targetUDPNetworkClause (line 426) | func targetUDPNetworkClause(rule *aclIPset, targetUDPName string, ipMatc...
function connmarkUDPConnmarkClause (line 433) | func connmarkUDPConnmarkClause() []string {
FILE: controller/internal/supervisor/iptablesctrl/acls_windows_test.go
constant sampleTCPPorts (line 17) | sampleTCPPorts = "80,443"
constant sampleUDPPorts (line 18) | sampleUDPPorts = ""
function TestTransformACLRuleHost (line 21) | func TestTransformACLRuleHost(t *testing.T) {
function TestTransformACLRuleHostNet (line 138) | func TestTransformACLRuleHostNet(t *testing.T) {
function TestTransformACLRuleHostSvc (line 191) | func TestTransformACLRuleHostSvc(t *testing.T) {
function TestTransformACLRuleHostSvcNet (line 219) | func TestTransformACLRuleHostSvcNet(t *testing.T) {
function TestTransformACLRuleIcmp (line 274) | func TestTransformACLRuleIcmp(t *testing.T) {
FILE: controller/internal/supervisor/iptablesctrl/comparators.go
function testObserveContinue (line 5) | func testObserveContinue(p *policy.FlowPolicy) bool {
function testNotObserved (line 9) | func testNotObserved(p *policy.FlowPolicy) bool {
function testObserveApply (line 13) | func testObserveApply(p *policy.FlowPolicy) bool {
function testReject (line 17) | func testReject(p *policy.FlowPolicy) bool {
function testAccept (line 21) | func testAccept(p *policy.FlowPolicy) bool {
FILE: controller/internal/supervisor/iptablesctrl/constants_nonwindows.go
constant ipTableSectionOutput (line 6) | ipTableSectionOutput = "OUTPUT"
constant ipTableSectionPreRouting (line 7) | ipTableSectionPreRouting = "PREROUTING"
constant appPacketIPTableContext (line 8) | appPacketIPTableContext = "mangle"
constant netPacketIPTableContext (line 9) | netPacketIPTableContext = "mangle"
constant appProxyIPTableContext (line 10) | appProxyIPTableContext = "nat"
constant customQOSChainNFHook (line 12) | customQOSChainNFHook = "POSTROUTING"
constant customQOSChainTable (line 13) | customQOSChainTable = "mangle"
constant CustomQOSChain (line 15) | CustomQOSChain = "POST-CUSTOM-QOS"
FILE: controller/internal/supervisor/iptablesctrl/constants_windows.go
constant ipTableSectionOutput (line 6) | ipTableSectionOutput = "OUTPUT"
constant ipTableSectionPreRouting (line 7) | ipTableSectionPreRouting = "PREROUTING"
constant appPacketIPTableContext (line 8) | appPacketIPTableContext = "OUTPUT"
constant appProxyIPTableContext (line 9) | appProxyIPTableContext = "OUTPUT"
constant customQOSChainNFHook (line 10) | customQOSChainNFHook = "POSTROUTING"
constant customQOSChainTable (line 11) | customQOSChainTable = "mangle"
constant CustomQOSChain (line 13) | CustomQOSChain = "POST-CUSTOM-QOS"
constant netPacketIPTableContext (line 14) | netPacketIPTableContext = "INPUT"
FILE: controller/internal/supervisor/iptablesctrl/icmp_linux.go
function icmpRule (line 52) | func icmpRule(icmpTypeCode string, policyRestrictions []string) []string {
function getICMPv6 (line 57) | func getICMPv6() string {
function compileExprToBPF (line 82) | func compileExprToBPF(expr string) string {
function getBPFCode (line 94) | func getBPFCode(icmpTypeCode string, policyRestriction []string) string {
function generateExpr (line 107) | func generateExpr(icmpTypeCode string, policyRestriction []string) string {
function allowICMPv6 (line 209) | func allowICMPv6(cfg *ACLInfo) {
FILE: controller/internal/supervisor/iptablesctrl/icmp_linux_test.go
function Test_getICMPv6 (line 7) | func Test_getICMPv6(t *testing.T) {
function Test_generateExpr (line 23) | func Test_generateExpr(t *testing.T) {
FILE: controller/internal/supervisor/iptablesctrl/icmp_rhel6.go
function icmpRule (line 5) | func icmpRule(icmpTypeCode string, policyRestrictions []string) []string {
function allowICMPv6 (line 9) | func allowICMPv6(cfg *ACLInfo) {
FILE: controller/internal/supervisor/iptablesctrl/icmp_windows.go
function allowICMPv6 (line 10) | func allowICMPv6(cfg *ACLInfo) {
function icmpRule (line 14) | func icmpRule(icmpTypeCode string, policyRestrictions []string) []string {
FILE: controller/internal/supervisor/iptablesctrl/instance.go
constant IPV4 (line 21) | IPV4 = iota
constant IPV6 (line 23) | IPV6
type Instance (line 27) | type Instance struct
method SetTargetNetworks (line 37) | func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error {
method Run (line 51) | func (i *Instance) Run(ctx context.Context) error {
method ConfigureRules (line 68) | func (i *Instance) ConfigureRules(version int, contextID string, pu *p...
method DeleteRules (line 84) | func (i *Instance) DeleteRules(version int, contextID string, tcpPorts...
method UpdateRules (line 103) | func (i *Instance) UpdateRules(version int, contextID string, containe...
method CleanUp (line 118) | func (i *Instance) CleanUp() error {
method CreateCustomRulesChain (line 132) | func (i *Instance) CreateCustomRulesChain() error {
method ACLProvider (line 235) | func (i *Instance) ACLProvider() []provider.IptablesProvider {
function NewInstance (line 193) | func NewInstance(fqc fqconfig.FilterQueue, mode constants.ModeType, ipv6...
function newInstanceWithProviders (line 224) | func newInstanceWithProviders(iptv4 *iptables, iptv6 *iptables) (*Instan...
FILE: controller/internal/supervisor/iptablesctrl/ipsets.go
method updateTargetNetworks (line 14) | func (i *iptables) updateTargetNetworks(set provider.Ipset, old, new []s...
method createProxySets (line 42) | func (i *iptables) createProxySets(portSetName string) error {
method updateProxySet (line 59) | func (i *iptables) updateProxySet(policy *policy.PUPolicy, portSetName s...
method getSetNames (line 110) | func (i *iptables) getSetNames(portSetName string) (string, string) {
FILE: controller/internal/supervisor/iptablesctrl/iptables.go
constant mainAppChain (line 23) | mainAppChain = constants.ChainPrefix + "App"
constant mainNetChain (line 24) | mainNetChain = constants.ChainPrefix + "Net"
constant appChainPrefix (line 25) | appChainPrefix = constants.ChainPrefix + "App-"
constant netChainPrefix (line 26) | netChainPrefix = constants.ChainPrefix + "Net-"
constant natProxyOutputChain (line 27) | natProxyOutputChain = constants.ChainPrefix + "Redir-App"
constant natProxyInputChain (line 28) | natProxyInputChain = constants.ChainPrefix + "Redir-Net"
constant proxyOutputChain (line 29) | proxyOutputChain = constants.ChainPrefix + "Prx-App"
constant proxyInputChain (line 30) | proxyInputChain = constants.ChainPrefix + "Prx-Net"
constant istioChain (line 31) | istioChain = constants.ChainPrefix + "Istio"
constant TriremeInput (line 34) | TriremeInput = constants.ChainPrefix + "Pid-Net"
constant TriremeOutput (line 36) | TriremeOutput = constants.ChainPrefix + "Pid-App"
constant NetworkSvcInput (line 39) | NetworkSvcInput = constants.ChainPrefix + "Svc-Net"
constant NetworkSvcOutput (line 42) | NetworkSvcOutput = constants.ChainPrefix + "Svc-App"
constant HostModeInput (line 45) | HostModeInput = constants.ChainPrefix + "Hst-Net"
constant HostModeOutput (line 48) | HostModeOutput = constants.ChainPrefix + "Hst-App"
constant NfqueueOutput (line 50) | NfqueueOutput = constants.ChainPrefix + "Nfq-OUT"
constant NfqueueInput (line 52) | NfqueueInput = constants.ChainPrefix + "Nfq-IN"
constant IstioUID (line 55) | IstioUID = "1337"
constant IstioRedirPort (line 59) | IstioRedirPort = "15001"
type iptables (line 62) | type iptables struct
method SetTargetNetworks (line 95) | func (i *iptables) SetTargetNetworks(c *runtime.Configuration) error {
method Run (line 112) | func (i *iptables) Run(ctx context.Context) error {
method ConfigureRules (line 162) | func (i *iptables) ConfigureRules(version int, contextID string, pu *p...
method DeleteRules (line 213) | func (i *iptables) DeleteRules(version int, contextID string, tcpPorts...
method UpdateRules (line 265) | func (i *iptables) UpdateRules(version int, contextID string, containe...
method CleanUp (line 309) | func (i *iptables) CleanUp() error {
method initializeChains (line 325) | func (i *iptables) initializeChains() error {
method configureContainerRules (line 359) | func (i *iptables) configureContainerRules(cfg *ACLInfo) error {
method configureLinuxRules (line 364) | func (i *iptables) configureLinuxRules(cfg *ACLInfo) error {
method getACLIPSets (line 384) | func (i *iptables) getACLIPSets(ipRules policy.IPRuleList) []aclIPset {
method installRules (line 400) | func (i *iptables) installRules(cfg *ACLInfo, containerInfo *policy.PU...
method updateProxySet (line 455) | func (i *iptables) updateProxySet(contextID string, policy *policy.PUP...
type IPImpl (line 72) | type IPImpl interface
type ipFilter (line 81) | type ipFilter
function createIPInstance (line 83) | func createIPInstance(impl IPImpl, ipsetmanager ipsetmanager.IPSetManage...
type aclIPset (line 379) | type aclIPset struct
FILE: controller/internal/supervisor/iptablesctrl/iptablesV4_test.go
function TestNewInstanceV4 (line 27) | func TestNewInstanceV4(t *testing.T) {
function Test_NegativeConfigureRulesV4 (line 71) | func Test_NegativeConfigureRulesV4(t *testing.T) {
function Test_OperationWithLinuxServicesV4 (line 749) | func Test_OperationWithLinuxServicesV4(t *testing.T) {
function Test_OperationWithLinuxServicesV4Istio (line 1068) | func Test_OperationWithLinuxServicesV4Istio(t *testing.T) {
function Test_Extensions1V4 (line 1282) | func Test_Extensions1V4(t *testing.T) {
function Test_Extensions2V4 (line 1462) | func Test_Extensions2V4(t *testing.T) {
function Test_Extensions3V4 (line 1642) | func Test_Extensions3V4(t *testing.T) {
function Test_OperationNomatchIpsetsV4 (line 1822) | func Test_OperationNomatchIpsetsV4(t *testing.T) {
function Test_OperationNomatchIpsetsInExternalNetworksV4 (line 1896) | func Test_OperationNomatchIpsetsInExternalNetworksV4(t *testing.T) {
function Test_OperationWithContainersV4 (line 2391) | func Test_OperationWithContainersV4(t *testing.T) {
function Test_OperationWithContainersV4Istio (line 2567) | func Test_OperationWithContainersV4Istio(t *testing.T) {
function TestImplDefaultLock (line 2743) | func TestImplDefaultLock(t *testing.T) {
function TestImplWithLock (line 2752) | func TestImplWithLock(t *testing.T) {
function printTable (line 2763) | func printTable(t map[string]map[string][]string) {
FILE: controller/internal/supervisor/iptablesctrl/iptablesV6_test.go
function testICMPAllow (line 26) | func testICMPAllow() string {
function TestNewInstanceV6 (line 30) | func TestNewInstanceV6(t *testing.T) {
function Test_NegativeConfigureRulesV6 (line 61) | func Test_NegativeConfigureRulesV6(t *testing.T) {
function Test_OperationWithLinuxServicesV6 (line 359) | func Test_OperationWithLinuxServicesV6(t *testing.T) {
function Test_OperationNomatchIpsetsV6 (line 638) | func Test_OperationNomatchIpsetsV6(t *testing.T) {
function Test_OperationNomatchIpsetsInExternalNetworksV6 (line 688) | func Test_OperationNomatchIpsetsInExternalNetworksV6(t *testing.T) {
function Test_OperationWithContainersV6 (line 921) | func Test_OperationWithContainersV6(t *testing.T) {
function TestIpv6Disable (line 1099) | func TestIpv6Disable(t *testing.T) {
FILE: controller/internal/supervisor/iptablesctrl/iptables_linux_test.go
function createTestInstance (line 17) | func createTestInstance(ips ipsetmanager.IpsetProvider, iptv4 provider.I...
type baseIpt (line 37) | type baseIpt struct
method Append (line 40) | func (b *baseIpt) Append(table, chain string, rulespec ...string) erro...
method Insert (line 43) | func (b *baseIpt) Insert(table, chain string, pos int, rulespec ...str...
method Delete (line 46) | func (b *baseIpt) Delete(table, chain string, rulespec ...string) erro...
method ListChains (line 49) | func (b *baseIpt) ListChains(table string) ([]string, error) { return ...
method ClearChain (line 52) | func (b *baseIpt) ClearChain(table, chain string) error { return nil }
method DeleteChain (line 55) | func (b *baseIpt) DeleteChain(table, chain string) error { return nil }
method NewChain (line 58) | func (b *baseIpt) NewChain(table, chain string) error { return nil }
method ListRules (line 61) | func (b *baseIpt) ListRules(table, chain string) ([]string, error) { r...
type memoryIPSet (line 65) | type memoryIPSet struct
method Add (line 69) | func (m *memoryIPSet) Add(entry string, timeout int) error {
method AddOption (line 74) | func (m *memoryIPSet) AddOption(entry string, option string, timeout i...
method Del (line 82) | func (m *memoryIPSet) Del(entry string) error {
method Destroy (line 90) | func (m *memoryIPSet) Destroy() error {
method Flush (line 95) | func (m *memoryIPSet) Flush() error {
method Test (line 100) | func (m *memoryIPSet) Test(entry string) (bool, error) {
type memoryIPSetProvider (line 108) | type memoryIPSetProvider struct
method NewIpset (line 112) | func (m *memoryIPSetProvider) NewIpset(name string, hasht string, p *i...
method GetIpset (line 128) | func (m *memoryIPSetProvider) GetIpset(name string) ipsetmanager.Ipset {
method DestroyAll (line 132) | func (m *memoryIPSetProvider) DestroyAll(prefix string) error {
method ListIPSets (line 142) | func (m *memoryIPSetProvider) ListIPSets() ([]string, error) {
FILE: controller/internal/supervisor/iptablesctrl/iptables_rhel6_test.go
function testICMPAllow (line 21) | func testICMPAllow() string {
function Test_Rhel6ConfigureRulesV4 (line 332) | func Test_Rhel6ConfigureRulesV4(t *testing.T) {
function Test_Rhel6ConfigureRulesV6 (line 952) | func Test_Rhel6ConfigureRulesV6(t *testing.T) {
FILE: controller/internal/supervisor/iptablesctrl/iptables_windows_test.go
constant errInvalidParameter (line 27) | errInvalidParameter = syscall.Errno(0xC000000D)
constant errInsufficientBuffer (line 28) | errInsufficientBuffer = syscall.Errno(122)
constant errAlreadyExists (line 29) | errAlreadyExists = syscall.Errno(183)
type abi (line 32) | type abi struct
method FrontmanOpenShared (line 41) | func (a *abi) FrontmanOpenShared() (uintptr, error) {
method GetDestInfo (line 45) | func (a *abi) GetDestInfo(driverHandle, socket, destInfo uintptr) (uin...
method ApplyDestHandle (line 49) | func (a *abi) ApplyDestHandle(socket, destHandle uintptr) (uintptr, er...
method FreeDestHandle (line 53) | func (a *abi) FreeDestHandle(destHandle uintptr) (uintptr, error) {
method NewIpset (line 57) | func (a *abi) NewIpset(driverHandle, name, ipsetType, ipset uintptr) (...
method GetIpset (line 73) | func (a *abi) GetIpset(driverHandle, name, ipset uintptr) (uintptr, er...
method DestroyAllIpsets (line 90) | func (a *abi) DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr,...
method ListIpsets (line 111) | func (a *abi) ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, byt...
method IpsetAdd (line 140) | func (a *abi) IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (u...
method IpsetAddOption (line 144) | func (a *abi) IpsetAddOption(driverHandle, ipset, entry, option, timeo...
method IpsetDelete (line 176) | func (a *abi) IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr...
method IpsetDestroy (line 206) | func (a *abi) IpsetDestroy(driverHandle, ipset uintptr) (uintptr, erro...
method IpsetFlush (line 219) | func (a *abi) IpsetFlush(driverHandle, ipset uintptr) (uintptr, error) {
method IpsetTest (line 231) | func (a *abi) IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, ...
method PacketFilterStart (line 254) | func (a *abi) PacketFilterStart(frontman, firewallName, receiveCallbac...
method PacketFilterClose (line 258) | func (a *abi) PacketFilterClose() (uintptr, error) {
method PacketFilterForward (line 262) | func (a *abi) PacketFilterForward(info, packet uintptr) (uintptr, erro...
method AppendFilter (line 266) | func (a *abi) AppendFilter(driverHandle, outbound, filterName, isGotoF...
method InsertFilter (line 270) | func (a *abi) InsertFilter(driverHandle, outbound, priority, filterNam...
method DestroyFilter (line 281) | func (a *abi) DestroyFilter(driverHandle, filterName uintptr) (uintptr...
method EmptyFilter (line 292) | func (a *abi) EmptyFilter(driverHandle, filterName uintptr) (uintptr, ...
method GetFilterList (line 303) | func (a *abi) GetFilterList(driverHandle, outbound, buffer, bufferSize...
method AppendFilterCriteria (line 332) | func (a *abi) AppendFilterCriteria(driverHandle, filterName, criteriaN...
method DeleteFilterCriteria (line 348) | func (a *abi) DeleteFilterCriteria(driverHandle, filterName, criteriaN...
method ListIpsetsDetail (line 364) | func (a *abi) ListIpsetsDetail(driverHandle, format, ipsetNames, ipset...
method GetCriteriaList (line 368) | func (a *abi) GetCriteriaList(driverHandle, format, criteriaList, crit...
function Test_WindowsNomatchIpsets (line 372) | func Test_WindowsNomatchIpsets(t *testing.T) {
function Test_WindowsNomatchIpsetsInExternalNetworks (line 456) | func Test_WindowsNomatchIpsetsInExternalNetworks(t *testing.T) {
function newFilterQueueWithDefaults (line 675) | func newFilterQueueWithDefaults() fqconfig.FilterQueue {
function Test_WindowsConfigureRulesV4 (line 679) | func Test_WindowsConfigureRulesV4(t *testing.T) {
function Test_WindowsConfigureRulesV6 (line 812) | func Test_WindowsConfigureRulesV6(t *testing.T) {
function Test_WindowsConfigureRulesManagedByCns (line 927) | func Test_WindowsConfigureRulesManagedByCns(t *testing.T) {
FILE: controller/internal/supervisor/iptablesctrl/ipv4.go
constant IPv4DefaultIP (line 15) | IPv4DefaultIP = "0.0.0.0/0"
type ipv4 (line 20) | type ipv4 struct
method IPVersion (line 39) | func (i *ipv4) IPVersion() int {
method IPFilter (line 43) | func (i *ipv4) IPFilter() func(net.IP) bool {
method GetDefaultIP (line 51) | func (i *ipv4) GetDefaultIP() string {
method NeedICMP (line 55) | func (i *ipv4) NeedICMP() bool {
method ProtocolAllowed (line 59) | func (i *ipv4) ProtocolAllowed(proto string) bool {
method Append (line 64) | func (i *ipv4) Append(table, chain string, rulespec ...string) error {
method Insert (line 68) | func (i *ipv4) Insert(table, chain string, pos int, rulespec ...string...
method ListChains (line 72) | func (i *ipv4) ListChains(table string) ([]string, error) {
method ClearChain (line 76) | func (i *ipv4) ClearChain(table, chain string) error {
method DeleteChain (line 80) | func (i *ipv4) DeleteChain(table, chain string) error {
method NewChain (line 84) | func (i *ipv4) NewChain(table, chain string) error {
method Commit (line 88) | func (i *ipv4) Commit() error {
method Delete (line 92) | func (i *ipv4) Delete(table, chain string, rulespec ...string) error {
method RetrieveTable (line 96) | func (i *ipv4) RetrieveTable() map[string]map[string][]string {
method ResetRules (line 100) | func (i *ipv4) ResetRules(subs string) error {
method ListRules (line 104) | func (i *ipv4) ListRules(table, chain string) ([]string, error) {
function init (line 24) | func init() {
function GetIPv4Impl (line 30) | func GetIPv4Impl() (IPImpl, error) {
FILE: controller/internal/supervisor/iptablesctrl/ipv6.go
constant IPv6DefaultIP (line 14) | IPv6DefaultIP = "::/0"
type ipv6 (line 17) | type ipv6 struct
method IPVersion (line 28) | func (i *ipv6) IPVersion() int {
method IPFilter (line 32) | func (i *ipv6) IPFilter() func(net.IP) bool {
method GetDefaultIP (line 40) | func (i *ipv6) GetDefaultIP() string {
method NeedICMP (line 44) | func (i *ipv6) NeedICMP() bool {
method ProtocolAllowed (line 48) | func (i *ipv6) ProtocolAllowed(proto string) bool {
method Append (line 52) | func (i *ipv6) Append(table, chain string, rulespec ...string) error {
method Insert (line 60) | func (i *ipv6) Insert(table, chain string, pos int, rulespec ...string...
method ListChains (line 68) | func (i *ipv6) ListChains(table string) ([]string, error) {
method ClearChain (line 76) | func (i *ipv6) ClearChain(table, chain string) error {
method DeleteChain (line 84) | func (i *ipv6) DeleteChain(table, chain string) error {
method NewChain (line 92) | func (i *ipv6) NewChain(table, chain string) error {
method Commit (line 100) | func (i *ipv6) Commit() error {
method Delete (line 108) | func (i *ipv6) Delete(table, chain string, rulespec ...string) error {
method RetrieveTable (line 116) | func (i *ipv6) RetrieveTable() map[string]map[string][]string {
method ResetRules (line 120) | func (i *ipv6) ResetRules(subs string) error {
method ListRules (line 128) | func (i *ipv6) ListRules(table, chain string) ([]string, error) {
function init (line 24) | func init() {
FILE: controller/internal/supervisor/iptablesctrl/ipv6_nonwindows.go
function GetIPv6Impl (line 11) | func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error) {
FILE: controller/internal/supervisor/iptablesctrl/ipv6_windows.go
function GetIPv6Impl (line 11) | func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error) {
FILE: controller/internal/supervisor/iptablesctrl/legacyacls.go
method legacyPuChainRules (line 14) | func (i *iptables) legacyPuChainRules(contextID, appChain string, netCha...
method legacyProxyRules (line 126) | func (i *iptables) legacyProxyRules(tcpPorts string, proxyPort string, p...
FILE: controller/internal/supervisor/iptablesctrl/portset.go
method getPortSet (line 10) | func (i *iptables) getPortSet(contextID string) string {
method createPortSet (line 21) | func (i *iptables) createPortSet(contextID string, username string) error {
method deletePortSet (line 47) | func (i *iptables) deletePortSet(contextID string) error {
method DeletePortFromPortSet (line 71) | func (i *iptables) DeletePortFromPortSet(contextID string, port string) ...
method DeletePortFromPortSet (line 87) | func (i *Instance) DeletePortFromPortSet(contextID string, port string) ...
method AddPortToPortSet (line 101) | func (i *iptables) AddPortToPortSet(contextID string, port string) error {
method AddPortToPortSet (line 116) | func (i *Instance) AddPortToPortSet(contextID string, port string) error {
FILE: controller/internal/supervisor/iptablesctrl/templates.go
function extractRulesFromTemplate (line 23) | func extractRulesFromTemplate(tmpl *template.Template, data interface{})...
type ACLInfo (line 50) | type ACLInfo struct
function chainName (line 142) | func chainName(contextID string, version int) (app, net string, err erro...
method newACLInfo (line 161) | func (i *iptables) newACLInfo(version int, contextID string, p *policy.P...
FILE: controller/internal/supervisor/iptablesctrl/templates_test.go
function TestChainName (line 11) | func TestChainName(t *testing.T) {
FILE: controller/internal/supervisor/mocksupervisor/mocksupervisor.go
type MockSupervisor (line 20) | type MockSupervisor struct
method EXPECT (line 41) | func (m *MockSupervisor) EXPECT() *MockSupervisorMockRecorder {
method Supervise (line 47) | func (m *MockSupervisor) Supervise(contextID string, puInfo *policy.PU...
method Unsupervise (line 63) | func (m *MockSupervisor) Unsupervise(contextID string) error {
method Run (line 79) | func (m *MockSupervisor) Run(ctx context.Context) error {
method SetTargetNetworks (line 95) | func (m *MockSupervisor) SetTargetNetworks(cfg *runtime.Configuration)...
method CleanUp (line 111) | func (m *MockSupervisor) CleanUp() error {
method EnableIPTablesPacketTracing (line 127) | func (m *MockSupervisor) EnableIPTablesPacketTracing(ctx context.Conte...
type MockSupervisorMockRecorder (line 27) | type MockSupervisorMockRecorder struct
method Supervise (line 56) | func (mr *MockSupervisorMockRecorder) Supervise(contextID, puInfo inte...
method Unsupervise (line 72) | func (mr *MockSupervisorMockRecorder) Unsupervise(contextID interface{...
method Run (line 88) | func (mr *MockSupervisorMockRecorder) Run(ctx interface{}) *gomock.Call {
method SetTargetNetworks (line 104) | func (mr *MockSupervisorMockRecorder) SetTargetNetworks(cfg interface{...
method CleanUp (line 120) | func (mr *MockSupervisorMockRecorder) CleanUp() *gomock.Call {
method EnableIPTablesPacketTracing (line 136) | func (mr *MockSupervisorMockRecorder) EnableIPTablesPacketTracing(ctx,...
function NewMockSupervisor (line 33) | func NewMockSupervisor(ctrl *gomock.Controller) *MockSupervisor {
type MockImplementor (line 143) | type MockImplementor struct
method EXPECT (line 164) | func (m *MockImplementor) EXPECT() *MockImplementorMockRecorder {
method ConfigureRules (line 170) | func (m *MockImplementor) ConfigureRules(version int, contextID string...
method UpdateRules (line 186) | func (m *MockImplementor) UpdateRules(version int, contextID string, c...
method DeleteRules (line 202) | func (m *MockImplementor) DeleteRules(version int, context, tcpPorts, ...
method SetTargetNetworks (line 218) | func (m *MockImplementor) SetTargetNetworks(cfg *runtime.Configuration...
method Run (line 234) | func (m *MockImplementor) Run(ctx context.Context) error {
method CleanUp (line 250) | func (m *MockImplementor) CleanUp() error {
method ACLProvider (line 266) | func (m *MockImplementor) ACLProvider() []provider.IptablesProvider {
method CreateCustomRulesChain (line 282) | func (m *MockImplementor) CreateCustomRulesChain() error {
type MockImplementorMockRecorder (line 150) | type MockImplementorMockRecorder struct
method ConfigureRules (line 179) | func (mr *MockImplementorMockRecorder) ConfigureRules(version, context...
method UpdateRules (line 195) | func (mr *MockImplementorMockRecorder) UpdateRules(version, contextID,...
method DeleteRules (line 211) | func (mr *MockImplementorMockRecorder) DeleteRules(version, context, t...
method SetTargetNetworks (line 227) | func (mr *MockImplementorMockRecorder) SetTargetNetworks(cfg interface...
method Run (line 243) | func (mr *MockImplementorMockRecorder) Run(ctx interface{}) *gomock.Ca...
method CleanUp (line 259) | func (mr *MockImplementorMockRecorder) CleanUp() *gomock.Call {
method ACLProvider (line 275) | func (mr *MockImplementorMockRecorder) ACLProvider() *gomock.Call {
method CreateCustomRulesChain (line 291) | func (mr *MockImplementorMockRecorder) CreateCustomRulesChain() *gomoc...
function NewMockImplementor (line 156) | func NewMockImplementor(ctrl *gomock.Controller) *MockImplementor {
FILE: controller/internal/supervisor/noop/supervisornoop.go
type NoopSupervisor (line 15) | type NoopSupervisor struct
method Supervise (line 18) | func (s *NoopSupervisor) Supervise(contextID string, puInfo *policy.PU...
method Unsupervise (line 24) | func (s *NoopSupervisor) Unsupervise(contextID string) error {
method SetTargetNetworks (line 30) | func (s *NoopSupervisor) SetTargetNetworks(cfg *runtime.Configuration)...
method CleanUp (line 35) | func (s *NoopSupervisor) CleanUp() error {
method Run (line 40) | func (s *NoopSupervisor) Run(ctx context.Context) error {
method EnableIPTablesPacketTracing (line 45) | func (s *NoopSupervisor) EnableIPTablesPacketTracing(ctx context.Conte...
function NewNoopSupervisor (line 50) | func NewNoopSupervisor() *NoopSupervisor {
FILE: controller/internal/supervisor/supervisor.go
type cacheData (line 26) | type cacheData struct
type Config (line 37) | type Config struct
method Run (line 100) | func (s *Config) Run(ctx context.Context) error {
method Supervise (line 122) | func (s *Config) Supervise(contextID string, pu *policy.PUInfo) error {
method Unsupervise (line 140) | func (s *Config) Unsupervise(contextID string) error {
method CleanUp (line 168) | func (s *Config) CleanUp() error {
method SetTargetNetworks (line 176) | func (s *Config) SetTargetNetworks(cfg *runtime.Configuration) error {
method ACLProvider (line 187) | func (s *Config) ACLProvider() []provider.IptablesProvider {
method doCreatePU (line 191) | func (s *Config) doCreatePU(contextID string, pu *policy.PUInfo) error {
method doUpdatePU (line 242) | func (s *Config) doUpdatePU(contextID string, pu *policy.PUInfo) error {
method EnableIPTablesPacketTracing (line 295) | func (s *Config) EnableIPTablesPacketTracing(ctx context.Context, cont...
function NewSupervisor (line 57) | func NewSupervisor(
function debugRules (line 332) | func debugRules(data *cacheData, mode constants.ModeType) [][]string {
FILE: controller/internal/supervisor/supervisor_test.go
function newSupervisor (line 32) | func newSupervisor(
function createPUInfo (line 46) | func createPUInfo() *policy.PUInfo {
function newFilterQueueWithDefaults (line 97) | func newFilterQueueWithDefaults() fqconfig.FilterQueue {
function newWithDefaults (line 102) | func newWithDefaults(
function TestNewSupervisor (line 145) | func TestNewSupervisor(t *testing.T) {
function TestSupervise (line 188) | func TestSupervise(t *testing.T) {
function TestUnsupervise (line 268) | func TestUnsupervise(t *testing.T) {
function TestStart (line 318) | func TestStart(t *testing.T) {
function TestStop (line 364) | func TestStop(t *testing.T) {
function TestEnableIPTablesPacketTracing (line 400) | func TestEnableIPTablesPacketTracing(t *testing.T) {
function TestDebugRules (line 453) | func TestDebugRules(t *testing.T) {
FILE: controller/internal/windows/rulespec_windows.go
type WindowsRuleRange (line 21) | type WindowsRuleRange struct
method Equal (line 805) | func (w *WindowsRuleRange) Equal(other *WindowsRuleRange) bool {
type WindowsRuleIcmpMatch (line 27) | type WindowsRuleIcmpMatch struct
method Equal (line 813) | func (w *WindowsRuleIcmpMatch) Equal(other *WindowsRuleIcmpMatch) bool {
type WindowsRuleMatchSet (line 34) | type WindowsRuleMatchSet struct
method Equal (line 792) | func (w *WindowsRuleMatchSet) Equal(other *WindowsRuleMatchSet) bool {
type WindowsRuleSpec (line 44) | type WindowsRuleSpec struct
method Equal (line 834) | func (w *WindowsRuleSpec) Equal(other *WindowsRuleSpec) bool {
function MakeRuleSpecText (line 73) | func MakeRuleSpecText(winRuleSpec *WindowsRuleSpec, validate bool) (stri...
function ParsePortString (line 218) | func ParsePortString(portString string) ([]*WindowsRuleRange, error) {
function ReduceIcmpProtoString (line 252) | func ReduceIcmpProtoString(icmpProtoTypeCode string, policyRestrictions ...
function TransformIcmpProtoString (line 405) | func TransformIcmpProtoString(icmpProtoTypeCode string) []string {
function GetIcmpNoMatch (line 418) | func GetIcmpNoMatch() []string {
function ParseIcmpTypeCode (line 424) | func ParseIcmpTypeCode(icmpTypeCo
Condensed preview — 549 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (4,469K chars).
[
{
"path": ".github/ISSUE_TEMPLATE.md",
"chars": 407,
"preview": "#### Actual behavior\n*Description of the actual behavior.*\n\n#### Expected behavior\n*Description of the expected behavior"
},
{
"path": ".github/PULL_REQUEST_TEMPLATE.md",
"chars": 154,
"preview": "#### Description\n*Changes proposed in this pull request.*\n\n#### Test plan\n*Outline the test plan used to test this chang"
},
{
"path": ".gitignore",
"chars": 122,
"preview": ".DS_Store\nexample/example\nvendor\ncoverage.txt\ncontroller/internal/processmon/testbinary/testbinary\nGopkg.lock\nprofile.ou"
},
{
"path": ".lint.windows.sh",
"chars": 826,
"preview": "#!/usr/bin/env bash\n\n# goimports and gofmt complain about cr-lf line endings, so don't run them on \n#\ta Windows machine "
},
{
"path": ".test.sh",
"chars": 989,
"preview": "#!/usr/bin/env bash\n\nset -e\necho \"\" > coverage.txt\n\n./mockgen.sh\n./fix_bpf\n\n## FIX ME. go1.14 automatically enables unsa"
},
{
"path": ".test.windows.sh",
"chars": 594,
"preview": "#!/usr/bin/env bash\n\n# use wine to execute if not running tests on a Windows machine\nOS=`uname -s`\nif [[ $OS == *\"NT-\"* "
},
{
"path": ".travis.yml",
"chars": 1302,
"preview": "language: go\nsudo: required\ndist: bionic\n\ngo_import_path: go.aporeto.io/trireme-lib\n\nmatrix:\n include:\n - go: \"1.13."
},
{
"path": "CONTRIBUTING.md",
"chars": 9313,
"preview": "Contributing\n------------\n\nAs an open source project, your contributions are important to the future of Trireme. Whether"
},
{
"path": "Gopkg.toml",
"chars": 1840,
"preview": "required = [\"github.com/docker/distribution\"]\n\n[[constraint]]\n branch = \"master\"\n name = \"github.com/aporeto-inc/go-ip"
},
{
"path": "LICENSE",
"chars": 11357,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "Makefile",
"chars": 518,
"preview": "\n## all: default is to show the help text\n.PHONY: all help\nall: help\n\nci: test lint\n\n## vet: run go vet on the source\nve"
},
{
"path": "NOTICE",
"chars": 133,
"preview": "\nTrirem Project - \n\nCopyright (c) 2016 Aporeto, Inc. All Rights Reserved\n\nThis product includes software developed at A"
},
{
"path": "README.md",
"chars": 11659,
"preview": "# Trireme\n\n<img src=\"docs/trireme.png\" width=\"400\">\n\n[![Build Status](https://travis-ci.org/aporeto-inc/trireme-lib.svg?"
},
{
"path": "buildflags/buildflags.go",
"chars": 409,
"preview": "// +build !rhel6\n\npackage buildflags\n\n// Distro constants\nconst (\n\tRhel6 = \"\"\n\tRhel5 = \"\"\n)\n\n// IsRHEL6 returns true if "
},
{
"path": "buildflags/buildflags_rhel.go",
"chars": 416,
"preview": "// +build rhel6\n\npackage buildflags\n\n// Distro constants\nconst (\n\tRhel6 = \"rhel6\"\n\tRhel5 = \"rhel5\"\n)\n\n// IsRHEL6 returns"
},
{
"path": "cmd/systemdutil/exec.go",
"chars": 317,
"preview": "// +build !windows\n\npackage systemdutil\n\nimport (\n\t\"syscall\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/common\"\n)\n\nfunc exec"
},
{
"path": "cmd/systemdutil/exec_windows.go",
"chars": 434,
"preview": "package systemdutil\n\nimport (\n\t\"os\"\n\t\"os/exec\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/common\"\n)\n\n// execve does not exis"
},
{
"path": "cmd/systemdutil/systemdutil.go",
"chars": 10418,
"preview": "package systemdutil\n\nimport (\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path\"\n\t\"regexp\"\n\t\"strings\"\n\n\t\"go.apore"
},
{
"path": "collector/default.go",
"chars": 3793,
"preview": "package collector\n\nimport (\n\t\"encoding/binary\"\n\n\t\"github.com/cespare/xxhash\"\n\t\"go.aporeto.io/underwater/core/policy/serv"
},
{
"path": "collector/default_test.go",
"chars": 2920,
"preview": "package collector\n\nimport (\n\t\"testing\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/policy\"\n)\n\nfunc TestStatsUserHash(t *testi"
},
{
"path": "collector/interfaces.go",
"chars": 9665,
"preview": "package collector\n\nimport (\n\t\"fmt\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing\"\n\t\"go.apo"
},
{
"path": "collector/mockcollector/mockcollector.go",
"chars": 6157,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: collector/interfaces.go\n\n// Package mockcollector is a generated G"
},
{
"path": "common/events.go",
"chars": 4388,
"preview": "package common\n\nimport (\n\t\"context\"\n)\n\n// TriremeSocket is the standard API server Trireme socket path\n// it is set via "
},
{
"path": "common/hooks.go",
"chars": 570,
"preview": "package common\n\n// Values for hook methods\nconst (\n\tMetadataHookPolicy = \"metadata:policy\"\n\tMetadataHookHealth "
},
{
"path": "common/oauthtokens.go",
"chars": 692,
"preview": "package common\n\nimport (\n\t\"context\"\n\t\"time\"\n)\n\n// ServiceTokenType is the type of the token.\ntype ServiceTokenType strin"
},
{
"path": "common/service.go",
"chars": 1761,
"preview": "package common\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet\"\n\t\"go.aporeto.io/enforcerd/trireme-"
},
{
"path": "controller/config.go",
"chars": 8877,
"preview": "package controller\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/blang/semver\"\n\t\"go.aporeto.io/enforcerd/tri"
},
{
"path": "controller/config_nonwindows.go",
"chars": 939,
"preview": "// +build !windows\n\npackage controller\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/constants\"\n\t\"go.aporet"
},
{
"path": "controller/config_windows.go",
"chars": 273,
"preview": "// +build windows\n\npackage controller\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor\"\n)\n"
},
{
"path": "controller/constants/constants.go",
"chars": 7598,
"preview": "package constants\n\nimport (\n\t\"path/filepath\"\n\t\"time\"\n)\n\nconst (\n\t// DefaultProcMountPoint The default proc mountpoint\n\tD"
},
{
"path": "controller/constants/constants_nonrhel6.go",
"chars": 121,
"preview": "// +build !rhel6\n\npackage constants\n\n// IpsetBinaryName is the ipset binary name\nconst IpsetBinaryName = \"aporeto-ipset\""
},
{
"path": "controller/constants/constants_rhel6.go",
"chars": 130,
"preview": "// +build rhel6\n\npackage constants\n\n// IpsetBinaryName is the (system) ipset binary name on RHEL6\nconst IpsetBinaryName "
},
{
"path": "controller/constants/constants_test.go",
"chars": 1050,
"preview": "package constants\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc TestConfigureRemoteEnforcerPath(t *testing.T) {\n\targ := "
},
{
"path": "controller/controller.go",
"chars": 13973,
"preview": "package controller\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collect"
},
{
"path": "controller/helpers.go",
"chars": 1718,
"preview": "package controller\n\nimport (\n\t\"context\"\n\n\t\"github.com/blang/semver\"\n\tenforcerconstants \"go.aporeto.io/enforcerd/trireme-"
},
{
"path": "controller/interfaces.go",
"chars": 2620,
"preview": "package controller\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing\"\n\t\"g"
},
{
"path": "controller/internal/enforcer/acls/acl.go",
"chars": 6759,
"preview": "package acls\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"reflect\"\n\t\"strings\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/c"
},
{
"path": "controller/internal/enforcer/acls/acl_test.go",
"chars": 18187,
"preview": "package acls\n\nimport (\n\t\"net\"\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/convey\"\n\t\"go.aporeto.io/enforcerd/trirem"
},
{
"path": "controller/internal/enforcer/acls/aclcache.go",
"chars": 3435,
"preview": "package acls\n\nimport (\n\t\"errors\"\n\t\"net\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/policy\"\n)\n\n// ACLCache holds all the ACLS"
},
{
"path": "controller/internal/enforcer/acls/aclcache_test.go",
"chars": 11892,
"preview": "// +build !windows\n\npackage acls\n\nimport (\n\t\"net\"\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/convey\"\n\t\"go.aporeto"
},
{
"path": "controller/internal/enforcer/acls/icmpacl.go",
"chars": 2754,
"preview": "package acls\n\nimport (\n\t\"net\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/policy\"\n)\n\ntype icmpRule stru"
},
{
"path": "controller/internal/enforcer/acls/ports.go",
"chars": 2041,
"preview": "package acls\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/policy\"\n)\n\n// ErrNo"
},
{
"path": "controller/internal/enforcer/acls/ports_test.go",
"chars": 8469,
"preview": "// +build !windows\n\npackage acls\n\nimport (\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/convey\"\n\t\"go.aporeto.io/enf"
},
{
"path": "controller/internal/enforcer/acls/utils.go",
"chars": 1176,
"preview": "package acls\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"strconv\"\n\t\"strings\"\n)\n\n// Address is a parsed IP address or CIDR\ntype Address str"
},
{
"path": "controller/internal/enforcer/acls/utils_test.go",
"chars": 2137,
"preview": "package acls\n\nimport (\n\t\"net\"\n\t\"reflect\"\n\t\"testing\"\n)\n\nfunc TestParseAddress(t *testing.T) {\n\tipv4 := net.ParseIP(\"192.0"
},
{
"path": "controller/internal/enforcer/apiauth/apiauth.go",
"chars": 14659,
"preview": "package apiauth\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/tri"
},
{
"path": "controller/internal/enforcer/apiauth/apiauth_test.go",
"chars": 25605,
"preview": "// +build !windows\n\npackage apiauth\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"testing\"\n\t"
},
{
"path": "controller/internal/enforcer/apiauth/types.go",
"chars": 3216,
"preview": "package apiauth\n\nimport (\n\t\"crypto/tls\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n"
},
{
"path": "controller/internal/enforcer/applicationproxy/applicationproxy.go",
"chars": 14031,
"preview": "package applicationproxy\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"strconv\"\n\t\"sync\"\n\n\t"
},
{
"path": "controller/internal/enforcer/applicationproxy/common/common.go",
"chars": 1092,
"preview": "package common\n\nimport (\n\t\"crypto/x509/pkix\"\n\t\"encoding/asn1\"\n\t\"net\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/policy\"\n)\n\n/"
},
{
"path": "controller/internal/enforcer/applicationproxy/http/error_handler.go",
"chars": 1632,
"preview": "package httpproxy\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"net\"\n\t\"net/http\"\n)\n\nconst (\n\t// TriremeBadGatewayText is the message to s"
},
{
"path": "controller/internal/enforcer/applicationproxy/http/http.go",
"chars": 32872,
"preview": "package httpproxy\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"n"
},
{
"path": "controller/internal/enforcer/applicationproxy/http/ping_http.go",
"chars": 6513,
"preview": "package httpproxy\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collecto"
},
{
"path": "controller/internal/enforcer/applicationproxy/http/transport.go",
"chars": 1078,
"preview": "package httpproxy\n\nimport (\n\t\"net/http\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/flowstats\"\n)"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/mark_linux.go",
"chars": 1303,
"preview": "// +build linux\n\npackage markedconn\n\nimport (\n\t\"net\"\n\t\"syscall\"\n\n\t\"go.uber.org/zap\"\n)\n\nfunc makeListenerConfig(mark int)"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/mark_windows.go",
"chars": 752,
"preview": "// +build windows\n\npackage markedconn\n\nimport (\n\t\"net\"\n\t\"syscall\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/utils/frontman\""
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/markedconn.go",
"chars": 6100,
"preview": "// +build linux windows\n\npackage markedconn\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"go.aporeto.io/enfor"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/markedconn_darwin.go",
"chars": 3284,
"preview": "// +build darwin\n\npackage markedconn\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"syscall\"\n\n\t\"go.aporeto.io/enforcerd/trireme-li"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/markedconn_test.go",
"chars": 3965,
"preview": "// +build linux\n\npackage markedconn\n\nimport (\n\t\"context\"\n\t\"encoding/binary\"\n\t\"net\"\n\t\"syscall\"\n\t\"testing\"\n\t\"unsafe\"\n\n\t\"gi"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/markedconn_windows_test.go",
"chars": 5681,
"preview": "// +build windows\n\npackage markedconn\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"syscall\"\n\t\"testing\"\n\t\"unsafe\"\n\n\t\"github.com/magic"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/origdest_linux.go",
"chars": 2262,
"preview": "// +build linux\n\npackage markedconn\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"syscall\"\n\t\"unsafe\"\n)\n\nconst (\n\tsockOptOriginalDst = 80\n)\n\n"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/origdest_windows.go",
"chars": 1300,
"preview": "// +build windows\n\npackage markedconn\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/utils/frontman\"\n\t\"g"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/platformdata.go",
"chars": 856,
"preview": "// +build !windows\n\npackage markedconn\n\nimport (\n\t\"net\"\n)\n\n// PlatformDataControl dummy impl\n// PlatformDataControl is o"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/platformdata_test.go",
"chars": 3296,
"preview": "// +build windows\n\npackage markedconn\n\nimport (\n\t\"net\"\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/convey\"\n)\n\nfunc"
},
{
"path": "controller/internal/enforcer/applicationproxy/markedconn/platformdata_windows.go",
"chars": 2263,
"preview": "// +build windows\n\npackage markedconn\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"sync\"\n)\n\n// PlatformDataControl is for Windows.\n// For p"
},
{
"path": "controller/internal/enforcer/applicationproxy/pingrequest/pingrequest.go",
"chars": 2320,
"preview": "package pingrequest\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"errors\"\n\t\"net/http\"\n\n\t\"github.com/vmihailenco/msgpack\"\n\t\"go.aporeto.io"
},
{
"path": "controller/internal/enforcer/applicationproxy/protomux/protomux.go",
"chars": 6209,
"preview": "package protomux\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/in"
},
{
"path": "controller/internal/enforcer/applicationproxy/protomux/protomux_test.go",
"chars": 340,
"preview": "// +build !windows\n\npackage protomux\n\nimport (\n\t\"testing\"\n\n\t\"github.com/magiconair/properties/assert\"\n)\n\nfunc TestNetwor"
},
{
"path": "controller/internal/enforcer/applicationproxy/servicecache/servicecache.go",
"chars": 6358,
"preview": "package servicecache\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"sync\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/common\"\n\t\"go.aporeto.io/enfo"
},
{
"path": "controller/internal/enforcer/applicationproxy/servicecache/servicecache_test.go",
"chars": 8158,
"preview": "// +build !windows\n\npackage servicecache\n\nimport (\n\t\"net\"\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/convey\"\n\t\"go"
},
{
"path": "controller/internal/enforcer/applicationproxy/serviceregistry/serviceregistry.go",
"chars": 11704,
"preview": "package serviceregistry\n\nimport (\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"net\"\n\t\"sync\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller"
},
{
"path": "controller/internal/enforcer/applicationproxy/serviceregistry/serviceregistry_test.go",
"chars": 10210,
"preview": "// +build !windows\n\npackage serviceregistry\n\nimport (\n\t\"net\"\n\t\"testing\"\n\t\"time\"\n\n\t. \"github.com/smartystreets/goconvey/c"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/lookup.go",
"chars": 7613,
"preview": "package tcp\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"strconv\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n\t\"go.aporeto.io/enforce"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/ping_tcp.go",
"chars": 8110,
"preview": "package tcp\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"time\"\n\n\t\"g"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/tcp.go",
"chars": 16515,
"preview": "package tcp\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"io\"\n\t\"net\"\n\t\"sync\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github.c"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/tcp_test.go",
"chars": 5617,
"preview": "package tcp\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"log\"\n\t\"reflect\"\n\t\"testing\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/c"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/generate-certs.sh",
"chars": 1698,
"preview": "#!/bin/bash\n\n# This files generates new certs if the generated certs expire. We cant use openssl as this has aporeto ext"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myca-cert.pem",
"chars": 558,
"preview": "-----BEGIN CERTIFICATE-----\nMIIBcDCCARWgAwIBAgIQWzOkU1NT1yBh8UFbjCAo5zAKBggqhkjOPQQDAjAeMQ0w\nCwYDVQQKEwRhY21lMQ0wCwYDVQQ"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myclient-bad-cert.pem",
"chars": 648,
"preview": "-----BEGIN CERTIFICATE-----\nMIIBsjCCAVigAwIBAgIRAKXo6pjvtuJSeCQrXdRtLYUwCgYIKoZIzj0EAwIwHjEN\nMAsGA1UEChMEYWNtZTENMAsGA1U"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myclient-dns-cert.pem",
"chars": 721,
"preview": "-----BEGIN CERTIFICATE-----\nMIIB5zCCAY2gAwIBAgIRANny7E6cG8+6zqSZfqwnz/QwCgYIKoZIzj0EAwIwHjEN\nMAsGA1UEChMEYWNtZTENMAsGA1U"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myclient-ip-cert.pem",
"chars": 700,
"preview": "-----BEGIN CERTIFICATE-----\nMIIB2TCCAX+gAwIBAgIRANWzODJFxt9yZ5VPKV6ZDu8wCgYIKoZIzj0EAwIwHjEN\nMAsGA1UEChMEYWNtZTENMAsGA1U"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myserver-cert.pem",
"chars": 717,
"preview": "-----BEGIN CERTIFICATE-----\nMIIB4zCCAYmgAwIBAgIRAL/SlY1qRcZo+xiwdErtkvAwCgYIKoZIzj0EAwIwHjEN\nMAsGA1UEChMEYWNtZTENMAsGA1U"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/verifier.go",
"chars": 4677,
"preview": "package verifier\n\nimport (\n\t\"crypto/x509\"\n\t\"encoding/asn1\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"sync\"\n\n\t\"go.aporeto.io/enforcerd/tr"
},
{
"path": "controller/internal/enforcer/applicationproxy/tcp/verifier/verifier_test.go",
"chars": 8747,
"preview": "package verifier\n\nimport (\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"io/ioutil\"\n\t\"testing\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib"
},
{
"path": "controller/internal/enforcer/applicationproxy/tlshelper/tlshelper.go",
"chars": 1339,
"preview": "package tlshelper\n\nimport \"crypto/tls\"\n\n// The intent of this file is to provide secure base TLS configurations across a"
},
{
"path": "controller/internal/enforcer/constants/constants.go",
"chars": 617,
"preview": "package enforcerconstants\n\nconst (\n\t// TCPAuthenticationOptionBaseLen specifies the length of base TCP Authentication Op"
},
{
"path": "controller/internal/enforcer/dnsproxy/common.go",
"chars": 1938,
"preview": "package dnsproxy\n\nimport (\n\t\"net\"\n\t\"strconv\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applica"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns.go",
"chars": 5239,
"preview": "// +build linux\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"strconv\"\n\t\"sync\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github.com/miekg/"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_darwin.go",
"chars": 765,
"preview": "package dnsproxy\n\nimport (\n\t\"go.aporeto.io/trireme-lib/collector\"\n\t\"go.aporeto.io/trireme-lib/controller/pkg/flowtrackin"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_linux.go",
"chars": 25164,
"preview": "// +build linux\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"strconv\"\n\t\"sync\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github.com"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_linux_test.go",
"chars": 26117,
"preview": "// +build linux\n\npackage dnsproxy\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"reflect\"\n\t\"regexp\"\n\t\"strings\"\n\t\"sy"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_report.go",
"chars": 2420,
"preview": "// +build linux windows\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_test.go",
"chars": 4130,
"preview": "// +build linux\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/magiconair/proper"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_unsupported.go",
"chars": 1661,
"preview": "// +build !linux,!windows\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"net\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector"
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_windows.go",
"chars": 4314,
"preview": "// +build windows\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net\"\n\t\"sync\"\n\t\"syscall\"\n\n\t\"github.com/miekg/dns\"\n\t\""
},
{
"path": "controller/internal/enforcer/dnsproxy/dns_windows_test.go",
"chars": 5972,
"preview": "// +build windows\n\npackage dnsproxy\n\nimport (\n\t\"context\"\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"net\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t\""
},
{
"path": "controller/internal/enforcer/dnsproxy/dnsproxy.go",
"chars": 1019,
"preview": "package dnsproxy\n\nimport (\n\t\"context\"\n\t\"net\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext\"\n\t\"go.apore"
},
{
"path": "controller/internal/enforcer/dnsproxy/mockdnsproxy/mockdnsproxy.go",
"chars": 4399,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: controller/internal/enforcer/dnsproxy/dnsproxy.go\n\n// Package mock"
},
{
"path": "controller/internal/enforcer/dnsproxy/mutex_map.go",
"chars": 922,
"preview": "package dnsproxy\n\nimport (\n\t\"sync\"\n)\n\n// mutexMap\ntype mutexMap struct {\n\t// as the mutex map has a map of its own\n\t// w"
},
{
"path": "controller/internal/enforcer/enforcer.go",
"chars": 9889,
"preview": "package enforcer\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"time\"\n\n\t\"github.com/blang/semver\"\n\t\"go.aporeto.io/enforcerd/trireme-lib/c"
},
{
"path": "controller/internal/enforcer/envoyauthorizer/envoyauthorizerenforcer.go",
"chars": 12194,
"preview": "package envoyauthorizer\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforc"
},
{
"path": "controller/internal/enforcer/envoyauthorizer/envoyproxy/auth_server.go",
"chars": 15232,
"preview": "package envoyproxy\n\nimport (\n\t\"context\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"sync\"\n\n\tenvo"
},
{
"path": "controller/internal/enforcer/envoyauthorizer/envoyproxy/sds_server.go",
"chars": 22663,
"preview": "package envoyproxy\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"net\"\n\t\"sync\"\n\t\"time\"\n\n\t\"cont"
},
{
"path": "controller/internal/enforcer/flowstats/state.go",
"chars": 4335,
"preview": "package flowstats\n\nimport (\n\t\"net\"\n\t\"net/http\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiau"
},
{
"path": "controller/internal/enforcer/lookup/lookup.go",
"chars": 8700,
"preview": "package lookup\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"sort\"\n\t\"strings\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
},
{
"path": "controller/internal/enforcer/lookup/lookup_test.go",
"chars": 14047,
"preview": "// +build !windows\n\npackage lookup\n\nimport (\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/convey\"\n\t\"go.aporeto.io/e"
},
{
"path": "controller/internal/enforcer/metadata/metadata.go",
"chars": 2377,
"preview": "package metadata\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller"
},
{
"path": "controller/internal/enforcer/mockenforcer/mockenforcer.go",
"chars": 12909,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: controller/internal/enforcer/enforcer.go\n\n// Package mockenforcer "
},
{
"path": "controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket.go",
"chars": 4542,
"preview": "// +build linux\n\npackage afinetrawsocket\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"strconv\"\n\t\"strings\"\n\t\"syscall\"\n\n\t\"go.aporeto.io"
},
{
"path": "controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket_osx.go",
"chars": 1205,
"preview": "// +build darwin\n\npackage afinetrawsocket\n\nimport \"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet\"\n\nconst (\n\t"
},
{
"path": "controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket_windows.go",
"chars": 2826,
"preview": "// +build windows\n\npackage afinetrawsocket\n\nimport (\n\t\"errors\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pac"
},
{
"path": "controller/internal/enforcer/nfqdatapath/autoport.go",
"chars": 3942,
"preview": "package nfqdatapath\n\nimport (\n\t\"path/filepath\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ips"
},
{
"path": "controller/internal/enforcer/nfqdatapath/autoport_nonwindows.go",
"chars": 3340,
"preview": "// +build !windows\n\npackage nfqdatapath\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"os\"\n\t\"os/user\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"go.apore"
},
{
"path": "controller/internal/enforcer/nfqdatapath/autoport_windows.go",
"chars": 543,
"preview": "// +build windows\n\npackage nfqdatapath\n\nfunc (d *defaultRead) readProcNetTCP() (inodeMap map[string]string, userMap map["
},
{
"path": "controller/internal/enforcer/nfqdatapath/countererrors.go",
"chars": 8291,
"preview": "package nfqdatapath\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters\"\n\t\"go.aporeto.io/enforcerd/t"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath.go",
"chars": 28084,
"preview": "package nfqdatapath\n\n// Go libraries\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os/exec\"\n\t\"strconv\"\n\t\"sync\"\n\t\"time\"\n\n\t\"githu"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_common_test.go",
"chars": 11278,
"preview": "package nfqdatapath\n\nimport (\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"time\"\n\n\t\"github.com/blang/semver\"\n\t\"github.com/golang/mock/go"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_darwin.go",
"chars": 1586,
"preview": "// +build darwin\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"syscall\"\n\n\tgpacket \"github.com/ghedo/go.pkt/packet\"\n"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_icmp.go",
"chars": 1401,
"preview": "// +build linux\n\npackage nfqdatapath\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n\t\"go.aporeto.io/enforcer"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_linux.go",
"chars": 4962,
"preview": "// +build linux\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"strconv\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github.co"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_tcp.go",
"chars": 39143,
"preview": "package nfqdatapath\n\n// Go libraries\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"strconv\"\n\n\t\"github.com/pkg/errors\"\n\t\"go.aporeto.io/enfor"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_test.go",
"chars": 76912,
"preview": "// +build linux\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"crypto/ecdsa\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n\t\"math/ran"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_udp.go",
"chars": 37067,
"preview": "package nfqdatapath\n\n// Go libraries\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib"
},
{
"path": "controller/internal/enforcer/nfqdatapath/datapath_windows.go",
"chars": 6507,
"preview": "// +build windows\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"syscall\"\n\t\"unsafe\"\n\n\t\"github.com/ghedo/go.pk"
},
{
"path": "controller/internal/enforcer/nfqdatapath/diagnostics_tcp.go",
"chars": 13559,
"preview": "// +build !windows\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"net\"\n\t\"strconv\"\n\t\"syscall\"\n\t\"time\"\n\n\t"
},
{
"path": "controller/internal/enforcer/nfqdatapath/interfaces.go",
"chars": 982,
"preview": "package nfqdatapath\n\nimport (\n\t\"net\"\n\n\t\"github.com/ghedo/go.pkt/packet\"\n)\n\n// ContextProcessor is an interface to provid"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nflog/nflog_common.go",
"chars": 7802,
"preview": "package nflog\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\""
},
{
"path": "controller/internal/enforcer/nfqdatapath/nflog/nflog_darwin.go",
"chars": 454,
"preview": "// +build darwin\n\npackage nflog\n\nimport (\n\t\"context\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n)\n\n// nfLog TODO\n"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nflog/nflog_linux.go",
"chars": 2950,
"preview": "// +build linux\n\npackage nflog\n\nimport (\n\t\"context\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n\t\""
},
{
"path": "controller/internal/enforcer/nfqdatapath/nflog/nflog_test.go",
"chars": 6994,
"preview": "// +build linux\n\npackage nflog\n\nimport (\n\t\"errors\"\n\t\"strconv\"\n\t\"testing\"\n\t\"time\"\n\n\t. \"github.com/smartystreets/goconvey/"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nflog/nflog_windows.go",
"chars": 2618,
"preview": "// +build windows\n\npackage nflog\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/c"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nfq_darwin.go",
"chars": 79,
"preview": "// +build darwin\n\npackage nfqdatapath\n\nfunc (d *Datapath) cleanupPlatform() {}\n"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nfq_linux.go",
"chars": 10968,
"preview": "// +build linux\n\npackage nfqdatapath\n\n// Go libraries\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"time\"\n\n\t\"go.aporeto.io/enf"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nfq_windows.go",
"chars": 5942,
"preview": "// +build windows\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"unsafe\"\n\n\t\"go.aporeto.io/enforcerd/trire"
},
{
"path": "controller/internal/enforcer/nfqdatapath/nfq_windows_test.go",
"chars": 9930,
"preview": "// +build windows\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"strconv\"\n\t\"sync\"\n\t\"syscall\"\n\t\"testi"
},
{
"path": "controller/internal/enforcer/nfqdatapath/ping_tcp.go",
"chars": 18936,
"preview": "package nfqdatapath\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"math/rand\"\n\t\"net\"\n\t\"os\"\n\t\"strconv\"\n\t\"syscall\"\n\t\"time\"\n\n\t\"github."
},
{
"path": "controller/internal/enforcer/nfqdatapath/ping_test.go",
"chars": 39525,
"preview": "// +build linux\n\npackage nfqdatapath\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"sync/atomic\"\n\t\"testing\"\n\t\"time\"\n\n\t\"g"
},
{
"path": "controller/internal/enforcer/nfqdatapath/test_utils.go",
"chars": 3303,
"preview": "package nfqdatapath\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/golang/mock/gomock\"\n\t\"go.aporeto.io/enforcerd/trirem"
},
{
"path": "controller/internal/enforcer/nfqdatapath/test_utils_linux.go",
"chars": 574,
"preview": "// +build linux\n\npackage nfqdatapath\n\nimport (\n\t\"net\"\n\t\"sync\"\n\n\t\"github.com/ghedo/go.pkt/packet\"\n)\n\ntype fakeConn struct"
},
{
"path": "controller/internal/enforcer/nfqdatapath/tokenaccessor/interfaces.go",
"chars": 1548,
"preview": "package tokenaccessor\n\nimport (\n\t\"crypto/ecdsa\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enfor"
},
{
"path": "controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor/mocktokenaccessor.go",
"chars": 7505,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: controller/internal/enforcer/nfqdatapath/tokenaccessor/interfaces."
},
{
"path": "controller/internal/enforcer/nfqdatapath/tokenaccessor/tokenaccessor.go",
"chars": 4689,
"preview": "package tokenaccessor\n\nimport (\n\t\"bytes\"\n\t\"crypto/ecdsa\"\n\t\"errors\"\n\t\"fmt\"\n\t\"time\"\n\n\tenforcerconstants \"go.aporeto.io/enf"
},
{
"path": "controller/internal/enforcer/nfqdatapath/tokenaccessor/tokenaccessor_test.go",
"chars": 603,
"preview": "// +build !windows\n\npackage tokenaccessor\n\nimport (\n\t\"testing\"\n\n\t\"github.com/golang/mock/gomock\"\n\t. \"github.com/smartyst"
},
{
"path": "controller/internal/enforcer/nfqdatapath/utils.go",
"chars": 6283,
"preview": "package nfqdatapath\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n\t\"go.aporeto.io/enforcerd/trireme-lib/con"
},
{
"path": "controller/internal/enforcer/nfqdatapath/utils_test.go",
"chars": 12666,
"preview": "// +build linux\n\npackage nfqdatapath\n\nimport (\n\t\"crypto/ecdsa\"\n\t\"net\"\n\t\"testing\"\n\n\t\"github.com/golang/mock/gomock\"\n\t. \"g"
},
{
"path": "controller/internal/enforcer/proxy/enforcerproxy.go",
"chars": 13861,
"preview": "// Package enforcerproxy :: This is the implementation of the RPC client\n// It implements the interface of Trireme Enfor"
},
{
"path": "controller/internal/enforcer/proxy/enforcerproxy_test.go",
"chars": 19336,
"preview": "package enforcerproxy\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\tgomock \"github.com/golang/mock/gomock\"\n\t. \"github"
},
{
"path": "controller/internal/enforcer/proxy/rpcserver.go",
"chars": 3107,
"preview": "package enforcerproxy\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n\t\""
},
{
"path": "controller/internal/enforcer/secretsproxy/secretsproxy.go",
"chars": 9788,
"preview": "// +build !windows\n\npackage secretsproxy\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"strconv\"\n\t\"stri"
},
{
"path": "controller/internal/enforcer/secretsproxy/secretsproxy_windows.go",
"chars": 1279,
"preview": "// +build windows\n\npackage secretsproxy\n\nimport (\n\t\"context\"\n\n\t\"go.aporeto.io/trireme-lib/controller/pkg/fqconfig\"\n\t\"go."
},
{
"path": "controller/internal/enforcer/secretsproxy/transformer.go",
"chars": 2009,
"preview": "package secretsproxy\n\nimport (\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strconv\"\n\n\t\"go.aporeto.io/tr"
},
{
"path": "controller/internal/enforcer/utils/ephemeralkeys/ephemeralkeys.go",
"chars": 2921,
"preview": "package ephemeralkeys\n\nimport (\n\t\"crypto/ecdsa\"\n\t\"crypto/elliptic\"\n\t\"crypto/rand\"\n\t\"sync\"\n\t\"time\"\n\n\t\"go.aporeto.io/enfor"
},
{
"path": "controller/internal/enforcer/utils/ephemeralkeys/interfaces.go",
"chars": 177,
"preview": "package ephemeralkeys\n\n// KeyAccessor holds the ephemeral key functions\ntype KeyAccessor interface {\n\tPrivateKey() *Priv"
},
{
"path": "controller/internal/enforcer/utils/ephemeralkeys/mockephemeralkeys/mockephemeralkeys.go",
"chars": 1993,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: controller/internal/enforcer/utils/ephemeralkeys/interfaces.go\n\n//"
},
{
"path": "controller/internal/enforcer/utils/nsenter/nsenter.c",
"chars": 1765,
"preview": "// +build linux !darwin\n// +build !windows\n\n#define _GNU_SOURCE\n#include <errno.h>\n#include <fcntl.h>\n#include <sched.h>"
},
{
"path": "controller/internal/enforcer/utils/nsenter/nsenter.go",
"chars": 227,
"preview": "// +build !linux\n\n//Package nsenter for switching namespaces\npackage nsenter\n\n//This package should only run on linux\n//"
},
{
"path": "controller/internal/enforcer/utils/nsenter/nsenter_linux.go",
"chars": 152,
"preview": "// +build linux\n\npackage nsenter\n\n/*\n#cgo CFLAGS: -Wall\nextern void nsexec();\nvoid __attribute__((constructor)) init(voi"
},
{
"path": "controller/internal/enforcer/utils/packetgen/interfaces.go",
"chars": 4877,
"preview": "package packetgen\n\nimport (\n\t\"github.com/google/gopacket\"\n\t\"github.com/google/gopacket/layers\"\n)\n\n//PacketFlowType type "
},
{
"path": "controller/internal/enforcer/utils/packetgen/packet_gen.go",
"chars": 15485,
"preview": "//Package packetgen \"PacketGen\" is a Packet Generator library\n//Current version: V1.0, Updates are coming soon\npackage p"
},
{
"path": "controller/internal/enforcer/utils/packetgen/packet_gen_test.go",
"chars": 658,
"preview": "//+build !test\n\n//PacketGen tester\n//Still in beta version, Currently used for debugging\n//Updates are coming soon with "
},
{
"path": "controller/internal/enforcer/utils/packetgen/packet_templates.go",
"chars": 116885,
"preview": "package packetgen\n\n//PacketFlowTemplate1 is a good hardcoded template\nvar PacketFlowTemplate1 [][]byte\n\n//PacketFlowTemp"
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/interfaces.go",
"chars": 676,
"preview": "package rpcwrapper\n\nimport \"context\"\n\n// RPCClient is the client interface\ntype RPCClient interface {\n\tNewRPCClient(cont"
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper/mockrpcwrapper.go",
"chars": 6999,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: controller/internal/enforcer/utils/rpcwrapper/interfaces.go\n\n// Pa"
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/rpc_handle.go",
"chars": 9512,
"preview": "package rpcwrapper\n\nimport (\n\t\"context\"\n\t\"crypto/hmac\"\n\t\"crypto/sha256\"\n\t\"encoding/binary\"\n\t\"encoding/gob\"\n\t\"fmt\"\n\t\"net\""
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/rpc_handlemock.go",
"chars": 6334,
"preview": "package rpcwrapper\n\nimport (\n\t\"context\"\n\t\"net/rpc\"\n\t\"sync\"\n\t\"testing\"\n)\n\n// MockRPCHdl is mock of rpchdl\ntype MockRPCHdl"
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/rpc_handletest.go",
"chars": 760,
"preview": "package rpcwrapper\n\nimport (\n\t\"testing\"\n\t\"time\"\n)\n\n//Not mocking system libraries\n//Will create actual rpc client server"
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/rpc_testhelper.go",
"chars": 161,
"preview": "package rpcwrapper\n\nfunc asyncRpcclient(resp chan<- error, rpchdl *RPCWrapper) {\n\terr := rpchdl.NewRPCClient(\"12345\", de"
},
{
"path": "controller/internal/enforcer/utils/rpcwrapper/types.go",
"chars": 5010,
"preview": "package rpcwrapper\n\nimport (\n\t\"time\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/collector\"\n\t\"go.aporeto.io/enforcerd/trireme"
},
{
"path": "controller/internal/processmon/interfaces.go",
"chars": 413,
"preview": "package processmon\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/policy\"\n)\n\n// ProcessManager interface exposes method"
},
{
"path": "controller/internal/processmon/mockprocessmon/mockprocessmon.go",
"chars": 2663,
"preview": "// Code generated by MockGen. DO NOT EDIT.\n// Source: controller/internal/processmon/interfaces.go\n\n// Package mockproce"
},
{
"path": "controller/internal/processmon/processmon.go",
"chars": 12842,
"preview": "// +build linux darwin\n\n// Package processmon is to manage and monitor remote enforcers.\npackage processmon\n\nimport (\n\t\""
},
{
"path": "controller/internal/processmon/processmon_linux_test.go",
"chars": 3656,
"preview": "// +build linux,!rhel6\n\npackage processmon\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"te"
},
{
"path": "controller/internal/processmon/processmon_test.go",
"chars": 6692,
"preview": "// +build !windows\n\npackage processmon\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"os\"\n\t\"os/exec\"\n\t\"pat"
},
{
"path": "controller/internal/processmon/processmon_windows.go",
"chars": 1025,
"preview": "// +build windows\n\n// Package processmon is to manage and monitor remote enforcers.\npackage processmon\n\nimport (\n\t\"conte"
},
{
"path": "controller/internal/processmon/testbinary/testbinary.go",
"chars": 81,
"preview": "package main\n\nimport \"fmt\"\n\nfunc main() {\n\tfmt.Println(\"Test Binary Executed\")\n}\n"
},
{
"path": "controller/internal/supervisor/interfaces.go",
"chars": 2026,
"preview": "package supervisor\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\tprovider \"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovid"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls.go",
"chars": 24298,
"preview": "package iptablesctrl\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"strconv\"\n\t\"strings\"\n\t\"text/template\"\n\n\t\"github.com/kballard/go-s"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls_darwin.go",
"chars": 186,
"preview": "package iptablesctrl\n\nfunc (i *iptables) aclSkipProto(proto string) bool {\n\treturn false\n}\n\nfunc (i *iptables) legacyPuC"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls_linux.go",
"chars": 204,
"preview": "// +build !rhel6\n\npackage iptablesctrl\n\nfunc (i *iptables) aclSkipProto(proto string) bool {\n\treturn false\n}\n\nfunc (i *i"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls_nonwindows.go",
"chars": 3628,
"preview": "// +build !windows\n\npackage iptablesctrl\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/p"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls_rhel6.go",
"chars": 5501,
"preview": "// +build rhel6\n\npackage iptablesctrl\n\nimport (\n\t\"strings\"\n\t\"text/template\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/commo"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls_windows.go",
"chars": 11906,
"preview": "// +build windows\n\npackage iptablesctrl\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\t\"syscall\"\n\t\"unsafe\"\n\n\t\"github.com/kballard/go"
},
{
"path": "controller/internal/supervisor/iptablesctrl/acls_windows_test.go",
"chars": 19341,
"preview": "// +build windows\n\npackage iptablesctrl\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/kballard/go-shellquote\"\n\t. \"github"
},
{
"path": "controller/internal/supervisor/iptablesctrl/comparators.go",
"chars": 527,
"preview": "package iptablesctrl\n\nimport \"go.aporeto.io/enforcerd/trireme-lib/policy\"\n\nfunc testObserveContinue(p *policy.FlowPolicy"
},
{
"path": "controller/internal/supervisor/iptablesctrl/constants_nonwindows.go",
"chars": 431,
"preview": "// +build !windows\n\npackage iptablesctrl\n\nconst (\n\tipTableSectionOutput = \"OUTPUT\"\n\tipTableSectionPreRouting = \"PRER"
},
{
"path": "controller/internal/supervisor/iptablesctrl/constants_windows.go",
"chars": 447,
"preview": "// +build windows\n\npackage iptablesctrl\n\nconst (\n\tipTableSectionOutput = \"OUTPUT\"\n\tipTableSectionPreRouting = \"PRERO"
},
{
"path": "controller/internal/supervisor/iptablesctrl/icmp_linux.go",
"chars": 5611,
"preview": "// +build !rhel6\n\npackage iptablesctrl\n\n/*\n#cgo linux LDFLAGS: -L/tmp -lpcap\n#include<string.h>\n#include<stdlib.h>\n#incl"
},
{
"path": "controller/internal/supervisor/iptablesctrl/icmp_linux_test.go",
"chars": 2822,
"preview": "// +build !windows,!rhel6\n\npackage iptablesctrl\n\nimport \"testing\"\n\nfunc Test_getICMPv6(t *testing.T) {\n\ttests := []struc"
},
{
"path": "controller/internal/supervisor/iptablesctrl/icmp_rhel6.go",
"chars": 178,
"preview": "// +build rhel6 darwin\n\npackage iptablesctrl\n\nfunc icmpRule(icmpTypeCode string, policyRestrictions []string) []string {"
},
{
"path": "controller/internal/supervisor/iptablesctrl/icmp_windows.go",
"chars": 584,
"preview": "// +build windows\n\npackage iptablesctrl\n\nimport (\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/internal/windows\"\n\t\"g"
},
{
"path": "controller/internal/supervisor/iptablesctrl/instance.go",
"chars": 7491,
"preview": "package iptablesctrl\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\n\t\"go.aporeto.io/enforcerd/trireme-lib/controller/cons"
},
{
"path": "controller/internal/supervisor/iptablesctrl/ipsets.go",
"chars": 3415,
"preview": "package iptablesctrl\n\nimport (\n\t\"fmt\"\n\t\"strconv\"\n\n\tprovider \"go.aporeto.io/trireme-lib/controller/pkg/aclprovider\"\n\t\"go."
},
{
"path": "controller/internal/supervisor/iptablesctrl/iptables.go",
"chars": 15972,
"preview": "package iptablesctrl\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"net\"\n\t\"strconv\"\n\t\"text/template\"\n\n\t\"go.aporeto.io/enforcerd"
},
{
"path": "controller/internal/supervisor/iptablesctrl/iptablesV4_test.go",
"chars": 123373,
"preview": "// +build !windows,!rhel6\n\npackage iptablesctrl\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.c"
},
{
"path": "controller/internal/supervisor/iptablesctrl/iptablesV6_test.go",
"chars": 48164,
"preview": "// +build !windows,!rhel6\n\npackage iptablesctrl\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"testing\"\n\n\t\"github.com/apo"
},
{
"path": "controller/internal/supervisor/iptablesctrl/iptables_linux_test.go",
"chars": 4153,
"preview": "package iptablesctrl\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/aporeto-inc/go-ipset/ipset\"\n\t\"go.aporeto.io/enforcerd/tri"
},
{
"path": "controller/internal/supervisor/iptablesctrl/iptables_rhel6_test.go",
"chars": 46004,
"preview": "// +build rhel6\n\npackage iptablesctrl\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"testing\"\n\n\t. \"github.com/smartystreets/goconvey/co"
},
{
"path": "controller/internal/supervisor/iptablesctrl/iptables_windows_test.go",
"chars": 40449,
"preview": "// +build windows\n\npackage iptablesctrl\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\t\"sync\"\n\t\"syscall\"\n\t\"testing\"\n\t\"un"
},
{
"path": "controller/internal/supervisor/iptablesctrl/ipv4.go",
"chars": 2307,
"preview": "package iptablesctrl\n\nimport (\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\n\t\"github.com/aporeto-inc/go-ipset/ipset\"\n\tprovider \"go.aporeto."
},
{
"path": "controller/internal/supervisor/iptablesctrl/ipv6.go",
"chars": 2479,
"preview": "package iptablesctrl\n\nimport (\n\t\"net\"\n\t\"strings\"\n\n\t\"github.com/aporeto-inc/go-ipset/ipset\"\n\tprovider \"go.aporeto.io/enfo"
}
]
// ... and 349 more files (download for full content)
About this extraction
This page contains the full source code of the aporeto-inc/trireme GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 549 files (3.9 MB), approximately 1.0M tokens, and a symbol index with 6939 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.